I have been fuzzing an open-source application which depends on VTK (9.5) as part of a security code audit and have identified a series of memory errors for a specific filetype parser in VTK.
Which would be the most appropriate channel to communicate the findings without directly releasing them?
I’ve fuzzed some VTK file readers too. Alas, there are lots of issues with the ones I tried. It has not made it to the top of my todo list, nor anyone else’s, I suspect.
Hi! I know this is somewhat of an old post, but have there been any updates to this? I am currently fuzzing various VTK file readers and potentially found some vulnerabilities as well. Just curious if they are similar in nature to what you found.