Bug 459016 - Review Request: bunny - Instrumented C code security fuzzer
Review Request: bunny - Instrumented C code security fuzzer
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Debarshi Ray
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 469055 469057 469058
  Show dependency treegraph
 
Reported: 2008-08-13 15:28 EDT by Rakesh Pandit
Modified: 2008-11-11 21:58 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-29 14:45:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
debarshir: fedora‑review+
huzaifas: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Rakesh Pandit 2008-08-13 15:28:40 EDT
Description:
A closed loop, high-performance, general purpose protocol-blind fuzzer
for C programs.  Uses compiler-level integration to seamlessly inject
precise and reliable instrumentation hooks into the traced
program. These hooks enable the fuzzer to receive real-time feedback
on changes to the function call path, call parameters, and return
values in response to variations in input data.  This architecture
makes it possible to significantly improve the coverage of the testing
process without a noticeable performance impact usually associated
with other attempts to peek into run-time internals.

SPEC:http://rakesh.fedorapeople.org/spec/bunny.spec 
SRPM:http://rakesh.fedorapeople.org/srpm/bunny-0.93-1.fc9.src.rpm
Comment 1 Rakesh Pandit 2008-08-13 15:28:58 EDT
ExcludedArch: ppc ppc64
The package dynamically writes x86 code and is specially for x86(uses asm)
Comment 2 Debarshi Ray 2008-10-14 18:20:56 EDT
MUST Items: 

OK - rpmlint is clean
OK - follows Naming Guidelines
OK - spec file is named as %{name}.spec

xx - package does not meet Packaging Guidelines
    + Instead of just replacing -03 with -02 in the Makefile, you should try to
      use the value of RPM_OPT_FLAGS or %{optflags} as CFLAGS. See
      https://fedoraproject.org/wiki/Packaging/Guidelines#Compiler_flags
      In this case, you could use:
      make CFLAGS=$RPM_OPT_FLAGS
    + According to
      https://fedoraproject.org/wiki/Packaging/Guidelines#Timestamps you
      should use 'install -p'.
    + You could consider adding CHANGES to %doc as it gives an indication of
      the direction the project is taking.

OK - license meets Licensing Guidelines
OK - License field meets actual license
OK - upstream license file included in %doc
OK - spec file uses American English
OK - spec file is legible
OK - sources match upstream sources
OK - package builds successfully

xx - ExcludeArch is needed
     The upstream page (http://code.google.com/p/bunny-the-fuzzer/) says:
     "Bunny is currently known to support Linux, ... on IA32 and IA64
     systems."
     One should note that IA64 is different from x86_64 or amd64. So it would
     be a good idea to cross-check whether IA64 has been mistakenly used to
     refer to x86_64 or amd64, and whether x86_64 or amd64 is supported or not.
     I think that x86_64 is supported since it seemed to work with gcc.x86_64.
     In case IA64 has been mistakenly used, we should ExcludeArch ia64,
     alongwith the other secondary architectures (ie., alpha, arm, s390, sparc)
     which might not be supported.

OK - build dependencies correctly listed
OK - no locales
OK - no shared libraries
OK - package is not relocatable
OK - file and directory ownership
OK - no duplicates in %file
OK - file permissions set properly
OK - %clean present
OK - macros used consistently
OK - contains code and permissable content
OK - -doc is not needed
OK - contents of %doc does not affect the runtime
OK - no header files
OK - no static libraries
OK - no pkgconfig files
OK - no library files
OK - -devel is not needed
OK - no libtool archives
OK - %{name}.desktop file not needed
OK - does not own files or directories owned by other packages
OK - buildroot correctly prepped
OK - all file names valid UTF-8

SHOULD Items:

OK - upstream provides license text
xx - no translations for description and summary
OK - package builds in mock successfully
OK - package builds on all supported architectures
OK - package functions as expected
OK - scriptlets are not needed
OK - subpackages are not needed
OK - no pkgconfig files
OK - no file dependencies
Comment 3 Rakesh Pandit 2008-10-24 01:26:33 EDT
xx - package does not meet Packaging Guidelines
    + Instead of just replacing -03 with -02 in the Makefile, you should try to
      use the value of RPM_OPT_FLAGS or %{optflags} as CFLAGS. See
      https://fedoraproject.org/wiki/Packaging/Guidelines#Compiler_flags
      In this case, you could use:
      make CFLAGS=$RPM_OPT_FLAGS

It has a hand coded Makefile with hard written CFLAGS so replacing seems to me okay


    + According to
      https://fedoraproject.org/wiki/Packaging/Guidelines#Timestamps you
      should use 'install -p'.

Done

    + You could consider adding CHANGES to %doc as it gives an indication of
      the direction the project is taking.

Done

xx - ExcludeArch is needed
     The upstream page (http://code.google.com/p/bunny-the-fuzzer/) says:
     "Bunny is currently known to support Linux, ... on IA32 and IA64
     systems."
     One should note that IA64 is different from x86_64 or amd64. So it would
     be a good idea to cross-check whether IA64 has been mistakenly used to
     refer to x86_64 or amd64, and whether x86_64 or amd64 is supported or not.
     I think that x86_64 is supported since it seemed to work with gcc.x86_64.
     In case IA64 has been mistakenly used, we should ExcludeArch ia64,
     alongwith the other secondary architectures (ie., alpha, arm, s390, sparc)
     which might not be supported.

From http://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc 

"""The only platforms known to work fine are Linux, flavors of BSD, and Cygwin on IA32 platforms. Support for 64-bit and other unix systems is not confirmed. There is no support for non-x86 architectures, although this requires very few tweaks to correct. """

so ia32 it works. ia64 and other non-x86 need to be excluded.


Done

http://rakesh.fedorapeople.org/srpm/bunny-0.93-2.fc10.src.rpm -> SRPM
http://rakesh.fedorapeople.org/spec/bunny.spec -> SPEC
Comment 4 Rakesh Pandit 2008-10-24 02:02:33 EDT
>It has a hand coded Makefile with hard written CFLAGS so replacing seems to me
>okay

Fixed. It highlights the whole messy code written. I will notify upstream about it.

Moved ia64 to secondary architectures list. 

Fixed.


http://rakesh.fedorapeople.org/spec/bunny.spec
http://rakesh.fedorapeople.org/srpm/bunny-0.93-3.fc10.src.rpm
Comment 5 Debarshi Ray 2008-10-24 03:29:17 EDT
>     + You could consider adding CHANGES to %doc as it gives an indication of
>       the direction the project is taking.
> 
> Done

I think you forgot to add it. :-)

> xx - ExcludeArch is needed
>      The upstream page (http://code.google.com/p/bunny-the-fuzzer/) says:
>      "Bunny is currently known to support Linux, ... on IA32 and IA64
>      systems."
>      One should note that IA64 is different from x86_64 or amd64. So it would
>      be a good idea to cross-check whether IA64 has been mistakenly used to
>      refer to x86_64 or amd64, and whether x86_64 or amd64 is supported or not.
>      I think that x86_64 is supported since it seemed to work with gcc.x86_64.
>      In case IA64 has been mistakenly used, we should ExcludeArch ia64,
>      alongwith the other secondary architectures (ie., alpha, arm, s390, sparc)
>      which might not be supported.
> 
> From http://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc 
> 
> """The only platforms known to work fine are Linux, flavors of BSD, and Cygwin
> on IA32 platforms. Support for 64-bit and other unix systems is not confirmed.
> There is no support for non-x86 architectures, although this requires very few
> tweaks to correct. """
> 
> so ia32 it works. ia64 and other non-x86 need to be excluded.

Although x86_64 is not ia32 bunny seems to work on Fedora 9 x86_64 for me. I am not sure about this particular architecture.
Comment 6 Rakesh Pandit 2008-10-24 03:40:09 EDT
>I think you forgot to add it. :-)

Aah! yes.
Included now.

it works on x86.

http://rakesh.fedorapeople.org/srpm/bunny-0.93-4.fc10.src.rpm
http://rakesh.fedorapeople.org/spec/bunny.spec
Comment 7 Debarshi Ray 2008-10-29 11:09:21 EDT
+---------------------------------+
| This package is APPROVED by me. |
+---------------------------------+

However:

+ Building the package on Fedora 9 x86_64 spews a large number of compiler warnings. Those may look harmless but can cause quite a pain at times. What does upstream have to say?

+ Please remember to block ExcludeArch blocker bugs of all the architectures that are not supported.
Comment 8 Rakesh Pandit 2008-10-29 11:18:58 EDT
no reply till now. But upstream is active. Waiting for response. These warnings are very easy to fix.

Yeah - I will block ExcludeArch blocker Bugs before importing.
Comment 9 Rakesh Pandit 2008-10-29 11:20:36 EDT
New Package CVS Request
=======================
Package Name: bunny
Short Description: Instrumented C code security fuzzer
Owners: rakesh
Branches: F-8 F-9
InitialCC: rakesh
Cvsextras Commits: yes
Comment 10 Huzaifa S. Sidhpurwala 2008-10-29 11:34:44 EDT
cvs done
Comment 11 Fedora Update System 2008-10-29 14:34:20 EDT
bunny-0.93-5.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bunny-0.93-5.fc9
Comment 12 Fedora Update System 2008-10-29 14:35:19 EDT
bunny-0.93-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/bunny-0.93-5.fc8
Comment 13 Fedora Update System 2008-11-11 21:56:55 EST
bunny-0.93-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-11 21:58:05 EST
bunny-0.93-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.