
Sam Hocevar

re-testing of zzuf results

I've also posted this to my blog:
http://hboeck.de/archives/578-How-long-does-it-take-to-fix-a-crash-bug.html

  
About one year ago, Sam Hocevar posted some results on tests with his fuzzing 
tool zzuf, which showed a large number of crashes in various applications, 
especially multimedia apps.
http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities
http://sam.zoy.org/zzuf/


[SECURITY] [DSA 1821-1] New amule packages fix insufficient input sanitising

Debian-specific: no
CVE Id         : CVE-2009-1440
Debian Bug     : 525078


Sam Hocevar discovered that amule, a client for the eD2k and Kad
networks, does not properly sanitise the filename, when using the
preview function. This could lead to the injection of arbitrary commands
passed to the video player.

For the stable distribution (lenny), this problem has been fixed in

[ GLSA 200909-06 ] aMule: Parameter injection

  1  net-p2p/amule       < 2.2.5                              >= 2.2.5

Description
===========

Sam Hocevar discovered that the aMule preview function does not
properly sanitize file names.

Impact
======


Safari browser port blocking bypassed by integer overflow

GNAA
my cat, Gary C. Berries for being the initial discoverer of this vulnerability

g0udatron[gapp], Rucas, Jacksonbrown, Hephaestus Security
sloth, Joseph Evers, girlvinyl, Sam Hocevar,
Jesus Christ the once and future king,
and all men who love merriment



