Version 1.0beta1 of Fusil
Release Notes: A fuzzer is now an executable program (instead of a file loaded by a Fusil script). Child processes are run as a different user and group to avoid removing arbitrary files or killing arbitrary processes. The session directory is renamed on success with strings like "invalid_read" or "timeout". For each session, a shell script is created to replay the session (and another to replay in gdb). python-ptrace is used to trace child processes (catch and diplay signals). A configuration file (~/.config/fusil.conf) is created. A session can be removed even if the directory contains generated files. There is improved Python 3.0 support.
Other releases
Release Notes: sys.path is set in replay.py to ease the usage of Fusil without installing it. fusil-gettext was fixed to ignore strace errors in locateMO(). In fusil-python, Python warnings are hidden, listAllModules() includes builtin modules, and a new "only-c" option was added. A memory leak was fixed by unloading tested modules. getFunctions() was fixed to use also isclass() to detect classes. Fusil process maximum memory limit was disabled.
Release Notes: A new fuzzer for Gimp (fusil-gimp) was created. The project Web site was moved to Bitbucket and the source code is now managed by Mercurial. Fusil has been optimized. For example, a binary file is used instead of a Unicode file to write code (WriteCode class), and the regex is not recompiled for each session (FileWatch class). Usage of Popen() for Windows was fixed. Fusil now depends on python-ptrace 0.6.
Release Notes: A user guide and a document index were written. The HOME environment variable is copied for GDB in the replay script. More file formats (bmp, gif, ico, png, svg) are supported in fusil-firefox. fusil-python writes errors to stderr to avoid Unicode errors (especially with Python3). FileWatch renames the session to "long_output" if the program wrote more than max_nbline lines. posix.fork() is blacklisted in fusil-python to avoid false positives.
Release Notes: replay.py now asks for confirmation if the fuzzer will not be running under a different user or as root. Even with --force-unsafe, a safety warning is shown if the fuzzer is running as the root user. Files for child processes are closed (close_fds=True). IntegerRangeGenerator was created in fusil.unicode_generator. EnvVarIntegerRange was created in fusil.process.env. A fusil-wizzard fuzzer was added. Timestamps are now written in session.log.
Release Notes: This release adds vlc and zzuf fuzzers, a replay.py script with many options (e.g. --valgrind), and a --force-unsafe option (like --unsafe but without the confirmation). It always uses a null device as stdin for child processes to avoid blocking the fuzzer if the process reads stdin. The created process identifier is written in the logs.
