
Previous discussion: https://news.ycombinator.com/item?id=8571879

Since then the bug list has grown impressively: http://lcamtuf.coredump.cx/afl/#bugs



Fuzzing is fun, and still there are easy-to-discover issues lurking in even widely used tools.

For example, I set up a site where I require users to upload an SSH key (for access to a git repository), and figured I'd do what github, etc., do in the display - show the fingerprint.

Given an SSH key you can get a fingerprint like so:

     deagol ~ $ ssh-keygen -l -f ~/.ssh/id_rsa
     2048 4d:19:f2:de:ba:f6:06:31:98:af:9e:2a:di:ce:ca:b2 ~/.ssh/id_rsa.pub (RSA)

Can you imagine an SSH key causing ssh-keygen, or ssh to segfault? I found one over a weekend:

https://blog.steve.fi/so_about_that_idea_of_using_ssh_keygen...

I found similar issues with other well-known tools, for example a program that would cause GNU awk to segfault.

Really I should do more..
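A defender-side example added to this thread (it is not the commenter's code and not part of OpenSSH): rather than handing an uploaded key file to ssh-keygen, parse the OpenSSH public key line in-process, bounds-check every length field in the wire-format blob, and compute the fingerprint yourself. The function names, the ALLOWED_TYPES set, the line-length limit, and the sample key are this example's own constructions, and the sample is a toy blob, not a real key pair.

```python
import base64
import hashlib
import struct

# Key types this validator accepts; anything else is refused before storage.
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}
MAX_LINE_LEN = 16 * 1024  # generous upper bound for one public key line


def wire_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(n):
    """Encode a non-negative integer as an SSH mpint (big-endian, sign-safe)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the value positive
    return wire_string(raw)


def make_key_line(key_type, blob, comment=""):
    """Build a '<type> <base64 blob> [comment]' line as ssh-keygen writes it."""
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line


def read_string(blob, offset):
    """Read one wire-format string at offset; reject a length field that lies."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if length > len(blob) - offset:
        raise ValueError("length field exceeds remaining blob")
    return blob[offset:offset + length], offset + length


def parse_public_key(line):
    """Return (key_type, blob, comment) for a well-formed key, else raise ValueError.

    Each length field is checked against the bytes actually present, and the
    blob must end exactly after the expected fields, so truncated, oversized
    or padded blobs are refused instead of being stored or shown.
    """
    if len(line) > MAX_LINE_LEN:
        raise ValueError("key line too long")
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    inner_type, offset = read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("type inside blob does not match declared type")
    field_count = 2 if key_type == "ssh-rsa" else 1  # rsa: e, n; ed25519: pubkey
    field = b""
    for _ in range(field_count):
        field, offset = read_string(blob, offset)
        if not field:
            raise ValueError("empty key field")
    if key_type == "ssh-ed25519" and len(field) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    if offset != len(blob):
        raise ValueError("trailing bytes after key fields")
    return key_type, blob, comment


def is_valid_key(line):
    """True if parse_public_key accepts the line, False otherwise."""
    try:
        parse_public_key(line)
    except ValueError:
        return False
    return True


def fingerprint_md5(blob):
    """Colon-separated MD5 hex, the format in the ssh-keygen -l output above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob):
    """'SHA256:<unpadded base64>', the format current OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample, not a real key pair: a toy ssh-rsa blob with small e and n.
SAMPLE_BLOB = wire_string(b"ssh-rsa") + mpint(65537) + mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_KEY = make_key_line("ssh-rsa", SAMPLE_BLOB, "alice@example")
# Constructed malformed blob: the first length field claims 9999 (0x270f) bytes.
LYING_LENGTH_BLOB = b"\x00\x00\x27\x0f" + b"ssh-rsa"

if __name__ == "__main__":
    key_type, blob, comment = parse_public_key(SAMPLE_KEY)
    print(key_type, fingerprint_md5(blob), fingerprint_sha256(blob), comment)
    print("lying length accepted:", is_valid_key(make_key_line("ssh-rsa", LYING_LENGTH_BLOB)))
    print("type mismatch accepted:", is_valid_key(make_key_line("ssh-ed25519", SAMPLE_BLOB)))
```

The point of walking the blob field by field is that a web form should never need to invoke ssh-keygen on attacker-controlled bytes at all: a few dozen lines of bounds-checked parsing produce the same fingerprint the commenter wanted to display, and every malformed input becomes a clean ValueError instead of a crash in an external process.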


Yeah, AFL is an incredibly useful bit of work - I ran OpenJPEG through it and got a number of reasonably actionable bug reports for the maintainers after a few hours. That class of tool used to be a LOT noisier.


There is one in that list for the OpenBSD kernel in 2016. When tmpfs was removed from OpenBSD the reason given was "lack of maintenance". The problem found by afl had nothing to do with the decision?


The two are probably related, though you could ask on the mailing list to try to get a real answer.

My guess is that it was something like:

afl-fuzz: There is a bug in tmpfs

openbsd: Ok, who's responsible for fixing tmpfs?

everyone: ...

openbsd: Ok, no one is maintaining it. Let's go ahead and disable since there are alternatives, and no one is providing maintenance.



