Hi all,

I want to pick up (and finish) the discussion that started in Compress[1].

Short Recap:
============

OSS Fuzz[2] runs fuzz testing for open source projects by invoking methods of our code with random data looking for unexpected outcomes (undeclared exceptions or, worse, code that never returns because it is stuck in an infinite loop, for example).

For Compress, Fabian (who started [1]) has already identified and reported several issues, one of which would have become a CVE if the code in question had been part of any release of Compress. In the past other people have run different fuzzers and found "interesting" results in Compress as well. Compress may be especially vulnerable as it basically tries to make sense out of a bunch of user supplied bytes - but the same is probably true for codec or imaging, for example.

Fabian has offered to set up OSS Fuzz for Compress. Given that the issues OSS Fuzz detects may or may not be security sensitive, I don't feel it would be a good idea to have the tool send reports to a public mailing list. Therefore I propose to create another subscription-moderated list just for these kinds of reports. I'm afraid it could be too noisy for security@commons.

Proposal
========

Unless anybody objects until then, I will create such a list (I believe there is a self-service thingy for that, otherwise I'll ask the infra folks) on the coming Sunday. I'd add myself as a moderator, but we will need more moderators. Also I'll gladly accept ideas for the name of the list.

If there are objections against yet another mailing list, I'll ask Fabian to set things up using a private mail alias. If you want to receive the messages as well, please tell me.

Cheers

Stefan

[1] https://lists.apache.org/thread.html/rb34ea7d9272b8e600437ea705b13aba1bcc2f23ceb55880bce27e479%40%3Cdev.commons.apache.org%3E
[2] https://google.github.io/oss-fuzz/
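For readers who have not seen what the recap describes, the following is an added example of the kind of fuzz target OSS-Fuzz runs against a Java library. It is not from this thread and not part of Commons Compress or OSS-Fuzz; it assumes Jazzer (the JVM engine OSS-Fuzz uses) and Commons Compress on the classpath, and the class name `ArchiveFuzzer` and the constant `MAX_ENTRY_BYTES` are my own choices. The harness feeds each fuzzer-generated byte string into `ArchiveStreamFactory`, walks the entries, and swallows only the exceptions the API declares for malformed input; anything else that escapes (an `ArrayIndexOutOfBoundsException`, a `NegativeArraySizeException`, or a call that never returns and trips the engine's timeout) is exactly the "unexpected outcome" the fuzzer reports.

```java
// Added example (not from the original post): a Jazzer-style fuzz target for
// Apache Commons Compress. Assumes jazzer-api and commons-compress on the
// classpath; ArchiveFuzzer and MAX_ENTRY_BYTES are names chosen for this example.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

public class ArchiveFuzzer {
    // Upper bound on bytes read per entry, so a bogus size field in the fuzzed
    // input cannot turn the harness itself into an out-of-memory finding.
    private static final int MAX_ENTRY_BYTES = 1 << 20;

    // Jazzer's entry point: called once per fuzzer-generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        byte[] input = data.consumeRemainingAsBytes();
        drainArchive(input);
    }

    // Parses the bytes as whatever archive format the factory auto-detects and
    // reads every entry. Declared exceptions mean "malformed input, handled";
    // undeclared ones propagate and become fuzzer findings.
    @SuppressWarnings("rawtypes") // raw type keeps this compiling on both
    static void drainArchive(byte[] input) { // pre- and post-1.24 Compress
        // ByteArrayInputStream supports mark/reset, which auto-detection needs.
        try (InputStream in = new ByteArrayInputStream(input);
             ArchiveInputStream ais = new ArchiveStreamFactory().createArchiveInputStream(in)) {
            byte[] buf = new byte[8192];
            ArchiveEntry entry;
            while ((entry = ais.getNextEntry()) != null) {
                if (!ais.canReadEntryData(entry)) {
                    continue; // e.g. unsupported compression method inside the archive
                }
                long remaining = MAX_ENTRY_BYTES;
                int n;
                while (remaining > 0
                        && (n = ais.read(buf, 0, (int) Math.min(buf.length, remaining))) != -1) {
                    remaining -= n;
                }
            }
        } catch (ArchiveException | IOException expected) {
            // Declared for malformed input: not a finding, move on to the next input.
        }
    }
}
```

Under OSS-Fuzz the engine runs `fuzzerTestOneInput` millions of times with mutated inputs, so the harness must do nothing slow or stateful; the per-entry byte cap is there because the harness should report defects in the library, not resource exhaustion it caused itself.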