The JIRA issue linked appears to be one of those reported based on the existing CVEs that were generated for jxpath.

I opened the CVE, and the link is to an oss-fuzz bug indeed:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133

If you look at the left side bar, there is a list of people notified of this issue. It should match what's in the project.yaml file I linked above in the GitHub oss-fuzz repository. As far as I know, that OSS Fuzz fuzzing issue was reported to those parties, but unfortunately didn't reach a developer in Commons able to work following our security process to tackle the issue and release a new version.

-Bruno

On Tue, 11 Oct 2022 at 10:36, Bruno Kinoshita <ki...@apache.org> wrote:

> Hi Eric,
>
> As far as I know, there is no integration between issues found in OSS Fuzz and our JIRA. Issues reported in OSS Fuzz exist only there. And security issues shouldn't go to JIRA if possible (according to ASF's security policies, I believe?).
>
> Here's the workflow I have been using for Commons Imaging:
>
> 1. View issues
>    1. Log in to oss-fuzz.com with my GitHub login (there's a Google one too). It recognizes that my email is authorized to view oss-fuzz issues for the apache-commons project, so it shows the "Testcases" with crashes for the fuzzer. OR
>    2. Get the direct link to a Testcase from an email from
> 2. Expand a Testcase
> 3. Read the Stacktrace
> 4. Download the Unminimized Testcase - this is the payload used for testing; in the case of Imaging this is normally a PNG, GIF, etc. image file that was automatically generated by the fuzzer
> 5. Test with Commons Imaging and other tools to validate the issue (e.g. GIMP, exiftool, etc.)
>    1. If I reproduce it locally, and identify it as something that doesn't need to be fixed (e.g. a file with a thumbnail that wants to allocate 10GB of memory in a 2GB JVM/server), then I can mark the testcase as not security or fixed
>    2. If I reproduce it locally and the issue is indeed a security issue, then I prepare a fix and work following the Apache Commons Security guidelines: https://commons.apache.org/security.html
>
> This way OSS Fuzz issues contribute positively to the project, identifying issues I or other maintainers wouldn't have picked otherwise. We follow the Commons and ASF security process as best as we can as volunteers (i.e. within a time frame we can allocate to work on this issue) to fix the issue and prepare a CVE if needed, cutting a new release.
>
> This is the complete process that I've used in Imaging. Not sure if jxpath must follow the same process, but I guess it would be something similar, or at least according to Commons & ASF security guidelines and processes.
>
> -Bruno
>
>
> On Tue, 11 Oct 2022 at 10:25, Eric Bresie <ebre...@gmail.com> wrote:
>
>> Or is that this
>> https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues
>>
>> Get Outlook for iOS<https://aka.ms/o0ukef>
>> ________________________________
>> From: Eric Bresie <ebre...@gmail.com>
>> Sent: Monday, October 10, 2022 4:22:42 PM
>> To: Commons Developers List <dev@commons.apache.org>
>> Subject: Re: [jxpath] reported CVE and path forward
>>
>> So then discussed here (1) (which I assume is what's being done here) and bugs raised here (2)? Has (2) been done yet?
>>
>> 1. https://commons.apache.org/proper/commons-jxpath/mail-lists.html
>> 2. https://commons.apache.org/proper/commons-jxpath/issue-tracking.html
>>
>>
>> Get Outlook for iOS<https://aka.ms/o0ukef>
>> ________________________________
>> From: Bruno Kinoshita <ki...@apache.org>
>> Sent: Monday, October 10, 2022 4:15:03 PM
>> To: Commons Developers List <dev@commons.apache.org>
>> Subject: Re: [jxpath] reported CVE and path forward
>>
>> Hi Eric,
>>
>> > For my understanding, is oss-fuzz an open source project that is maintained and managed by Google (and is not an Apache project) but is for "fuzz testing" with a portion focused on Apache Commons products?
>> >
>>
>> That's my understanding too, although I am not sure if it is maintained and managed solely by Google. But you are correct in that oss-fuzz is not an Apache project. It is an external service similar to GitHub Actions, Dependabot, Codecov, etc.
>>
>> > So am I correct in saying oss-fuzz is run against Apache Commons, which may find problems in Commons. So any findings would be identified as a bug and fixed as applicable?
>> >
>>
>> That sounds correct to me.
>>
>> There is an apache-commons oss-fuzz project created in the oss-fuzz GitHub repository. That becomes a project in the oss-fuzz web system which I and other ASF members have access to - anyone from ASF can request access: https://oss-fuzz.com
>>
>> It was created some time ago, and Commons Imaging was one of the first included. We (ASF Commons) were involved in setting up that project, so that someone from ASF would receive notifications (by being CC'ed in oss-fuzz notifications). We decided against using the dev-list, so only those that volunteered at the time receive emails.
>>
>> I checked the GitHub repository today, and found other Commons components, that are not part of the apache-commons project, and that have the notifications configured to emails of a security company. So in this case the findings in Commons repositories would be identified as a bug and reported to that company, without - as far as I can tell - involvement of ASF Commons devs.
>>
>> Hope that clarifies,
>>
>> Bruno
>>
>>
>> On Tue, 11 Oct 2022 at 10:06, Eric Bresie <ebre...@gmail.com> wrote:
>>
>> > For my understanding, is oss-fuzz an open source project that is maintained and managed by Google (and is not an Apache project) but is for "fuzz testing" with a portion focused on Apache Commons products?
>> >
>> > So am I correct in saying oss-fuzz is run against Apache Commons, which may find problems in Commons. So any findings would be identified as a bug and fixed as applicable?
>> >
>> >
>> > Get Outlook for iOS<https://aka.ms/o0ukef>
>> > ________________________________
>> > From: Bruno Kinoshita <ki...@apache.org>
>> > Sent: Monday, October 10, 2022 3:51:30 PM
>> > To: Commons Developers List <dev@commons.apache.org>
>> > Subject: Re: Re: [jxpath] reported CVE and path forward
>> >
>> > Hi Matt,
>> >
>> > I am also subscribed to oss-fuzz for Imaging.
>> >
>> > Looks like someone added jxpath to oss-fuzz here:
>> > https://github.com/google/oss-fuzz/pull/7582
>> >
>> > The initial oss-fuzz for ASF was, if I recall correctly, all put under a single project:
>> > https://github.com/google/oss-fuzz/tree/master/projects/apache-commons
>> >
>> > If you go one level higher in that repository link, you will see there are now other projects in oss-fuzz for other Commons components.
>> >
>> > The apache-commons project (that contains Imaging, Compress, and Geometry) had a custom policy, agreed in the mailing list and later with someone that maintained oss-fuzz, where ASF issues were not disclosed in 90 days, but instead gave us more time to align the issues with our ASF process.
>> >
>> > I am not sure if these other projects follow a similar policy, nor if the ASF developers are aware of the integration (I only keep an eye on compress/imaging/geometry notifications from the apache-commons project). Also not sure whether it's better to have everything in a single project in oss-fuzz or in separate projects. I'm happy with Imaging being a single oss-fuzz project if needed, but I prefer to keep the policy of giving a longer time to review the issues. I try to review important issues quickly, but the ones that I know are very low priority or won't be fixed (e.g. OOM) I leave for later.
>> >
>> > Cheers
>> > Bruno
>> >
>> > On Tue, 11 Oct 2022 at 09:01, Matt Sicker <boa...@gmail.com> wrote:
>> >
>> > > I get emails about some of the Commons fuzzing things, but I was only aware of it being enabled for compress and imaging.
>> > >
>> > > On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner <wag...@code-intelligence.com> wrote:
>> > > >
>> > > > Hi all,
>> > > >
>> > > > I am working for Code Intelligence; we did our best to find a maintainer for the oss-fuzz project. Unfortunately we've got no feedback until now, but it seems to be an unmaintained project except for some typo fixes since some years. I am not sure yet to which mailing list the bug report was sent, but I will check that information with the team.
>> > > >
>> > > > However, I am really happy that there is some interest in fixing the RCE. I have verified the vulnerability and for me it seems to be a valid RCE. @Mark Thomas should we continue to discuss further details via secur...@apache.org?
>> > > >
>> > > > Best regards
>> > > > Roman
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> > > For additional commands, e-mail: dev-h...@commons.apache.org
>> > >
>> > >
>> >
>>
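The thread's practical concern is who actually receives an oss-fuzz crash report: the CC list on the bug is driven by the project's project.yaml, and a component whose notifications point only at a third party never reaches its own maintainers. As an added example (not part of the thread, and not oss-fuzz's or Apache Commons' own tooling), the script below parses a constructed project.yaml in the shape oss-fuzz uses (the field names `primary_contact`, `auto_ccs` and `vendor_ccs` are the real ones; every address and value in the sample is a placeholder) and reports which recipients are on domains the project controls and which are external. The parser deliberately handles only the flat key/list subset that file uses and is an assumption, not a general YAML parser.

```python
# Constructed sample of an oss-fuzz projects/<name>/project.yaml. The field
# names are the ones oss-fuzz uses; the addresses are placeholders, not the
# real apache-commons contacts.
SAMPLE_PROJECT_YAML = """\
homepage: "https://commons.apache.org/"
language: jvm
primary_contact: "maintainer@example.org"
auto_ccs:
  - "dev-a@example.org"
  - "scanner@vendor.example"
vendor_ccs:
  - "triage@vendor.example"
main_repo: "https://github.com/apache/commons-jxpath"
fuzzing_engines:
  - libfuzzer
sanitizers:
  - address
"""


def _unquote(value):
    """Strip one layer of matching single or double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_flat_yaml(text):
    """Parse the flat subset of YAML used by project.yaml: scalar keys plus
    simple block lists. Assumption: no nested mappings, no inline flow syntax."""
    data = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.lstrip().startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            current_list.append(_unquote(line.lstrip()[2:]))
            continue
        # partition on the first colon only, so URL values keep their "://"
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":
            data[key] = []          # block list follows on the next lines
            current_list = data[key]
        else:
            data[key] = _unquote(value)
            current_list = None
    return data


def notified_addresses(project):
    """Every address the tracker would CC on a new crash bug for this project."""
    addrs = []
    if project.get("primary_contact"):
        addrs.append(project["primary_contact"])
    for key in ("auto_ccs", "vendor_ccs"):
        addrs.extend(project.get(key, []))
    return addrs


def check_notification_coverage(addresses, trusted_domains):
    """Split recipients into addresses on project-controlled domains and
    external ones. 'covered' is False when no maintainer-side address is CC'ed,
    which is the situation the thread describes."""
    trusted_domains = {d.lower() for d in trusted_domains}
    trusted = [a for a in addresses if a.rsplit("@", 1)[-1].lower() in trusted_domains]
    external = [a for a in addresses if a not in trusted]
    return {"trusted": trusted, "external": external, "covered": bool(trusted)}


if __name__ == "__main__":
    project = parse_flat_yaml(SAMPLE_PROJECT_YAML)
    report = check_notification_coverage(notified_addresses(project), {"example.org"})
    print("project-side recipients:", report["trusted"])
    print("external recipients:    ", report["external"])
    print("maintainers notified:   ", report["covered"])
```

Run it against a real project.yaml by replacing the sample text with the file contents and `{"example.org"}` with the domains the project's maintainers actually use; an empty `trusted` list means a crash filed for that project is visible only to the external recipients, which is exactly the gap Bruno describes for the components wired to a security company's addresses.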