Hi Bruno, hi Eric, I think we've just missed the discussion that you want to get notifications about Bug reports for all apache-commons projects integrated in oss-fuzz. For that reason, we have tried to reach to the projects maintainers via public issues for every new project during the onboarding. Since we are not focusing only on apache commons software we are not familiar with your internal process, however we are flexible to adopt. We are very interested in any collaboration with maintainers if we are able to reach them. From your discussion I suggest that we first of all give you access to all those projects and later on merge those different oss-fuzz projects into one project. Which email addresses should we add? In appache-commons there are the following four:
- fuzz-test...@commons.apache.org - brunodepau...@gmail.com - peteralfred...@gmail.com - boa...@gmail.com Should I add all of them? Should I add any additional mail address? Best regards Roman On Tue, Oct 11, 2022 at 12:13 AM Bruno Kinoshita <ki...@apache.org> wrote: > Hi Matt, > > I don't think this fuzz project should be making any of these issues > > public unless they plan to donate some developers to fix the issues, > > too. This is an ASF project, not some Google-sponsored OSS project > > staffed with Google employees. > > > > I agree. This was the reason for the apache-commons project with a > different policy. > > In my opinion, the issue here is a company that profits from security > testing services/software-as-service setting up oss-fuzz to send > notifications to their internal team. Even though they say they tried to > communicate with us, a delay in having a response should not mean they must > make it public anyway. > > It would be fine (again, IMO) to bring those Commons components under the > apache-commons oss-fuzz project, and remove the existing projects that do > not notify anyone from the ASF. That way we would receive notifications and > could take some action to fix it. > > Bruno > > On Tue, 11 Oct 2022 at 10:57, Matt Sicker <boa...@gmail.com> wrote: > > > I don't think this fuzz project should be making any of these issues > > public unless they plan to donate some developers to fix the issues, > > too. This is an ASF project, not some Google-sponsored OSS project > > staffed with Google employees. > > > > On Mon, Oct 10, 2022 at 4:41 PM Bruno Kinoshita <ki...@apache.org> > wrote: > > > > > > The JIRA issue linked appears to be one of those reported based on the > > > existing CVE's that were generated for jxpath. > > > > > > I opened the CVE, and the link is to an oss-fuzz bug indeed: > > > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 > > > > > > If you look at the left side bar, there is a list of people notified of > > > this issue. It should match what's in the project.yaml file I linked > > above > > > in GitHub oss-fuzz repository. As far as I know, that OSS Fuzz fuzzing > > > issue was reported to those parties, but unfortunately didn't reach a > > > developer in commons able to work following our security process to > > tackle > > > the issue and release a new version. > > > > > > -Bruno > > > > > > On Tue, 11 Oct 2022 at 10:36, Bruno Kinoshita <ki...@apache.org> > wrote: > > > > > > > Hi Eric, > > > > > > > > As far as I know, there is no integration between issues found in OSS > > Fuzz > > > > and our JIRA. Issues reported in OSS Fuzz exist only there. And > > security > > > > issues shouldn't go to JIRA if possible (according to ASF's security > > > > policies, I believe?). > > > > > > > > Here's the workflow I have been using for Commons Imaging: > > > > > > > > > > > > 1. View issues > > > > 1. Log in to oss-fuzz.com with my GitHub log in (there's a > > Google > > > > one too). It recognizes that my email is authorized to view > > oss-fuzz issues > > > > for the apache-commons project, so it shows the “Testcases” > with > > crashes > > > > for the fuzzer. OR > > > > 2. Get the direct link to a Testcase from an email from > > > > 2. Expand a Testcase > > > > 3. Read the Stacktrace > > > > 4. Download the Unminimized Testcase - this is the payload used > for > > > > testing, in the case of Imaging this is normally a PNG, GIF, etc. > > image > > > > file that was automatically generated by the fuzzer > > > > 5. Test with Commons Imaging and other tools to validate the issue > > > > (e.g. GIMP, exiftool, etc) > > > > 1. If I reproduce it locally, and identify as something that > > > > doesn't need to be fixed (e.g. a file with a thumbnail that > > wants to > > > > allocate 10GB of memory in a 2GB JVM/server) then I can mark > the > > testcase > > > > as not security or fixed > > > > 2. If I reproduce it locally and the issue is indeed a security > > > > issue, then I prepare a fix and work following the Apache > > Commons Security > > > > guidelines: https://commons.apache.org/security.html > > > > > > > > This way OSS Fuzz issues contribute positively to the project, > > identifying > > > > issues I or other maintainers wouldn't have picked otherwise. We > > follow the > > > > Commons and ASF security process as best as we can as volunteers > (i.e. > > > > within a time frame we can allocate to work on this issue) to fix the > > issue > > > > and prepare a CVE if needed, cutting a new release. > > > > > > > > This is the complete process that I've used in Imaging. Not sure if > > jxpath > > > > must follow the same process, but I guess it would be something > > similar, or > > > > at least according to Commons & ASF security guidelines and > processes. > > > > > > > > -Bruno > > > > > > > > > > > > On Tue, 11 Oct 2022 at 10:25, Eric Bresie <ebre...@gmail.com> wrote: > > > > > > > >> Or is that this > > > >> > > > https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues > > > >> > > > >> Get Outlook for iOS<https://aka.ms/o0ukef> > > > >> ________________________________ > > > >> From: Eric Bresie <ebre...@gmail.com> > > > >> Sent: Monday, October 10, 2022 4:22:42 PM > > > >> To: Commons Developers List <dev@commons.apache.org> > > > >> Subject: Re: [jxpath] reported CVE and path forward > > > >> > > > >> So then discussed here (1) (which assume is what’s being done here) > > and > > > >> bugs raised here (2)? Has (2) been done yet? > > > >> > > > >> 1. > > https://commons.apache.org/proper/commons-jxpath/mail-lists.html > > > >> 2. > > > >> > https://commons.apache.org/proper/commons-jxpath/issue-tracking.html > > > >> > > > >> > > > >> Get Outlook for iOS<https://aka.ms/o0ukef> > > > >> ________________________________ > > > >> From: Bruno Kinoshita <ki...@apache.org> > > > >> Sent: Monday, October 10, 2022 4:15:03 PM > > > >> To: Commons Developers List <dev@commons.apache.org> > > > >> Subject: Re: [jxpath] reported CVE and path forward > > > >> > > > >> Hi Eric, > > > >> > > > >> For my understanding, is oss-fuzz an open source project that is > > > >> maintained > > > >> > and managed by Google (and is not an Apache project) but is for > > “fuzz > > > >> > testing” with portion focused on Apache common products? > > > >> > > > > >> > > > >> That's my understanding too, although I am not sure if it is > > maintained > > > >> and > > > >> managed solely by Google. But you are correct in that oss-fuzz is > not > > an > > > >> Apache project. It is an external service similar to GitHub Actions, > > > >> Dependabot, Codecov, etc. > > > >> > > > >> So am I correct in saying run oss-fuzz against Apache-common, which > > may > > > >> > find problems in commons. So any findings would be identified as > a > > bug > > > >> and > > > >> > fix as applicable? > > > >> > > > > >> > > > >> That sounds correct to me. > > > >> > > > >> There is an apache-commons oss-fuzz project created in the oss-fuzz > > GitHub > > > >> repository. That becomes a project in the oss-fuzz web system which > I > > and > > > >> other ASF members have access to - anyone from ASF can request > access: > > > >> https://oss-fuzz.com > > > >> > > > >> It was created some time ago, and Commons Imaging was one of the > first > > > >> included. We (ASF Commons) were involved in setting up that project, > > so > > > >> that someone from ASF would receive notifications (by being CC'ed in > > > >> oss-fuzz notifications). We decided against using the dev-list, so > > only > > > >> those that volunteered at the time receive emails. > > > >> > > > >> I checked the GitHub repository today, and found other Commons > > Components, > > > >> that are not part of the apache-commons project, and that have the > > > >> notifications configured to emails of a security company. So in this > > case > > > >> the findings in Commons repositories would be identified as a bug > and > > > >> report to that company, without - as far as I can tell - involvement > > of > > > >> ASF > > > >> Commons devs. > > > >> > > > >> Hope that clarifies, > > > >> > > > >> Bruno > > > >> > > > >> > > > >> On Tue, 11 Oct 2022 at 10:06, Eric Bresie <ebre...@gmail.com> > wrote: > > > >> > > > >> > For my understanding, is oss-fuzz an open source project that is > > > >> > maintained and managed by Google (and is not an Apache project) > but > > is > > > >> for > > > >> > “fuzz testing” with portion focused on Apache common products? > > > >> > > > > >> > So am I correct in saying run oss-fuzz against Apache-common, > which > > may > > > >> > find problems in commons. So any findings would be identified as > a > > bug > > > >> and > > > >> > fix as applicable? > > > >> > > > > >> > > > > >> > Get Outlook for iOS<https://aka.ms/o0ukef> > > > >> > ________________________________ > > > >> > From: Bruno Kinoshita <ki...@apache.org> > > > >> > Sent: Monday, October 10, 2022 3:51:30 PM > > > >> > To: Commons Developers List <dev@commons.apache.org> > > > >> > Subject: Re: Re: [jxpath] reported CVE and path forward > > > >> > > > > >> > Hi Matt, > > > >> > > > > >> > I am also subscribed to oss-fuzz for Imaging. > > > >> > > > > >> > Looks like someone added jxpath to oss-fuzz here: > > > >> > https://github.com/google/oss-fuzz/pull/7582 > > > >> > > > > >> > The initial oss-fuzz for ASF was, if I recall correctly, all put > > under a > > > >> > single project: > > > >> > > > https://github.com/google/oss-fuzz/tree/master/projects/apache-commons > > > >> > > > > >> > If you go one level higher in that repository link, you will see > > there > > > >> are > > > >> > now other projects in oss-fuzz for other Commons components. > > > >> > > > > >> > The apache-commons project (that contains Imaging, Compress, and > > > >> Geometry) > > > >> > had a custom policy, agreed in the mailing list and later with > > someone > > > >> that > > > >> > maintained oss-fuzz, where ASF issues were not disclosed in 90 > > days, but > > > >> > instead gave us more time to align the issues with our ASF > process. > > > >> > > > > >> > I am not sure if these other projects follow similar policy, nor > if > > the > > > >> ASF > > > >> > developers are aware of the integration (I only keep an eye on > > > >> > compress/imaging/geometry notifications from the apache-commons > > > >> project). > > > >> > Also not sure whether it's better to have everything in a single > > > >> project in > > > >> > oss-fuzz or in separate projects. I'm happy with Imaging being a > > single > > > >> > oss-fuzz project if needed, but I prefer to keep the policy of > > giving a > > > >> > longer time to review the issues. I try to review important issues > > > >> quickly, > > > >> > but the ones that I know are very low priority or won't be fixed > > (e.g. > > > >> OOM) > > > >> > I leave for later. > > > >> > > > > >> > Cheers > > > >> > Bruno > > > >> > > > > >> > On Tue, 11 Oct 2022 at 09:01, Matt Sicker <boa...@gmail.com> > wrote: > > > >> > > > > >> > > I get emails about some of the Commons fuzzing things, but I was > > only > > > >> > > aware of it being enabled for compress and imaging. > > > >> > > > > > >> > > On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner > > > >> > > <wag...@code-intelligence.com> wrote: > > > >> > > > > > > >> > > > Hi all, > > > >> > > > > > > >> > > > I am working for Code Intelligence we did our best to find a > > > >> maintainer > > > >> > > for > > > >> > > > the oss-fuzz project. Unfortunately we've got no feedback > until > > now, > > > >> > but > > > >> > > It > > > >> > > > seems to be an unmaintained project except for some typo fixes > > since > > > >> > some > > > >> > > > years. I am not sure yet to which mailing list the bug report > > was > > > >> send > > > >> > > to, > > > >> > > > but I will check that information with the team. > > > >> > > > > > > >> > > > However, I am really happy that there is some interest in > > fixing the > > > >> > > RCE. I > > > >> > > > have verified the vulnerability and for me it seems to be a > > valid > > > >> > > > RCE. @Mark Thomas should we continue to discuss further > details > > via > > > >> > > > secur...@apache.org? > > > >> > > > > > > >> > > > Best regards > > > >> > > > Roman > > > >> > > > > > >> > > > > --------------------------------------------------------------------- > > > >> > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > > >> > > For additional commands, e-mail: dev-h...@commons.apache.org > > > >> > > > > > >> > > > > > >> > > > > >> > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > > -- Roman Wagner Application Security Engineer Code Intelligence Rheinwerkallee 6 53227 Bonn Amtsgericht Bonn HRB 23408 Geschäftsführer: Sergej Dechand, Dr. Khaled Yakdan
