Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Tero Saarni
On Tuesday, May 25, 2021 00:04 Bernd wrote:
> BTW: I was not aware that JFrog has its own vulnerability feed, is that the
> Snyk Knowledge Base or do they have their own analysts?

They used to use Snyk, but since a few years ago they say it is based on VulnDB from Risk Based Security.

-- Tero [1]

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Stefan Bodewig
On 2021-05-24, Bernd wrote:
> On Mon., 24 May 2021 at 20:46, Matt Sicker wrote:
>> There's also a bit of an issue of fixing these types of
>> vulnerabilities at the library level. The library itself typically
>> won't have much in the way of a security model until you integrate it
>> into a

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Bernd
Hello,

On Mon., 24 May 2021 at 20:46, Matt Sicker wrote:
> There's also a bit of an issue of fixing these types of
> vulnerabilities at the library level. The library itself typically
> won't have much in the way of a security model until you integrate it
> into an application.

That is tr

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Matt Sicker
There's also a bit of an issue of fixing these types of vulnerabilities at the library level. The library itself typically won't have much in the way of a security model until you integrate it into an application. For example, if you only use commons-compress on trusted input, then even high availa

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Fabian Meumertzheim
The JFrog reports seem to reference the following two OSS-Fuzz findings, which have not been classified as security issues: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34437 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33959 OSS-Fuzz and Jazzer, its Java fuzzer, never mark unca
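As an added example (not code from this thread, from OSS-Fuzz, or from Commons Compress itself), the harness below shows the two halves of what Matt Sicker and Fabian Meumertzheim are describing: a Jazzer-style fuzz target around commons-compress's `ZipFile` in which only `IOException` counts as the documented failure mode, so any other exception escapes and is what OSS-Fuzz files as an "Uncaught exception" finding; and the consumer-side guard an application needs when it feeds the same API untrusted bytes, where an unchecked exception is just "bad input" rather than a crash. The class name `ZipFileFuzzer`, the helpers `walk` and `isReadableArchive`, and the two constructed inputs in `main` are assumptions made for the example; `ZipFile(SeekableByteChannel)`, `SeekableInMemoryByteChannel`, `canReadEntryData` and `getInputStream` are real commons-compress API, and `fuzzerTestOneInput(byte[])` is Jazzer's entry-point convention.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Enumeration;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.commons.compress.utils.SeekableInMemoryByteChannel;

/**
 * Added example (not from the thread, OSS-Fuzz or Commons Compress):
 * a Jazzer-style harness around ZipFile plus the consumer-side guard an
 * application needs when the same API is fed untrusted bytes.
 */
public class ZipFileFuzzer {

    /**
     * Jazzer entry point (byte[] form). Only IOException is treated as the
     * documented failure mode for a malformed archive; any other Throwable
     * escapes the harness, and that is what OSS-Fuzz reports as an
     * "Uncaught exception" finding, whether or not it is a security issue.
     */
    public static void fuzzerTestOneInput(byte[] input) {
        try (ZipFile zip = new ZipFile(new SeekableInMemoryByteChannel(input))) {
            walk(zip);
        } catch (IOException expected) {
            // Corrupt or truncated archive: the contract ZipFile documents.
        }
    }

    /** Enumerates every entry and drains its data, the code paths the fuzzer exercises. */
    static int walk(ZipFile zip) throws IOException {
        int entries = 0;
        Enumeration<ZipArchiveEntry> en = zip.getEntries();
        byte[] buf = new byte[8192];
        while (en.hasMoreElements()) {
            ZipArchiveEntry entry = en.nextElement();
            entries++;
            if (!zip.canReadEntryData(entry)) {
                continue; // unsupported compression method or encryption: skip, don't fail
            }
            try (InputStream in = zip.getInputStream(entry)) {
                while (in.read(buf) != -1) {
                    // drain; decompression is where most parser bugs surface
                }
            }
        }
        return entries;
    }

    /**
     * What an application that accepts archives from the network should do
     * (assumed helper): treat unchecked exceptions from the parser as "bad
     * input", not as a crash, so one request cannot take a worker down.
     * This is the library-versus-application split discussed in the thread.
     */
    public static boolean isReadableArchive(byte[] untrusted) {
        try (ZipFile zip = new ZipFile(new SeekableInMemoryByteChannel(untrusted))) {
            walk(zip);
            return true;
        } catch (IOException | RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a 22-byte archive consisting only of the
        // end-of-central-directory record (an empty ZIP), and a buffer that
        // is not a ZIP at all.
        byte[] emptyZip = new byte[22];
        emptyZip[0] = 'P'; emptyZip[1] = 'K'; emptyZip[2] = 5; emptyZip[3] = 6;
        byte[] garbage = "definitely not a zip".getBytes(StandardCharsets.US_ASCII);

        System.out.println("empty zip readable: " + isReadableArchive(emptyZip));
        System.out.println("garbage readable:   " + isReadableArchive(garbage));
        fuzzerTestOneInput(garbage); // IOException is absorbed; nothing is reported
    }
}
```

Run `main` for the stand-alone check; under Jazzer only `fuzzerTestOneInput` is invoked. The deliberate asymmetry is the point: the harness catches `IOException` only, so that a `RuntimeException` out of a path like `readCentralDirectoryEntry` is surfaced and triaged, while the application-side guard catches both, because at a trust boundary "the archive was malformed" is the only thing the caller needs to know.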

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Stefan Bodewig
On 2021-05-24, Tero Saarni wrote:
> We are getting reports from JFrog Xray vulnerability scanner that seem
> to be related to recently fixed OSS-Fuzz issues:

I wasn't aware of this effect. This is very unfortunate.

> * Summary: Apache Commons Compress archivers/zip/ZipFile.java
> ZipFile::read

OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Tero Saarni
Hi,

We are getting reports from JFrog Xray vulnerability scanner that seem to be related to recently fixed OSS-Fuzz issues:

* Summary: Apache Commons Compress archivers/zip/ZipFile.java ZipFile::readCentralDirectoryEntry() Function Uncaught Exception DoS
  Severity: High
* Summary: Apache Comm