+1 for oss fuzz. Fabian also got in contact a few days earlier, and asked me
about using it with Commons Imaging. I told him it had to be discussed here
first, but that I thought it could be useful (we are parsing several image file
formats, probably a few things could be improved).
As for the mailing list, for me it depends on the amount of messages, and
false-positives. i.e. if we get 50 e-mails in security@commons in one week, and
turns out only 1 is actually a security issue, and the others are either normal
bugs and no bugs, then eventually I think I'd just create a filter to move all
the security@commons to a folder and have a look someday.
I think we don't have any idea how many e-mails we might get enabling it for
one or for a few components. So I'd be OK with
- sending e-mails to security@commons initially, but if it spams the list with
non-security related e-mails, then move to a separate mailing list; OR
- create the new mailing list (probably private too? until we filter the
issues?) and use it for a few weeks/months. If the traffic is low, or most
issues are really security related, then move to security@commons if others
agree
Either way would be OK for me.
Cheers
Bruno
On Wednesday, 14 April 2021, 4:49:31 am NZST, Stefan Bodewig
<[email protected]> wrote:
Hi all
I want to pick up (and finish) the discussion that started in
Compress[1].
Short Recap:
============
OSS Fuzz[2] runs fuzz testing for open source projects by invoking
methods of our code with random data looking for unexpected outcomes
(undeclared exceptions or worse code that never returns because it is
stuck in an infinite loop for example).
For Compress Fabian (who started [1]) has already identified and
reported several issues, one of which would have become a CVE if the
code in question had been part of any release of Compress. In the past
other people have run different fuzzers and found "interesting" results
in Compress as well.
Compress may be especially vulnerable as it basically tries to make
sense out of a bunch of user supplied bytes - but the same is probably
true for codec or imaging for example.
Fabian has offered to set up OSS Fuzz for Compress. Given that the
issues OSS Fuzz detects may or may not be security sensitive, I don't
feel it would be a good idea to have the tool send reports to a public
mailing list. Therefore I propose to create another subscription
moderated list just for these kinds of reports. I'm afraid it could be
too noisy for security@commons.
Proposal
========
Unless anybody objects until then I will create such a list (I believe
there is a self-service thingy for that, otherwise I'll ask the infra
folks) on the coming Sunday. I'd add myself as a moderator but we will
need more moderators. Also I'll gladly accept ideas for the name of the
list.
If there are objections against yet another mailing list I'll ask Fabian
to set things up using a private mail alias. If you want to receive the
messages as well, please tell me.
Cheers
Stefan
[1]
https://lists.apache.org/thread.html/rb34ea7d9272b8e600437ea705b13aba1bcc2f23ceb55880bce27e479%40%3Cdev.commons.apache.org%3E
[2] https://google.github.io/oss-fuzz/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
