Hi Matt,

I am also subscribed to oss-fuzz for Imaging.

Looks like someone added jxpath to oss-fuzz here:
https://github.com/google/oss-fuzz/pull/7582

The initial oss-fuzz for ASF was, if I recall correctly, all put under a
single project:
https://github.com/google/oss-fuzz/tree/master/projects/apache-commons

If you go one level higher in that repository link, you will see there are
now other projects in oss-fuzz for other Commons components.

The apache-commons project (that contains Imaging, Compress, and Geometry)
had a custom policy, agreed on the mailing list and later with someone who
maintained oss-fuzz, where ASF issues were not disclosed after 90 days but
instead we were given more time to align the issues with our ASF process.

I am not sure if these other projects follow a similar policy, nor whether
the ASF developers are aware of the integration (I only keep an eye on
compress/imaging/geometry notifications from the apache-commons project).
I am also not sure whether it's better to have everything in a single
project in oss-fuzz or in separate projects. I'm happy with Imaging being a
single oss-fuzz project if needed, but I prefer to keep the policy of giving
a longer time to review the issues. I try to review important issues
quickly, but the ones that I know are very low priority or won't be fixed
(e.g. OOM) I leave for later.

Cheers
Bruno

On Tue, 11 Oct 2022 at 09:01, Matt Sicker <boa...@gmail.com> wrote:

> I get emails about some of the Commons fuzzing things, but I was only
> aware of it being enabled for compress and imaging.
>
> On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner
> <wag...@code-intelligence.com> wrote:
> >
> > Hi all,
> >
> > I am working for Code Intelligence; we did our best to find a maintainer
> > for the oss-fuzz project. Unfortunately we've got no feedback until now,
> > but it seems to be an unmaintained project except for some typo fixes
> > since some years. I am not sure yet to which mailing list the bug report
> > was sent, but I will check that information with the team.
> >
> > However, I am really happy that there is some interest in fixing the RCE.
> > I have verified the vulnerability and for me it seems to be a valid RCE.
> > @Mark Thomas should we continue to discuss further details via
> > secur...@apache.org?
> >
> > Best regards
> > Roman
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>