Sure, I can take a look, but it might be a few days or longer. Be aware that jxpath is not as active a component as some of our others. There is also might not be original authors left around to evaluate and opine, so we'll have to be careful.
Gary On Sat, Oct 15, 2022, 07:31 Khaled Yakdan <yak...@code-intelligence.com> wrote: > Hi all, > > We have submitted a PR to fix the vulnerability based on an allow list: > https://github.com/apache/commons-jxpath/pull/26 > > With this fix, no classes are allowed by default unless users explicitly > specify which classes are allowed using a system property. Are there any > volunteers who can have a look at the PR and merge it once approved? > > Cheers, > Khaled > > On 2022/10/11 15:25:06 Mike Drob wrote: > > Thanks for this outline, Mark. Some questions in line. > > > > Mike > > > > On Tue, Oct 11, 2022 at 6:13 AM Mark Thomas <ma...@apache.org> wrote: > > > > > Roman - don't do anything yet. > > > > > > Commons folk, I suggest the following which is based on how we have > > > oss-fuzz setup on Tomcat. > > > > > > 1. Create a Google account for fuzz-testing@c.a.o > > > 2. Put the password for the account in the PMC private shared repo so > > > any PMC member can access these reports. > > > > > > > If the dashboard doesn't support groups then maybe this is the only way. > > Otherwise I think it would be very nice if we could use ASF committer > info > > or possibly github info since that often has mirrored groups of our > > internal organizational structure. > > > > > > > 3. Get Roman to add this account to the JXPath oss-fuzz project and the > > > projects for any other Commons components they have set up > > > > > > > Maybe it makes sense to group all of the apache-commons-* projects under > > the general apache-commons module at > > https://github.com/google/oss-fuzz/tree/master/projects/ > > That module is the one that was initially set up, including compress and > > imaging as mentioned by Matt S upthread. > > > > > > > 4. Review the reports once we have access via fuzz-testing@c.a.o (I'll > > > volunteer to help with this as I have some experience from Tomcat which > > > should speed things up) > > > > > > > I would be happy to volunteer. > > > > > > > 5. Ask the ASF security to get all CVEs allocated by Google to Apache > > > Commons components transferred to the ASF (we can edit them once we > have > > > ownership) > > > 6. Ask the ASF security team to contact Google to make sure that Google > > > follows the CNA rules and stops allocating CVEs for projects outside of > > > its scope. > > > > > > If there is agreement to this approach, I'll volunteer to get the > things > > > on the list above done. Depending on the number of issues, I may be > > > asking for help with 4. > > > > > > Given this is all public, I don't see any need to use the > security@c.a.o > > > list unless we come across a valid, non-public issue. > > > > > > Mark > > > > > > > > > > > > On 11/10/2022 00:29, Roman Wagner wrote: > > > > Hi Bruno, hi Eric, > > > > > > > > I think we've just missed the discussion that you want to get > > > notifications > > > > about Bug reports for all apache-commons projects integrated in > oss-fuzz. > > > > For that reason, we have tried to reach to the projects maintainers > via > > > > public issues for every new project during the onboarding. Since we > are > > > not > > > > focusing only on apache commons software we are not familiar with > your > > > > internal process, however we are flexible to adopt. We are very > > > interested > > > > in any collaboration with maintainers if we are able to reach them. > From > > > > your discussion I suggest that we first of all give you access to all > > > those > > > > projects and later on merge those different oss-fuzz projects into > one > > > > project. Which email addresses should we add? In appache-commons > there > > > are > > > > the following four: > > > > > > > > - fuzz-test...@commons.apache.org > > > > - brunodepau...@gmail.com > > > > - peteralfred...@gmail.com > > > > - boa...@gmail.com > > > > > > > > Should I add all of them? Should I add any additional mail address? > > > > > > > > Best regards > > > > Roman > > > > > > > > On Tue, Oct 11, 2022 at 12:13 AM Bruno Kinoshita <ki...@apache.org> > > > wrote: > > > > > > > >> Hi Matt, > > > >> > > > >> I don't think this fuzz project should be making any of these issues > > > >>> public unless they plan to donate some developers to fix the > issues, > > > >>> too. This is an ASF project, not some Google-sponsored OSS project > > > >>> staffed with Google employees. > > > >>> > > > >> > > > >> I agree. This was the reason for the apache-commons project with a > > > >> different policy. > > > >> > > > >> In my opinion, the issue here is a company that profits from > security > > > >> testing services/software-as-service setting up oss-fuzz to send > > > >> notifications to their internal team. Even though they say they > tried to > > > >> communicate with us, a delay in having a response should not mean > they > > > must > > > >> make it public anyway. > > > >> > > > >> It would be fine (again, IMO) to bring those Commons components > under > > > the > > > >> apache-commons oss-fuzz project, and remove the existing projects > that > > > do > > > >> not notify anyone from the ASF. That way we would receive > notifications > > > and > > > >> could take some action to fix it. > > > >> > > > >> Bruno > > > >> > > > >> On Tue, 11 Oct 2022 at 10:57, Matt Sicker <bo...@gmail.com> wrote: > > > >> > > > >>> I don't think this fuzz project should be making any of these > issues > > > >>> public unless they plan to donate some developers to fix the > issues, > > > >>> too. This is an ASF project, not some Google-sponsored OSS project > > > >>> staffed with Google employees. > > > >>> > > > >>> On Mon, Oct 10, 2022 at 4:41 PM Bruno Kinoshita <ki...@apache.org> > > > >> wrote: > > > >>>> > > > >>>> The JIRA issue linked appears to be one of those reported based on > the > > > >>>> existing CVE's that were generated for jxpath. > > > >>>> > > > >>>> I opened the CVE, and the link is to an oss-fuzz bug indeed: > > > >>>> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 > > > >>>> > > > >>>> If you look at the left side bar, there is a list of people > notified > > > of > > > >>>> this issue. It should match what's in the project.yaml file I > linked > > > >>> above > > > >>>> in GitHub oss-fuzz repository. As far as I know, that OSS Fuzz > fuzzing > > > >>>> issue was reported to those parties, but unfortunately didn't > reach a > > > >>>> developer in commons able to work following our security process > to > > > >>> tackle > > > >>>> the issue and release a new version. > > > >>>> > > > >>>> -Bruno > > > >>>> > > > >>>> On Tue, 11 Oct 2022 at 10:36, Bruno Kinoshita <ki...@apache.org> > > > >> wrote: > > > >>>> > > > >>>>> Hi Eric, > > > >>>>> > > > >>>>> As far as I know, there is no integration between issues found in > OSS > > > >>> Fuzz > > > >>>>> and our JIRA. Issues reported in OSS Fuzz exist only there. And > > > >>> security > > > >>>>> issues shouldn't go to JIRA if possible (according to ASF's > security > > > >>>>> policies, I believe?). > > > >>>>> > > > >>>>> Here's the workflow I have been using for Commons Imaging: > > > >>>>> > > > >>>>> > > > >>>>> 1. View issues > > > >>>>> 1. Log in to oss-fuzz.com with my GitHub log in (there's > a > > > >>> Google > > > >>>>> one too). It recognizes that my email is authorized to > view > > > >>> oss-fuzz issues > > > >>>>> for the apache-commons project, so it shows the > “Testcases” > > > >> with > > > >>> crashes > > > >>>>> for the fuzzer. OR > > > >>>>> 2. Get the direct link to a Testcase from an email from > > > >>>>> 2. Expand a Testcase > > > >>>>> 3. Read the Stacktrace > > > >>>>> 4. Download the Unminimized Testcase - this is the payload > used > > > >> for > > > >>>>> testing, in the case of Imaging this is normally a PNG, GIF, > etc. > > > >>> image > > > >>>>> file that was automatically generated by the fuzzer > > > >>>>> 5. Test with Commons Imaging and other tools to validate the > > > issue > > > >>>>> (e.g. GIMP, exiftool, etc) > > > >>>>> 1. If I reproduce it locally, and identify as something > that > > > >>>>> doesn't need to be fixed (e.g. a file with a thumbnail > that > > > >>> wants to > > > >>>>> allocate 10GB of memory in a 2GB JVM/server) then I can > mark > > > >> the > > > >>> testcase > > > >>>>> as not security or fixed > > > >>>>> 2. If I reproduce it locally and the issue is indeed a > > > security > > > >>>>> issue, then I prepare a fix and work following the Apache > > > >>> Commons Security > > > >>>>> guidelines: https://commons.apache.org/security.html > > > >>>>> > > > >>>>> This way OSS Fuzz issues contribute positively to the project, > > > >>> identifying > > > >>>>> issues I or other maintainers wouldn't have picked otherwise. We > > > >>> follow the > > > >>>>> Commons and ASF security process as best as we can as volunteers > > > >> (i.e. > > > >>>>> within a time frame we can allocate to work on this issue) to fix > the > > > >>> issue > > > >>>>> and prepare a CVE if needed, cutting a new release. > > > >>>>> > > > >>>>> This is the complete process that I've used in Imaging. Not sure > if > > > >>> jxpath > > > >>>>> must follow the same process, but I guess it would be something > > > >>> similar, or > > > >>>>> at least according to Commons & ASF security guidelines and > > > >> processes. > > > >>>>> > > > >>>>> -Bruno > > > >>>>> > > > >>>>> > > > >>>>> On Tue, 11 Oct 2022 at 10:25, Eric Bresie <eb...@gmail.com> > wrote: > > > >>>>> > > > >>>>>> Or is that this > > > >>>>>> > > > >>> > > > >> > > > > > https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues > > > >>>>>> > > > >>>>>> Get Outlook for iOS<https://aka.ms/o0ukef> > > > >>>>>> ________________________________ > > > >>>>>> From: Eric Bresie <eb...@gmail.com> > > > >>>>>> Sent: Monday, October 10, 2022 4:22:42 PM > > > >>>>>> To: Commons Developers List <de...@commons.apache.org> > > > >>>>>> Subject: Re: [jxpath] reported CVE and path forward > > > >>>>>> > > > >>>>>> So then discussed here (1) (which assume is what’s being done > here) > > > >>> and > > > >>>>>> bugs raised here (2)? Has (2) been done yet? > > > >>>>>> > > > >>>>>> 1. > > > >>> https://commons.apache.org/proper/commons-jxpath/mail-lists.html > > > >>>>>> 2. > > > >>>>>> > > > >> > https://commons.apache.org/proper/commons-jxpath/issue-tracking.html > > > >>>>>> > > > >>>>>> > > > >>>>>> Get Outlook for iOS<https://aka.ms/o0ukef> > > > >>>>>> ________________________________ > > > >>>>>> From: Bruno Kinoshita <ki...@apache.org> > > > >>>>>> Sent: Monday, October 10, 2022 4:15:03 PM > > > >>>>>> To: Commons Developers List <de...@commons.apache.org> > > > >>>>>> Subject: Re: [jxpath] reported CVE and path forward > > > >>>>>> > > > >>>>>> Hi Eric, > > > >>>>>> > > > >>>>>> For my understanding, is oss-fuzz an open source project that is > > > >>>>>> maintained > > > >>>>>>> and managed by Google (and is not an Apache project) but is for > > > >>> “fuzz > > > >>>>>>> testing” with portion focused on Apache common products? > > > >>>>>>> > > > >>>>>> > > > >>>>>> That's my understanding too, although I am not sure if it is > > > >>> maintained > > > >>>>>> and > > > >>>>>> managed solely by Google. But you are correct in that oss-fuzz > is > > > >> not > > > >>> an > > > >>>>>> Apache project. It is an external service similar to GitHub > Actions, > > > >>>>>> Dependabot, Codecov, etc. > > > >>>>>> > > > >>>>>> So am I correct in saying run oss-fuzz against Apache-common, > which > > > >>> may > > > >>>>>>> find problems in commons. So any findings would be identified > as > > > >> a > > > >>> bug > > > >>>>>> and > > > >>>>>>> fix as applicable? > > > >>>>>>> > > > >>>>>> > > > >>>>>> That sounds correct to me. > > > >>>>>> > > > >>>>>> There is an apache-commons oss-fuzz project created in the > oss-fuzz > > > >>> GitHub > > > >>>>>> repository. That becomes a project in the oss-fuzz web system > which > > > >> I > > > >>> and > > > >>>>>> other ASF members have access to - anyone from ASF can request > > > >> access: > > > >>>>>> https://oss-fuzz.com > > > >>>>>> > > > >>>>>> It was created some time ago, and Commons Imaging was one of the > > > >> first > > > >>>>>> included. We (ASF Commons) were involved in setting up that > project, > > > >>> so > > > >>>>>> that someone from ASF would receive notifications (by being > CC'ed in > > > >>>>>> oss-fuzz notifications). We decided against using the dev-list, > so > > > >>> only > > > >>>>>> those that volunteered at the time receive emails. > > > >>>>>> > > > >>>>>> I checked the GitHub repository today, and found other Commons > > > >>> Components, > > > >>>>>> that are not part of the apache-commons project, and that have > the > > > >>>>>> notifications configured to emails of a security company. So in > this > > > >>> case > > > >>>>>> the findings in Commons repositories would be identified as a > bug > > > >> and > > > >>>>>> report to that company, without - as far as I can tell - > involvement > > > >>> of > > > >>>>>> ASF > > > >>>>>> Commons devs. > > > >>>>>> > > > >>>>>> Hope that clarifies, > > > >>>>>> > > > >>>>>> Bruno > > > >>>>>> > > > >>>>>> > > > >>>>>> On Tue, 11 Oct 2022 at 10:06, Eric Bresie <eb...@gmail.com> > > > >> wrote: > > > >>>>>> > > > >>>>>>> For my understanding, is oss-fuzz an open source project that > is > > > >>>>>>> maintained and managed by Google (and is not an Apache project) > > > >> but > > > >>> is > > > >>>>>> for > > > >>>>>>> “fuzz testing” with portion focused on Apache common products? > > > >>>>>>> > > > >>>>>>> So am I correct in saying run oss-fuzz against Apache-common, > > > >> which > > > >>> may > > > >>>>>>> find problems in commons. So any findings would be identified > as > > > >> a > > > >>> bug > > > >>>>>> and > > > >>>>>>> fix as applicable? > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> Get Outlook for iOS<https://aka.ms/o0ukef> > > > >>>>>>> ________________________________ > > > >>>>>>> From: Bruno Kinoshita <ki...@apache.org> > > > >>>>>>> Sent: Monday, October 10, 2022 3:51:30 PM > > > >>>>>>> To: Commons Developers List <de...@commons.apache.org> > > > >>>>>>> Subject: Re: Re: [jxpath] reported CVE and path forward > > > >>>>>>> > > > >>>>>>> Hi Matt, > > > >>>>>>> > > > >>>>>>> I am also subscribed to oss-fuzz for Imaging. > > > >>>>>>> > > > >>>>>>> Looks like someone added jxpath to oss-fuzz here: > > > >>>>>>> https://github.com/google/oss-fuzz/pull/7582 > > > >>>>>>> > > > >>>>>>> The initial oss-fuzz for ASF was, if I recall correctly, all > put > > > >>> under a > > > >>>>>>> single project: > > > >>>>>>> > > > >>> > https://github.com/google/oss-fuzz/tree/master/projects/apache-commons > > > >>>>>>> > > > >>>>>>> If you go one level higher in that repository link, you will > see > > > >>> there > > > >>>>>> are > > > >>>>>>> now other projects in oss-fuzz for other Commons components. > > > >>>>>>> > > > >>>>>>> The apache-commons project (that contains Imaging, Compress, > and > > > >>>>>> Geometry) > > > >>>>>>> had a custom policy, agreed in the mailing list and later with > > > >>> someone > > > >>>>>> that > > > >>>>>>> maintained oss-fuzz, where ASF issues were not disclosed in 90 > > > >>> days, but > > > >>>>>>> instead gave us more time to align the issues with our ASF > > > >> process. > > > >>>>>>> > > > >>>>>>> I am not sure if these other projects follow similar policy, > nor > > > >> if > > > >>> the > > > >>>>>> ASF > > > >>>>>>> developers are aware of the integration (I only keep an eye on > > > >>>>>>> compress/imaging/geometry notifications from the apache-commons > > > >>>>>> project). > > > >>>>>>> Also not sure whether it's better to have everything in a > single > > > >>>>>> project in > > > >>>>>>> oss-fuzz or in separate projects. I'm happy with Imaging being > a > > > >>> single > > > >>>>>>> oss-fuzz project if needed, but I prefer to keep the policy of > > > >>> giving a > > > >>>>>>> longer time to review the issues. I try to review important > issues > > > >>>>>> quickly, > > > >>>>>>> but the ones that I know are very low priority or won't be > fixed > > > >>> (e.g. > > > >>>>>> OOM) > > > >>>>>>> I leave for later. > > > >>>>>>> > > > >>>>>>> Cheers > > > >>>>>>> Bruno > > > >>>>>>> > > > >>>>>>> On Tue, 11 Oct 2022 at 09:01, Matt Sicker <bo...@gmail.com> > > > >> wrote: > > > >>>>>>> > > > >>>>>>>> I get emails about some of the Commons fuzzing things, but I > was > > > >>> only > > > >>>>>>>> aware of it being enabled for compress and imaging. > > > >>>>>>>> > > > >>>>>>>> On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner > > > >>>>>>>> <wa...@code-intelligence.com> wrote: > > > >>>>>>>>> > > > >>>>>>>>> Hi all, > > > >>>>>>>>> > > > >>>>>>>>> I am working for Code Intelligence we did our best to find a > > > >>>>>> maintainer > > > >>>>>>>> for > > > >>>>>>>>> the oss-fuzz project. Unfortunately we've got no feedback > > > >> until > > > >>> now, > > > >>>>>>> but > > > >>>>>>>> It > > > >>>>>>>>> seems to be an unmaintained project except for some typo > fixes > > > >>> since > > > >>>>>>> some > > > >>>>>>>>> years. I am not sure yet to which mailing list the bug report > > > >>> was > > > >>>>>> send > > > >>>>>>>> to, > > > >>>>>>>>> but I will check that information with the team. > > > >>>>>>>>> > > > >>>>>>>>> However, I am really happy that th > [message truncated...] > > -- > Dr. Khaled Yakdan > Co-Founder / Chief Scientist > Mobile: +491785866101 > > Code Intelligence GmbH > Rheinwerkallee 6 > D-53227 Bonn, Germany > https://www.code-intelligence.com > > Managing Directors: Sergej Dechand, Dr. Khaled Yakdan > Registered office and court of registry: Bonn, Germany, HRB 23408 > > Privacy policy: https://www.code-intelligence.com/privacy >
