jsnv-dev opened a new issue, #2431: URL: https://github.com/apache/orc/issues/2431
### Background

Following the recent [CVE-2025-47436](https://orc.apache.org/security/CVE-2025-47436/) heap buffer overflow vulnerability discovery and fix, I would like to propose integrating Apache ORC with the [OSS-Fuzz project](https://github.com/google/oss-fuzz) to help identify potential security vulnerabilities earlier through continuous fuzzing.

### Apache Projects Already Using OSS-Fuzz

Many Apache Software Foundation projects are already integrated with OSS-Fuzz, including:

- apache-axis2
- apache-commons-bcel
- apache-commons-beanutils
- apache-commons-cli
- apache-commons-codec
- apache-commons-collections
- apache-commons-compress
- apache-commons-configuration
- apache-commons-csv
- apache-commons-fileupload
- apache-commons-geometry
- apache-commons-imaging
- apache-commons-io
- apache-commons-jxpath
- apache-commons-lang
- apache-commons-logging
- apache-commons-math
- apache-commons-net
- apache-commons-text
- apache-commons-validator
- apache-cxf
- apache-doris
- apache-felix-dev
- apache-httpd
- apache-logging-log4cxx
- apache-poi

### Integration

I would prepare a pull request that adds:

1. Fuzzing harness to the Apache ORC repository
2. Integration configuration for the OSS-Fuzz project
3. Build scripts and related components

This proposal was previously discussed via email with @dongjoon-hyun, who suggested opening this issue for formal documentation before proceeding with the integration work.

I'm seeking formal approval from the Apache ORC PMC to proceed with the OSS-Fuzz integration. Once approved, I'll prepare the necessary pull requests for both the ORC and OSS-Fuzz repositories.

Thanks a lot!
