oss-sec mailing list archives

Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

From: "Stuart D. Gathman" <stuart () gathman org>
Date: Mon, 24 Jun 2019 11:59:43 -0400 (EDT)

On Mon, 24 Jun 2019, Bob Friesenhahn wrote:

Most oss-fuzz issue detections are not CVE worthy. For example, a one-byteread "heap overflow" is not likely to cause any actual harm but oss-fuzzwould classify it as "heap overflow".


Nevertheless, it is a bug.  Fuzzers are amazing.  Going forward, the
best plan is for more projects to include fuzzing as part of the
build process testing.

Question: is fuzzing useful for languages like Java/python?  Obviously,

you eventually reach a native code module in both cases, but fuzzingthe entire virtual machine is cumbersome. Maybe native code libraries

for "safe" languages should include fuzzing as part of testing.

--
              Stuart D. Gathman <stuart () gathman org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Current thread:

Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz, (continued)
- - - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alan Coopersmith (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Solar Designer (Jun 16)
  - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 16)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Solar Designer (Jun 16)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Robert Watson (Jun 17)
  - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 17)
  - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jakub Wilk (Jun 23)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Marcus Meissner (Jun 17)
  - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Dmitry Vyukov (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Stuart D. Gathman (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Matthew Fernandez (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz David A. Wheeler (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Seth Arnold (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Matthew Fernandez (Jun 25)

(Thread continues...)