oss-sec mailing list archives
Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From: Solar Designer <solar () openwall com>
Date: Sun, 16 Jun 2019 16:47:30 +0200
On Sat, Jun 15, 2019 at 11:49:03AM -0400, Alex Gaynor wrote:
A test of a random ImageMagick vulnerability against Ubuntu Xenial shows that it, indeed, continues to reproduce. This is in addition to the >100 security bugs OSS-Fuzz found and publicly disclosed due to hitting their disclosure deadline, and which still have not been fixed [3].
Some people have interpreted this as implying there are ">100 security bugs OSS-Fuzz found and publicly disclosed [...], and which still have not been fixed" specifically in ImageMagick. However, at the link you referenced there are currently "only" 38 bugs specifically in ImageMagick, with the rest of the >100 being in other projects:
[3]: https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type%3DBug-Security+status%3ANew+label%3ADeadline-exceeded&colspec=ID+Type+Component+Status+Library+Reported+Summary+Modified&sort=-modified&groupby=&mode=grid&y=Proj&x=--&cells=ids&nobtn=Update
Alexander
Current thread:
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz, (continued)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Ian Zimmerman (Jun 21)
- Re: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz David A. Wheeler (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alan Coopersmith (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 16)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Solar Designer (Jun 16)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 17)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jakub Wilk (Jun 23)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Dmitry Vyukov (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Stuart D. Gathman (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)