oss-sec mailing list archives

Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Tue, 25 Jun 2019 09:51:02 -0500 (CDT)

On Tue, 25 Jun 2019, Matthew Fernandez wrote:

I’m probably telling you things you already know and it sounds likeyou don’t consider such issues worth addressing, but I just wantedto point out that these are not theoretical. These cause realproblems for users and, for open source software, you may not havefull control over what toolchain/flags users build your code with.

I think that almost all bugs are issues worth addressing givensufficent resources available to address them. The issue discussed iswhat proportion of bugs discovered via automated testing and claimedto be "security" issues based on computer analysis are exploitablevulnerabilities which deserve a CVE.

A good point has been made that Linux heap memory allocation behaviormay be very different than other OSs and that behavior can also behardware-specific.


Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

Current thread:

Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz, (continued)
- - - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Seth Arnold (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Matthew Fernandez (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jeff Law (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Pascal Cuoq (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jeff Law (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jeffrey Walton (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Florian Weimer (Jun 25)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Martin Carpenter (Jun 26)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)
    - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz John Haxby (Jun 24)