Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 16 Jun 2019 16:47:30 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

On Sat, Jun 15, 2019 at 11:49:03AM -0400, Alex Gaynor wrote:
> A test of a random ImageMagick vulnerability against Ubuntu Xenial shows
> that it, indeed, continues to reproduce.
> 
> This is in addition to the >100 security bugs OSS-Fuzz found and publicly
> disclosed due to hitting their disclosure deadline, and which still have
> not been fixed [3].

Some people have interpreted this as implying there are ">100 security
bugs OSS-Fuzz found and publicly disclosed [...], and which still have
not been fixed" specifically in ImageMagick.  However, at the link you
referenced there are currently "only" 38 bugs specifically in
ImageMagick, with the rest of the >100 being in other projects:

> [3]:
> https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type%3DBug-Security+status%3ANew+label%3ADeadline-exceeded&colspec=ID+Type+Component+Status+Library+Reported+Summary+Modified&sort=-modified&groupby=&mode=grid&y=Proj&x=--&cells=ids&nobtn=Update

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.