oss-security - Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Mon, 24 Jun 2019 11:59:43 -0400 (EDT)
From: "Stuart D. Gathman" <stuart@...hman.org>
To: oss-security@...ts.openwall.com
Subject: Re: Thousands of vulnerabilities, almost no CVEs:
 OSS-Fuzz

On Mon, 24 Jun 2019, Bob Friesenhahn wrote:

> Most oss-fuzz issue detections are not CVE worthy.  For example, a one-byte 
> read "heap overflow" is not likely to cause any actual harm but oss-fuzz 
> would classify it as "heap overflow".

Nevertheless, it is a bug.  Fuzzers are amazing.  Going forward, the
best plan is for more projects to include fuzzing as part of the
build process testing.

Question: is fuzzing useful for languages like Java/python?  Obviously,
you eventually reach a native code module in both cases, but fuzzing 
the entire virtual machine is cumbersome.  Maybe native code libraries
for "safe" languages should include fuzzing as part of testing.

-- 
 	      Stuart D. Gathman <stuart@...hman.org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.