Posted to issues@commons.apache.org by "Roman Wagner (Jira)" <ji...@apache.org> on 2022/10/10 14:26:00 UTC

[jira] [Comment Edited] (JXPATH-199) OSS-Fuzz Integration of JXPath

    [ https://issues.apache.org/jira/browse/JXPATH-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615136#comment-17615136 ] 

Roman Wagner edited comment on JXPATH-199 at 10/10/22 2:25 PM:
---------------------------------------------------------------

Hi [~schlm3] ,

good hint. For clarification: All issues are still valid and are not fixed. Stack overflows (e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40157]) are a special case, because if the environment has changed and the JVM is using less stack memory, the same crashing input will not lead to the crash anymore. Indeed, there was a change that decreased the stack memory usage of the fuzzer. Nevertheless, if the root cause of the stack overflow is not fixed, the fuzzer will be able to produce a new crashing input for the increased stack memory in a few seconds. That has already happened, but was not published by oss-fuzz yet since it tries to allow a responsible disclosure for all bugs, although it was the same issue. Some automation is still missing here, which definitively will be implemented in the future.

CVE-2022-40158 ([https://nvd.nist.gov/vuln/detail/CVE-2022-41852]) is still not fixed and is also not marked as fixed. It was re-opened in oss-fuzz and was not verified as fixed since then.


was (Author: JIRAUSER288041):
Hi [~schlm3] ,

good hint. For clarification: All issues are still valid and are not fixed. Stack overflows (e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40157]) are a special case, because if the environment has changed and the JVM is using less stack memory, the same crashing input will not lead to the crash anymore. Indeed, there was a change that decreased the stack memory usage of the fuzzer. Nevertheless, if the root cause of the stack overflow is not fixed, the fuzzer will be able to produce a new crashing input for the increased stack memory in a few seconds. That has already happened, but was not published by oss-fuzz yet since it tries to allow a responsible disclosure for all bugs.



CVE-2022-40158 ([https://nvd.nist.gov/vuln/detail/CVE-2022-41852]) is still not fixed and is also not marked as fixed. It was re-opened in oss-fuzz and was not verified as fixed since then.

> OSS-Fuzz Integration of JXPath
> ------------------------------
>
>                 Key: JXPATH-199
>                 URL: https://issues.apache.org/jira/browse/JXPATH-199
>             Project: Commons JXPath
>          Issue Type: Improvement
>            Reporter: Roman Wagner
>            Priority: Major
>
> Hi all,
> I have prepared the initial integration [https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/77378631c5593c7538193ecbff4f6edf8338ffe8] of JXPath into [google oss-fuzz|https://github.com/google/oss-fuzz]. This will enable continuous fuzzing of this project, which will be conducted by Google. Bugs that will be found by fuzzing will be reported to you. After the initial integration of this project into oss-fuzz, I will continue to add additional fuzz tests to improve the code coverage over time.
> The integration requires a primary contact, someone to deal with the bug reports submitted by oss-fuzz. The email address needs to belong to an established project committer and be associated with a Google account as per [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/]. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1 person can be included. Please let me know who I should include, if anyone.
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] is used for fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM. Jazzer has already found several bugs in JVM applications: [Jazzer Findings|https://github.com/CodeIntelligenceTesting/jazzer#findings]
> Please let me know if you have any questions regarding fuzzing or the oss-fuzz integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
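As an added illustration of the point made in the comment above about stack overflows (example code, not from the JXPath project or this thread), the following Java harness runs a constructed reproducer on threads with several explicit stack sizes: the unbounded recursive stand-in passes or fails depending purely on the stack size it happens to get, while a depth-bounded version fails in the same controlled way on every stack size, which is what a reviewer should see before marking such a report fixed. The recursive parser is hypothetical and stands in for the class of bug, not for JXPath's actual code.

```java
// Added example, not part of JXPath or the Jira thread: why a StackOverflowError
// reproducer depends on the JVM thread stack size, and how to check a fix without it.
import java.util.concurrent.atomic.AtomicReference;

public class StackOverflowRepro {
    // Hypothetical recursive-descent stand-in: counts nested '(' characters.
    // Unbounded recursion on attacker-controlled input is the root cause.
    static int nestingVulnerable(String s, int pos) {
        if (pos >= s.length() || s.charAt(pos) != '(') return 0;
        return 1 + nestingVulnerable(s, pos + 1);
    }

    static final int MAX_DEPTH = 512;

    // Hardened variant: same recursion with an explicit depth bound, so the failure
    // is a controlled exception on any JVM instead of a stack-size-dependent error.
    static int nestingBounded(String s, int pos, int depth) {
        if (depth > MAX_DEPTH) throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        if (pos >= s.length() || s.charAt(pos) != '(') return 0;
        return 1 + nestingBounded(s, pos + 1, depth + 1);
    }

    // Run the reproducer on a thread with a requested stack size (a hint the JVM may
    // round or ignore, so outcomes are reported, not assumed) and return the outcome.
    static String runWithStack(long stackBytes, Runnable r) throws InterruptedException {
        AtomicReference<String> outcome = new AtomicReference<>("ok");
        Thread t = new Thread(null, () -> {
            try { r.run(); }
            catch (StackOverflowError e) { outcome.set("StackOverflowError"); }
            catch (RuntimeException e) { outcome.set(e.getClass().getSimpleName()); }
        }, "repro", stackBytes);
        t.start();
        t.join();
        return outcome.get();
    }

    public static void main(String[] args) throws InterruptedException {
        String input = "(".repeat(20_000);  // constructed crashing input (Java 11+)
        for (long kb : new long[] {64, 256, 1024, 8192}) {
            System.out.printf("stack %5d KiB: vulnerable=%s bounded=%s%n", kb,
                runWithStack(kb * 1024, () -> nestingVulnerable(input, 0)),
                runWithStack(kb * 1024, () -> nestingBounded(input, 0, 0)));
        }
    }
}
```

The vulnerable column typically flips from StackOverflowError to ok as the stack grows, which is exactly why a reproducer that stops crashing after an environment change proves nothing; the bounded column stays IllegalArgumentException regardless of stack size.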