Hi,

I checked the first one with the clones of term attributes: There is no issue at all. It can't throw SecurityException in its super call: all superclasses are known. When doing a deep clone, it may throw runtime exceptions if the clone's original attribute is already broken, but this is totally expected.

The TokenStream API is known to throw unexpected runtime exceptions when the input text is broken, but IndexWriter and other classes can handle that. So there's no issue or security risk.

About the issues: This cryptic report is not helpful. I read the documentation of Google's Fuzzer but I am not willing to install hundreds of tools to parse the attached binary file. If Google wants this fixed, they should provide a bug report on the Lucene side and give useful information why the issue they saw is an issue. I am not willing to look into this without an explanation.

Uwe

On 12.09.2025 at 21:53, Dawid Weiss wrote:

Thank you David for taking the time to answer, please find below public links to those Sonatype.
I hope it helps.
sonatype-2025-002050: https://issues.oss-fuzz.com/issues/403330010
sonatype-2025-002284: https://issues.oss-fuzz.com/issues/407477665

Thanks but it doesn't help at all - that was my point. These are just some automated randomized injection tests that nobody followed up on. I'm surprised Sonatype flags these as vulnerabilities.

Dawid

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail: [email protected]
