Hi,
Maybe the issue is about the following, but I have no idea how Fuzzing
can create that! There may be an issue if people provide a custom
subclass of CharTermAttributeImpl (which is not final in contrast to the
other attributes), but this may be fixed by making the
CharTermAttributeImpl class sealed (there are many other classes we may
need to change to sealed) - but not for security reasons, more to help
Hotspot optimize (to explicitly tell it that there are no
The other attributes are already final, just CharTermAttributeImpl is
not, because there's a subclass. I can provide a PR for that. I have a
few plans to make further classes sealed (e.g., MemorySegmentIndexInput
is abstract but should only have 2 subclasses, so it can be sealed, too
- it's not critical there as it's package protected, but for Hotspot it
may help).
Uwe
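As an added illustration of the sealing discussed above (a constructed mock, not Lucene's code: the subclass name PackedTokenAttributeImpl mirrors Lucene's, the buffer handling is simplified, and the demo class name is assumed), a sealed attribute base class whose permitted subclasses are fixed at compile time, with a deep clone() that only ever runs through known superclasses:

```java
import java.util.Arrays;

// Constructed mock, not Lucene's implementation. Run with: java SealedAttributeDemo.java
public class SealedAttributeDemo {
    public static void main(String[] args) {
        PackedTokenAttributeImpl a = new PackedTokenAttributeImpl();
        a.setTerm("lucene");
        a.startOffset = 0; a.endOffset = 6;
        PackedTokenAttributeImpl b = (PackedTokenAttributeImpl) a.clone();
        a.setTerm("xxxxxx");                 // mutate the original after cloning
        System.out.println(b.term());        // the clone kept its own buffer, so it is unaffected
        // Reflection shows the hierarchy is closed: only the listed classes can extend it.
        System.out.println(CharTermAttributeImpl.class.isSealed());
        System.out.println(Arrays.toString(CharTermAttributeImpl.class.getPermittedSubclasses()));
        // Any `class Foo extends CharTermAttributeImpl` outside the permits list fails to compile.
    }
}

// `sealed ... permits` closes the hierarchy: the JIT (and the reader) know every runtime type.
sealed class CharTermAttributeImpl implements Cloneable permits PackedTokenAttributeImpl {
    protected char[] termBuffer = new char[16];
    protected int termLength;

    void setTerm(String s) {
        if (s.length() > termBuffer.length) termBuffer = Arrays.copyOf(termBuffer, s.length());
        s.getChars(0, s.length(), termBuffer, 0);
        termLength = s.length();
    }

    String term() { return new String(termBuffer, 0, termLength); }

    @Override
    public CharTermAttributeImpl clone() {
        try {
            CharTermAttributeImpl copy = (CharTermAttributeImpl) super.clone();
            copy.termBuffer = termBuffer.clone();   // deep copy: clone must not share the buffer
            return copy;
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e);            // unreachable: Cloneable is implemented
        }
    }
}

// The single permitted subclass; `final` keeps the hierarchy closed below it as well.
final class PackedTokenAttributeImpl extends CharTermAttributeImpl {
    int startOffset, endOffset;
}
```

Requires Java 17 or newer for `sealed`/`permits` and `Class.isSealed()`.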
On 14.09.2025 at 16:01, Uwe Schindler wrote:
Hi,
I checked the first one with the clones of term attributes: There is
no issue at all. It can't throw SecurityException in its super call:
all superclasses are known. When doing a deep clone, it may throw
runtime exceptions if the clone's original attribute is already
broken, but this is totally expected.
The TokenStream API is known to throw unexpected runtime exceptions
when the input text is broken, but IndexWriter and other classes can
handle that. So there's no issue or security risk.
About the issues: This cryptic report is not helpful. I read the
documentation of Google's Fuzzer but I am not willing to install
hundreds of tools to parse the attached binary file. If Google wants
this fixed, they should provide a bug report on the Lucene side and
give useful information why the issue they saw is an issue. I am not
willing to look into this without an explanation.
Uwe
On 12.09.2025 at 21:53, Dawid Weiss wrote:
Thank you David for taking the time to answer, please find below public
links to those Sonatype.
I hope it helps.
sonatype-2025-002050: https://issues.oss-fuzz.com/issues/403330010
sonatype-2025-002284: https://issues.oss-fuzz.com/issues/407477665
Thanks but it doesn't help at all - that was my point. These are just
some automated randomized injection tests that
nobody followed up on. I'm surprised Sonatype flags these as
vulnerabilities.
Dawid
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail: [email protected]