[
https://issues.apache.org/jira/browse/JXPATH-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615136#comment-17615136
]
Roman Wagner edited comment on JXPATH-199 at 10/10/22 2:26 PM:
---------------------------------------------------------------
Hi [~schlm3] ,
That's a good hint. For clarification: all issues are still valid and are not
fixed. Stack overflows (e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40157])
are a special case, because if the environment has changed and the JVM is using
less stack memory, the same crashing input will not lead to the crash anymore.
Indeed, there was a change that decreased the stack memory usage of the fuzzer.
Nevertheless, if the root cause of the stack overflow is not fixed, the fuzzer
will be able to produce a new crashing input for the increased stack memory in
a few seconds. That has already happened, but was not published by oss-fuzz yet,
since it tries to allow a responsible disclosure for all bugs, although it was
the same issue. Some automation is still missing here, which will definitely
be implemented in the future.
CVE-2022-40158 ([https://nvd.nist.gov/vuln/detail/CVE-2022-41852]) is still not
fixed and is also not marked as fixed. It was re-opened in oss-fuzz and has not
been verified as fixed since then.
was (Author: JIRAUSER288041):
Hi [~schlm3] ,
good hint. For clarification: all issues are still valid and are not fixed.
Stack overflows (e.g. [https://nvd.nist.gov/vuln/detail/CVE-2022-40157]) are a
special case, because if the environment has changed and the JVM is using less
stack memory, the same crashing input will not lead to the crash anymore.
Indeed, there was a change that decreased the stack memory usage of the fuzzer.
Nevertheless, if the root cause of the stack overflow is not fixed, the fuzzer
will be able to produce a new crashing input for the increased stack memory in
a few seconds. That has already happened, but was not published by oss-fuzz yet,
since it tries to allow a responsible disclosure for all bugs, although it was
the same issue. Some automation is still missing here, which will definitely
be implemented in the future.
CVE-2022-40158 ([https://nvd.nist.gov/vuln/detail/CVE-2022-41852]) is still not
fixed and is also not marked as fixed. It was re-opened in oss-fuzz and has not
been verified as fixed since then.
> OSS-Fuzz Integration of JXPath
> ------------------------------
>
> Key: JXPATH-199
> URL: https://issues.apache.org/jira/browse/JXPATH-199
> Project: Commons JXPath
> Issue Type: Improvement
> Reporter: Roman Wagner
> Priority: Major
>
> Hi all,
> I have prepared the initial integration
> [https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/77378631c5593c7538193ecbff4f6edf8338ffe8]
> of JXPath into [google oss-fuzz|https://github.com/google/oss-fuzz]. This
> will enable continuous fuzzing of this project, which will be conducted by
> Google. Bugs that will be found by fuzzing will be reported to you. After the
> initial integration of this project into oss-fuzz, I will continue to add
> additional fuzz tests to improve the code coverage over time.
> The integration requires a primary contact, someone to deal with the bug
> reports submitted by oss-fuzz. The email address needs to belong to an
> established project committer and be associated with a Google account as per
> [here|https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/].
> When a bug is found, you will receive an email that will provide you with
> access to ClusterFuzz, crash reports, and fuzzer statistics. More than 1
> person can be included. Please let me know who I should include, if anyone.
> [Jazzer|https://github.com/CodeIntelligenceTesting/jazzer] is used for
> fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for
> the JVM platform developed by Code Intelligence. It is based on libFuzzer and
> brings many of its instrumentation-powered mutation features to the JVM.
> Jazzer has already found several bugs in JVM applications: [Jazzer
> Findings|https://github.com/CodeIntelligenceTesting/jazzer#findings]
> Please let me know if you have any questions regarding fuzzing or the
> oss-fuzz integration.
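As an added illustration of the kind of fuzz test the integration described above adds (example code, not taken from the linked OSS-Fuzz commit or from the JXPath project), the following Jazzer fuzz target evaluates fuzzer-generated XPath expressions against a small constructed object graph. The class name, the sample bean and the decision to swallow only `JXPathException` are assumptions; the comment on `-Xss` restates the point made in the comment above about stack-overflow reproducibility.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathException;

import java.util.HashMap;
import java.util.Map;

// Hypothetical Jazzer fuzz target for Commons JXPath (added example, not the project's code).
// Jazzer calls fuzzerTestOneInput repeatedly with mutated input; the class is compiled
// against jazzer-api and commons-jxpath and started through the jazzer launcher.
public class JXPathFuzzer {

    // Constructed sample object graph that the generated expressions are evaluated against.
    private static final Map<String, Object> ROOT = new HashMap<>();
    static {
        Map<String, Object> inner = new HashMap<>();
        inner.put("name", "fuzz");
        inner.put("count", 3);
        ROOT.put("child", inner);
        ROOT.put("items", new int[] {1, 2, 3});
    }

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Lenient mode turns "no such node" into a null result instead of an exception,
        // so the fuzzer keeps exploring the evaluator instead of stopping at trivial misses.
        boolean lenient = data.consumeBoolean();
        String xpath = data.consumeRemainingAsString();

        JXPathContext ctx = JXPathContext.newContext(ROOT);
        ctx.setLenient(lenient);
        try {
            ctx.getValue(xpath);
        } catch (JXPathException expected) {
            // Malformed or unsupported expressions are a documented outcome, not a bug.
        }
        // Anything else (StackOverflowError, NullPointerException, ClassCastException, ...)
        // propagates and is reported by Jazzer as a finding. StackOverflowError is deliberately
        // not caught: the nesting depth that triggers it depends on the thread stack size
        // (-Xss), which is why a crashing input may stop reproducing once the JVM
        // configuration changes while the root cause is still present.
    }
}
```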
--
This message was sent by Atlassian Jira
(v8.20.10#820010)