
oss-fuzz-vulns's Introduction

OSS-Fuzz vulnerabilities

This is a repo for recording disclosed OSS-Fuzz vulnerabilities, and acts as the source of truth for OSS-Fuzz vulnerabilities in OSV.

Each OSS-Fuzz vulnerability has precise impacted version and commit version information added by OSV.

Users may submit PRs to update any information here.

Format spec

The format is described here.

Automation

Vulnerabilities undergo automated bisection and repository analysis as part of OSV to determine the affected commit ranges and versions. They are then automatically imported in this repository.

Any user changes to vulnerability files in this repository will trigger a re-analysis by OSV within a few minutes (example change, re-analysis).

OSV will also regularly recompute affected versions and detect cherry picks across different branches for each vulnerability (example).

OSV also provides an API to let users easily query this information.

Missing entries

An OSS-Fuzz vulnerability may be missing here for a few reasons.

The automated bisection failed

Sometimes the bisection is unable to resolve the introduced and fixed ranges to an acceptably small range. In these cases, we opt to keep the database higher quality and avoid showing such results by default.

Failure cases are recorded at the public GCS bucket gs://oss-fuzz-osv-vulns. You may use the script scripts/import.py to import any existing details about these failed vulnerabilities.

$ python scripts/import.py <oss-fuzz issue ID>

Any missing details may be filled in manually and submitted as part of a PR to this repo. See this example.

The bug was not marked as security by OSS-Fuzz

We only include bugs that are marked as security by OSS-Fuzz. If you are a project maintainer, you may edit the security flag on the corresponding testcase details page. Marking a bug as security will automatically cause it to be fed into OSV, if the bug is reliably reproducible.

Removing an entry

If a vulnerability in this repository is not considered a security vulnerability, it may be removed by submitting a PR to add a withdrawn field to the relevant entry.

oss-fuzz-vulns's People

Contributors

evverx, inferno-chromium, jsegitz, oliverchang, osv-robot, radarhere, rlohning, tbeu, tobiasbrunner


oss-fuzz-vulns's Issues

False Positive on arrow vs. pyarrow

I'm not sure where the right place is to raise this issue, but there is a fixed vulnerability incorrectly attributed to all versions of the wrong package, arrow-py/arrow (arrow). The correct package is apache/arrow (pyarrow).

See the report of the false positive here: https://deps.dev/advisory/osv/OSV-2021-1565 which links from:

modified: '2022-04-13T03:04:32.061851Z'
published: '2021-11-12T00:00:22.286310Z'
references:
- type: REPORT
  url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40902
affected:
- package:
    name: arrow
    ecosystem: OSS-Fuzz

In pyarrow, this vulnerability has already been fixed in: apache/arrow@3abab2e...641554b (linked from: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40902#c6)

Fixing commit from OSV-2021-237 seems wrong

Hi

- fixed: 0bd6877f480a84657696a80adc13f9c5485dd996

references a fixing commit which, though, only removes a documentation snippet. Unless my bisect is wrong, the following should be the fixing commit:

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25

git bisect start '--term-old' 'broken' '--term-new' 'fixed'
# broken: [45e765e59a45b46dcb05e8c729689a7c0574a48c] Fix some warnings caused by the gs FS api commit.
git bisect broken 45e765e59a45b46dcb05e8c729689a7c0574a48c
# fixed: [068172a75a11b6b26e25696eb49241e4ddf4fbc6] Dates and product string for 9.55.0 release
git bisect fixed 068172a75a11b6b26e25696eb49241e4ddf4fbc6
# broken: [35f6a9d9e2838069b5ba250cf26d016bc5ad3635] GPDL whitespace fixes.
git bisect broken 35f6a9d9e2838069b5ba250cf26d016bc5ad3635
# fixed: [331fcb49b62a615976711cccdd3ff9796152a323] Fix bug 703245: bitmap size exceeds buffer.
git bisect fixed 331fcb49b62a615976711cccdd3ff9796152a323
# broken: [3abfca2a925427962ed644872057f75c44afc0d8] Fix memory leak in pcl pdfmark implementation
git bisect broken 3abfca2a925427962ed644872057f75c44afc0d8
# broken: [fec1090d129630c23f425c6aae5a4a1308a973da] LGTM: Rejig s_A85E_process for goto's.
git bisect broken fec1090d129630c23f425c6aae5a4a1308a973da
# broken: [054d35268592bba2434dffdb3b36e4ad224adcf0] Guard against indirect /Length in an XRef stream
git bisect broken 054d35268592bba2434dffdb3b36e4ad224adcf0
# broken: [6f6c88f92f98d0f8340c29201c7536ec1a521efd] Sort tifftop.c dependency on jpeg headers
git bisect broken 6f6c88f92f98d0f8340c29201c7536ec1a521efd
# fixed: [0ca4ae94020a1e3b48c337759ccb9fc0b3af61ec] Bug 702910: Fix mkromfs for THREADSAFE build
git bisect fixed 0ca4ae94020a1e3b48c337759ccb9fc0b3af61ec
# broken: [b5e44d6709642727ee524cccd2b5ab09f2e48572] oss-fuzz 30795: handle remap_color failure in clist_begin_typed_image
git bisect broken b5e44d6709642727ee524cccd2b5ab09f2e48572
# fixed: [180419375973b9ce4664286a67106d712260ef7f] Remove .setpdfwrite from the documentation
git bisect fixed 180419375973b9ce4664286a67106d712260ef7f
# broken: [ea1624205c8e1ca936bd38a6095a0dd1880e7287] Fix hang condition detected on Windows release build.
git bisect broken ea1624205c8e1ca936bd38a6095a0dd1880e7287
# fixed: [7861fcad13c497728189feafb41cd57b5b50ea25] oss-fuzz 30715: Check stack limits after function evaluation.
git bisect fixed 7861fcad13c497728189feafb41cd57b5b50ea25
# first fixed commit: [7861fcad13c497728189feafb41cd57b5b50ea25] oss-fuzz 30715: Check stack limits after function evaluation.

Code of the automated bisection

Hi
I want to try some work involving the automated bisection for evaluation. Could you share the code of the automated bisection?
Thanks!

`scripts/import.py` fails to extract package names

It seems the script fails to extract package names from json entries from https://oss-fuzz-osv-vulns.storage.googleapis.com/issue/*.json:

Traceback (most recent call last):
  File "/home/vagrant/oss-fuzz-vulns/./scripts/import.py", line 54, in <module>
    main()
  File "/home/vagrant/oss-fuzz-vulns/./scripts/import.py", line 42, in main
    project_name = data['package']['name']
KeyError: 'package'

and it appears to have something to do with https://ossf.github.io/osv-schema/#change-log where package was moved to the affected array. I "fixed" it with

diff --git a/scripts/import.py b/scripts/import.py
index 9a982331..8d71f984 100644
--- a/scripts/import.py
+++ b/scripts/import.py
@@ -39,7 +39,7 @@ def main():
     return

   data = json.loads(data)
-  project_name = data['package']['name']
+  project_name = data['affected'][0]['package']['name']
   project_dir = os.path.join(_ROOT_DIR, 'vulns', project_name)
   os.makedirs(project_dir, exist_ok=True)
   vuln_path = os.path.join(project_dir, issue_id + '.yaml')
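Review bot: `project_name = data['affected'][0]['package']['name']` hard-codes the first element of `affected`, so an entry whose first affected package belongs to another ecosystem would be filed under the wrong project directory, and an entry in the old layout (top-level `package`, no `affected` key) now fails with `KeyError: 'affected'` instead of the original `KeyError: 'package'`. Iterate over `data.get('affected', [])` and pick the package whose `ecosystem` is `OSS-Fuzz`, falling back to the top-level `package` when it is present.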

but as far as I understand in general it should iterate over the affected array and look for the OSS-Fuzz ecosystem somewhere along the way if schema_version is new enough or something like that.
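The lookup described in this issue (and the input format `scripts/import.py` reads from the GCS bucket, as the README's "Missing entries" section describes), written out as an added example rather than the repository's own script: it accepts both the old top-level `package` layout and the current `affected` array, and selects the OSS-Fuzz entry instead of `affected[0]`. The sample records and the `ecosystem` key in the old layout are constructed assumptions.

```python
import json

# Constructed sample records (not real OSS-Fuzz data): one in the old layout
# with a top-level "package", one in the current layout with an "affected"
# array where the OSS-Fuzz package is not the first element, and one with no
# OSS-Fuzz package at all.
OLD_LAYOUT = json.dumps({
    "id": "OSV-EXAMPLE-0001",
    "package": {"name": "libexample", "ecosystem": "OSS-Fuzz"},
})
NEW_LAYOUT = json.dumps({
    "id": "OSV-EXAMPLE-0002",
    "schema_version": "1.3.0",
    "affected": [
        {"package": {"name": "example-py", "ecosystem": "PyPI"}},
        {"package": {"name": "libexample", "ecosystem": "OSS-Fuzz"}},
    ],
})
NO_OSS_FUZZ = json.dumps({
    "id": "OSV-EXAMPLE-0003",
    "affected": [{"package": {"name": "example-py", "ecosystem": "PyPI"}}],
})


def oss_fuzz_project_name(raw_json: str) -> str:
    """Return the OSS-Fuzz project name recorded in an OSV entry.

    Prefers the "affected" array (current schema) and picks the entry whose
    ecosystem is OSS-Fuzz; falls back to the old top-level "package" object.
    Raises ValueError when neither layout names an OSS-Fuzz package, so the
    caller cannot silently file the entry under the wrong project directory.
    """
    data = json.loads(raw_json)

    # Current schema: "affected" is a list of {package, ranges, ...} objects.
    for affected in data.get("affected", []):
        package = affected.get("package", {})
        if package.get("ecosystem") == "OSS-Fuzz":
            return package["name"]

    # Old schema: a single top-level "package"; the ecosystem key is assumed
    # optional there, so a missing key is treated as OSS-Fuzz.
    package = data.get("package")
    if package and package.get("ecosystem", "OSS-Fuzz") == "OSS-Fuzz":
        return package["name"]

    raise ValueError(f"{data.get('id', '<unknown>')}: no OSS-Fuzz package found")
```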

OSV-2021-1549 fix commit is incorrect

The fix commit for OSV-2021-1549 seems to be incorrect. It claims the issue was fixed in google/gson@b0595c5.

Unfortunately I don't have access to the detailed OSS-Fuzz report, but when I run it locally I get a StackOverflowError which also seems to match what you might expect from the reproducer test case (large number of nested [).

I am not completely sure why OSS-Fuzz thought commit b0595c5 fixes this issue, because I am still seeing a StackOverflowError with that commit (unless my local OSS-Fuzz setup is incorrect). Maybe the changed line numbers in the stack trace (700 to 701) confused it. The real fix for this is most likely google/gson@2d01d6a, which also fixed similar OSS-Fuzz issues:

Removing entries

According to https://github.com/google/oss-fuzz-vulns#removing-an-entry

If a vulnerability in this repository is not considered a security vulnerability, it may be removed by submitting a PR to delete the corresponding files.

I think it should be possible to remove entries like that once and for all if necessary but given that links to OSV entries pop up in various places as soon as they end up in the OSV database I think it would be better to add the "withdrawn" field instead. My guess would be that it had been written before the "withdrawn" field was added to the specification.

OSV-2020-2324.yaml has incorrect introduced & fixed attributes

OSV-2020-2324.yaml has incorrect introduced & fixed attributes.

The original oss-fuzz Issue 21048 includes this information:

Regressed: https://oss-fuzz.com/revisions?job=honggfuzz_asan_libarchive&range=202003020328:202003030327
ClusterFuzz testcase 5688058864467968 is verified as fixed in https://oss-fuzz.com/revisions?job=honggfuzz_asan_libarchive&range=202003050329:202003060336

However, both of those links go to the same commit: f001f3b0e6a66a7eb989ed3783791c0316831202

Based on the commit message (and the dates of the oss-fuzz issue), the likely regression is this commit: d84ec3fbc21ff943b4c742ec141de30efc8bd769

This means this issue was a very short-lived regression, and it did not ever ship.

OSV-2021-557.yaml has incorrect fixed attribute

OSV-2021-557.yaml has incorrect fixed attribute.

TL;DR:

  • Change fixed commit to: 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
  • Remove 3.5.3 from the list of affected versions as it contains the fix.

Details:

Currently the fixed attribute claims this was resolved by this commit, which has nothing to do with libarchive: 56c920eab3352f7877ee0cf9e472c1ab376c7e3e

Based on some research, the actual fix was made in libarchive/libarchive#1491 which landed in: 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f

However, this fix was also cherry-picked to v3.5.3 in: 05591dd516aa454e6d37fc55a2facac5f91355eb

So v3.5.3 should also be removed from affected versions.

Finally, note that libarchive/libarchive#1492 and libarchive/libarchive#1493 are both closely related, and they were both cherry-picked into v3.5.3.

[uwebsockets] OSV-2021-453.yaml seems wrong

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/uwebsockets/OSV-2021-453.yaml

The version range is from v19 to v20.8. This makes no sense since the issue does not reproduce in v20.8. The fixed commit is not in master branch, it has been reset (probably because a better fix replaced it) yet OSS-Fuzz links to that commit and still considers latest version v20.8 broken.

I can't trigger the issue on OSS-Fuzz "dashboard" and now some other company has created a CVE which claims version v19 to v20.8 is broken with a high severity issue which is not the case.

How to fix this?
