Comments (4)
DavidKorczynski
commented on June 2, 2024
I don't think this is an OSS-Fuzz issue as such because it seems specific to the upx-project integration (i.e. the build.sh is considered to be owned by the upstream project from an OSS-Fuzz perspective). It seems as a consequence of the integration being carried out by a 3rd party security researcher, similarly to described here: #11537 (comment)
Is there any chance you will be able to maintain the logic in https://github.com/google/oss-fuzz/tree/master/projects/upx @jreiser ? We could e.g. move as much logic as possible to upstream UPX so that you have direct access to adjusting the build/fuzz logic.
from oss-fuzz.
jreiser
commented on June 2, 2024
On 4/9/24 16:19, DavidKorczynski wrote:
I don't think this is an OSS-Fuzz issue as such because it seems
specific to the upx-project integration (i.e. the |build.sh| is
considered to be owned by the upstream project from an OSS-Fuzz
perspective). It seems as a consequence of the integration being carried
out by a 3rd party security researcher, similarly to described here:
#11537 (comment)
<#11537 (comment)>
Is there any chance you will be able to maintain the logic in
https://github.com/google/oss-fuzz/tree/master/projects/upx
<https://github.com/google/oss-fuzz/tree/master/projects/upx> @jreiser
<https://github.com/jreiser> ? We could e.g. move as much logic as
possible to upstream UPX so that you have direct access to adjusting the
build/fuzz logic.
Yes. Please give me commit access to the git source for
https://github.com/google/oss-fuzz/blob/master/projects/upx/build.sh
so that I can remove (beginning at line 18):
# Temporary fix for clang bug of upx
sed -i 's/ \&\& __clang_major__ < 15//m' /src/upx/src/util/util.cpp
git apply $SRC/upx/fuzzers/build.patch
which is no longer applicable, and fix other similar problems soonest.
I am displeased that so far it has taken 6 weeks to perform effective
**triage** on this issue, instead of a couple days or less.
The directions given to me said "file a bug report at OSS-fuzz"
if there are issues with fuzzing. OSS-fuzz dropped the ball by
not immediately re-directing my report to someone who could fix it
or enlist my help to get further information. LeviathanSecurity
dropped the ball by not monitoring its fuzzing projects daily.
Technology projects actually require **management**.
…--
John
—
Reply to this email directly, view it on GitHub
<#11639 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFC7ZTIZMUPHMFWOCZAMG6LY4RZRPAVCNFSM6AAAAABD2QQVIKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBWGE4DQMZSGA>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
from oss-fuzz.
jonathanmetzman
commented on June 2, 2024
Sorry this has been getting slow replies.
You can just submit a pull request to change https://github.com/google/oss-fuzz/blob/master/projects/upx/build.sh and we will merge it. If that seems too bureaucratic for you, you can change the dockerfile to use a build.sh from the upx repo.
from oss-fuzz.
jreiser
commented on June 2, 2024
Please approve and apply Pull Request:
#11896
…--
John
On 5/2/24 12:43, jonathanmetzman wrote:
Sorry this has been getting slow replies.
You can just submit a pull request to change
https://github.com/google/oss-fuzz/blob/master/projects/upx/build.sh
<https://github.com/google/oss-fuzz/blob/master/projects/upx/build.sh>
and we will merge it. If that seems too bureaucratic for you, you can
change the dockerfile to use a build.sh from the upx repo.
—
Reply to this email directly, view it on GitHub
<#11639 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFC7ZTPRETZZU323SN3UZ4DZAKJMTAVCNFSM6AAAAABD2QQVIKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJRGQYTSNBXGM>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
from oss-fuzz.
Related Issues (20)
- Timeout issue was incorrectly closed HOT 2
- Regression range should include OSS-Fuzz infrastructure changes HOT 4
- jcc: panic in CorrectMissingHeaders(), trying to copy a file that does not exist
- Fuzz targets seem to have started failing under MSan on CIFuzz HOT 16
- Improve OSS-Fuzz build status page HOT 2
- jcc: remove C-specific `-std=` flags when trying to compile as C++.
- Squash MSAN false positives HOT 9
- Project owners need some way to mark bugs as false positives HOT 3
- Understanding inconsistent coverage reports HOT 5
- Project owners need some way to adjust severity of OSS-Fuzz reports
- Better pre-commit monitoring for MSan false positives
- Minimizing timeout test cases HOT 2
- mpv: Runners seems to be stuck HOT 4
- Centipede not enabled by default on ClusterFuzz HOT 1
- Include total line information in summary.json for JVM HOT 2
- [RFC] Introducing Ruby Support to OSS-Fuzz via Ruzzy HOT 1
- Suggestion to add a note in documentation about LLVMFuzzerTestOneInput return value support by Honggfuzz.
- Suricata fixed bug does not get closed
- abseil/absl missing from Docker image when trying to use FUZZ_TEST icw autotools HOT 2
- Is OSS-fuzz wasting its time? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oss-fuzz.