Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: triage and create issues for fuzzer findings (April 2024 edition) #4045

Closed
terriko opened this issue Apr 17, 2024 · 6 comments
Closed

fix: triage and create issues for fuzzer findings (April 2024 edition) #4045

terriko opened this issue Apr 17, 2024 · 6 comments
Labels
security public security-related issues.
Milestone
3.4

Comments

@terriko
Copy link
Contributor

terriko commented Apr 17, 2024

We've added a bunch of new fuzzers so it's time to go through our fuzzing findings again!

You can see the jobs that ran here:
https://github.com/intel/cve-bin-tool/actions/workflows/fuzzing.yml

The ones of interest here are likely the ones that failed in less than an hour (all of our fuzzing jobs give up after an hour and will be marked as failed by github actions as a result).

Steps:

  1. Find a fuzzer run with an interesting failure in the list: https://github.com/intel/cve-bin-tool/actions/workflows/fuzzing.yml
  2. File an issue with an appropriate snippet of the log showing what the failure was. (We don't have a fuzz issue template yet, but you can use a bug template or a blank one.)
  3. (Optional) Make a PR to fix the issue.

Since a lot of these fuzzers are pretty new, I expect a lot of the issues found will be fairly basic data validation issues right now, but you never know -- you might find a real security issue!
@terriko terriko added the security public security-related issues. label Apr 17, 2024
@terriko terriko added this to the 3.3.1 milestone Apr 17, 2024
@joydeep049
Copy link
Contributor

Hello @terriko
I would like to take this up.

@terriko
Copy link
Contributor Author

terriko commented Apr 18, 2024

@joydeep049 have fun! there's enough interesting-looking stuff in there at a glance that probably more than one person could work on this, so you might wnat to file an issue saying which one you're investigating as described above.

@joydeep049
Copy link
Contributor

@terriko You're right this is so much fun!
I already filed some issues related to it!

This was referenced Apr 18, 2024
Closed
Closed
Open
@joydeep049
Copy link
Contributor

20 04 2024_15 59 24_REC
This is another problem that I encountered while analysing fuzz report https://github.com/intel/cve-bin-tool/actions/runs/7955755310
Is this one worth filing? Because this problem wasnt encountered in any other report.
Network Issue maybe???
@terriko @anthonyharrison

@joydeep049
Copy link
Contributor

20 04 2024_16 01 46_REC
This UNABLE TO OPEN DATABASE problem occurred in a few reports.
Source: https://github.com/intel/cve-bin-tool/actions/runs/7780736331
Is this also a network error or something worth looking at?
@terriko @anthonyharrison

@terriko terriko mentioned this issue Jul 16, 2024
Open
@terriko
Copy link
Contributor Author

terriko commented Aug 8, 2024

We're currently caught up on fuzzer results, but some of that was because an upgrade had broken what we were doing. The fix in #4312 should have us getting new results soon, but I'm going to close this and open a new issue to revisit things in September 2024 when at least a few of the fuzzers have run again.

@terriko terriko closed this as completed Aug 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security public security-related issues.
Projects
None yet
Milestone
3.4
Development

No branches or pull requests
2 participants
@terriko @joydeep049