
fix: triage and create issues for fuzzer findings (April 2024 edition)

Open terriko opened this issue 10 months ago • 5 comments

  • related: #3800

We've added a bunch of new fuzzers so it's time to go through our fuzzing findings again!

You can see the jobs that ran here: https://github.com/intel/cve-bin-tool/actions/workflows/fuzzing.yml

The ones of interest here are likely the ones that failed in less than an hour (all of our fuzzing jobs give up after an hour and will be marked as failed by GitHub Actions as a result).

Steps:

  1. Find a fuzzer run with an interesting failure in the list: https://github.com/intel/cve-bin-tool/actions/workflows/fuzzing.yml
  2. File an issue with an appropriate snippet of the log showing what the failure was. (We don't have a fuzz issue template yet, but you can use a bug template or a blank one.)
  3. (Optional) Make a PR to fix the issue.

Since a lot of these fuzzers are pretty new, I expect a lot of the issues found will be fairly basic data validation issues right now, but you never know -- you might find a real security issue!

terriko, Apr 17 '24 23:04

Hello @terriko I would like to take this up.

joydeep049, Apr 18 '24 04:04

@joydeep049 have fun! There's enough interesting-looking stuff in there at a glance that probably more than one person could work on this, so you might want to file an issue saying which one you're investigating as described above.

terriko, Apr 18 '24 15:04

@terriko You're right this is so much fun! I already filed some issues related to it!

joydeep049, Apr 18 '24 18:04

[Screenshot: 20 04 2024_15 59 24_REC]

This is another problem that I encountered while analysing the fuzz report: https://github.com/intel/cve-bin-tool/actions/runs/7955755310

Is this one worth filing? Because this problem wasn't encountered in any other report. Network issue maybe??? @terriko @anthonyharrison

joydeep049, Apr 20 '24 10:04

[Screenshot: 20 04 2024_16 01 46_REC]

This UNABLE TO OPEN DATABASE problem occurred in a few reports. Source: https://github.com/intel/cve-bin-tool/actions/runs/7780736331

Is this also a network error or something worth looking at? @terriko @anthonyharrison

joydeep049, Apr 20 '24 10:04

We're currently caught up on fuzzer results, but some of that was because an upgrade had broken what we were doing. The fix in #4312 should have us getting new results soon, but I'm going to close this and open a new issue to revisit things in September 2024 when at least a few of the fuzzers have run again.

terriko, Aug 08 '24 20:08