New OSS-Fuzz Findings in Jettison
Closed this issue · 10 comments
Dear Jettison maintainers,
Multiple bugs were found during fuzzing by Jazzer in Jettison, for example [Out of memory and Stackoverflow]. We would like to provide you with access to the bugs at Google OSS-Fuzz before they get publicly disclosed.
What do we need from you?
We need an email address that is associated with a Google Account as per Accepting new projects. In the past we have already contacted you during the onboarding of your project, but the request was rejected or no email was shared with us.
What do you get by sharing your email address?
When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. Each finding will have a crashing input that you can use to easily reproduce the bug.
Attention: All bug details will be made public automatically after the 90-day deadline has been exceeded or after the fix is released. For projects without maintainers we will do our best to support the disclosure process. Depending on our resources, we will try to create an issue for every bug in your public issue tracker. In addition, we will request CVEs for security-related vulnerabilities.
Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.
Thank you for reading, and I hope to hear from you soon!
Dear Jettison maintainers,
This is a friendly reminder: are you interested in onboarding to the OSS-Fuzz platform?
If we cannot get maintainers from your project, we will do our best to disclose the issues to the community and also request CVEs for security-related vulnerabilities.
Thank you and hope to hear from you soon!
@henryrneh will the bug details be made open to the community?
Yes, if the issue is fixed or exceeds the 90-day limit, it will be released to the community.
For now there are 2 issues open for Jettison:
CVE-2022-40149
Stackoverflow
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
CVE-2022-40150
Out of memory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549
The crashing input and stack trace can be found at the links above.
Hi @henryrneh, Jettison 1.5.1 is now released, which should have fixes for both of these findings. Is it possible for you to validate the fixes, please?
Hello @coheigea,
The stack overflow issue CVE-2022-40149 has been fixed in Jettison 1.5.1.
But the out-of-memory issue CVE-2022-40150 is still not fixed in the newest release of Jettison.
If you would like the reproducer for the out-of-memory issue, please let me know. Thanks.
Hi @henryrneh, yes, can you share it with me please? I fixed two test cases for 1.5.1 that caused OOM, as can be seen in https://github.com/jettison-json/jettison/pull/49/files
Thank you for your fixes.
This is the zip for reproducing the issue. Please have a look and let me know if you have any questions.
Hi @henryrneh, we've released 1.5.2. Can you try your test case again with this release, please?
Dear @coheigea, I was on a long vacation and only recently had time to check. I verified against Jettison's master branch and it looks like this issue is fixed. I will request an update of the fixed-version field for CVE-2022-40149 and CVE-2022-40150. Thank you for the quick fixes and feedback!
Thanks @henryrneh for confirming.