file - reporting potential security vulnerabilities

[inferno-chromium]

@zoulasc @rrthomas

Our OSS-Fuzz fuzzing effort (https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html) has located 3 security vulnerabilities in file using the fuzz target we developed.
https://clusterfuzz-external.appspot.com/v2/testcases?job=libfuzzer_asan_file&open=yes

These issue are now filed in security-protected monorail tracker and we'd like to find file developers to take a look at them.

We will CC developers on these issues to give them access to stack traces and reproducer data. For that we'd need an e-mail with associated google account. We will also set up the process to auto-CC these people when we find more issues.

Check out https://github.com/google/oss-fuzz/blob/master/projects/file/project.yaml and we can get your emails setup for easy access to those current testcases.

[zoulasc]

On Dec 19, 2:23pm, notifications@github.com (inferno-chromium) wrote: -- Subject: [google/oss-fuzz] file - reporting potential security vulnerabili | @zoulasc @rrthomas | | Our OSS-Fuzz fuzzing effort (https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html) has located 3 security vulnerabilities in file using the fuzz target we developed. | https://clusterfuzz-external.appspot.com/v2/testcases?job=libfuzzer_asan_file&open=yes | | These issue are now filed in security-protected monorail tracker and we'd like to find file developers to take a look at them. | | We will CC developers on these issues to give them access to stack traces and reproducer data. For that we'd need an e-mail with associated google account. We will also set up the process to auto-CC these people when we find more issues. | | Check out https://github.com/google/oss-fuzz/blob/master/projects/file/project.yaml and we can get your emails setup for easy access to those current testcases. | Hi, I am zoulasc@gmail.com christos

[inferno-chromium]

Ok @zoulasc updated your contact info in e6bf5e1

Also, gave your email access to current 3 security vulnerabilities - https://bugs.chromium.org/p/oss-fuzz/issues/list?can=2&q=libfuzzer_asan_file&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids. It will be great if you can please take a look or find an owner to fix these.

[zoulasc]

On Dec 19, 6:22pm, notifications@github.com (inferno-chromium) wrote: -- Subject: Re: [google/oss-fuzz] file - reporting potential security vulnera | Ok @zoulasc updated your contact info in e6bf5e1 | | Also, gave your email access to current 3 security vulnerabilities - https://bugs.chromium.org/p/oss-fuzz/issues/list?can=2&q=libfuzzer_asan_file&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids. It will be great if you can please take a look or find an owner to fix these. Thanks a lot; I believe I fixed both! christos

[inferno-chromium]

@zoulasc - thanks for fixing these quick. One of them is already closed as verified, and hopefully by tmrw we will another fresh build and ClusterFuzz confirms and closes the other two. So, these were 2 unique bugs and not 3 ?

[zoulasc]

On Dec 20, 5:47am, notifications@github.com (inferno-chromium) wrote: -- Subject: Re: [google/oss-fuzz] file - reporting potential security vulnera | @zoulasc - thanks for fixing these quick. One of them is already | closed as verified, and hopefully by tmrw we will another fresh | build and ClusterFuzz confirms and closes the other two. So, these | were 2 unique bugs and not 3 ? Yes, one was an off-by-one read on the hacky cdf unicode to ascii conversion and the other was a non-NUL terminated buffer passed to regexec(3). Send more :-) christos

[inferno-chromium]

@zoulasc - looks like the new build is failing on clang, any idea on fix :) ?
https://oss-fuzz-build-logs.storage.googleapis.com/build_logs/file/latest.txt

• clang++ -g -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters -stdlib=libc++ -std=c++11 -Isrc/ /src/magic_fuzzer.cc -o /out/magic_fuzzer -lFuzzingEngine ./src/.libs/libmagic.a
  ./src/.libs/libmagic.a(softmagic.o): In function magiccheck': /src/file/src/softmagic.c:(.text+0xc89c): undefined reference to __UNCONST'
  /src/file/src/softmagic.c:1891: undefined reference to `__UNCONST'
  clang-4.0: error: linker command failed with exit code 1 (use -v to see invocation)
• cp ./magic/magic.mgc /out/
  cp: cannot stat './magic/magic.mgc': No such file or directory

[inferno-chromium]

@zoulasc - your travis build failed as well - https://travis-ci.org/file/file/builds/185442142

[inferno-chromium]

Thanks for fix - file/file@8c16c9e.

[zoulasc]

On Dec 20, 5:58am, notifications@github.com (inferno-chromium) wrote: -- Subject: Re: [google/oss-fuzz] file - reporting potential security vulnera | @zoulasc - looks like the new build is failing on clang, any idea on fix :) ? | https://oss-fuzz-build-logs.storage.googleapis.com/build_logs/file/latest.txt Already fixed, thanks. Failed on !NetBSD :-) christos

[inferno-chromium]

@zoulasc - ok 2 out of 3 are fixed. https://clusterfuzz-external.appspot.com/v2/testcase-detail/5158914005925888 still reproduces on trunk, can you take a look.