oss-sec mailing list archives
Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 15 Jun 2019 20:59:47 +0200
Hi Alex, I think what you're describing has been going on for a while, even before oss-fuzz. A combination of compiler sanitizers and better fuzzing techniques has scaled up bug finding and fixing to a level we haven't had before. For distributions that promise to backport all security fixes that creates a situation where it's almost impossible to keep that promise, they just don't have the manpower to scale up at the same speed as people find bugs. Maybe the main takeaway here is to just recognize that, and maybe distros should be more honest here and be clear what they can and can't do. And if you run a parser in a high risk environment you may not want to rely on the outdated version shipping in some LTS distribution. But I also think it's good to keep some perspective of the bugs we're talking about. Many of the bugs oss-fuzz finds are of bug classes where it's quite unlikely that they directly lead to a security issue (e.g. out of bounds memory reads - which asan controversially calls "overflows"). Even for the scarier looking vulns like write buffer overflows and use after free the situation is that these are usually not straightforward to exploit. All modern distributions have a combination of stack canaries, ASLR and nonexecutable memory. It's my understanding that while it's often possible to bypass those, doing so in non-scripting scenarios (e.g. in an image parser) is really hard and often impossible. I guess therefore it's still an overall win. While there's a number of bugs unfixed with public information, in the long term we'll get more robust code and the number of bugs present should be in steep decline. -- Hanno Böck https://hboeck.de/ mail/jabber: hanno () hboeck de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Current thread:
- Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Moritz Muehlenhoff (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Ian Zimmerman (Jun 21)
- Re: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz David A. Wheeler (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alan Coopersmith (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 16)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Solar Designer (Jun 16)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 17)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jakub Wilk (Jun 23)