Dear Digikam team,
I am a security engineer at Adalogics, and I have been fuzzing your software, Digikam, in order to find bugs and vulnerabilities before attackers do. From a high-level point of view, fuzzing is a process of sending large amounts of pseudo-random data to an application and observing bug conditions. Your project would benefit from continuous fuzzing, and you could achieve that through integrating with the Google OSS-fuzz project.
Integration of your project in OSS-fuzz means that Google runs our fuzzers on their infrastructure and sends you reports of any bugs that it finds. You will receive these reports automatically. The entire process is provided by Google free of charge, and the only expectation from Google's side is that you fix the bugs that they find and report to you.
Let me know if you are interested in having Digikam fuzzed on the OSS-fuzz platform, and I will commit the fuzzer I have for Digikam and integrate it with the OSS-fuzz project.
Kind regards
Adam Korczynski
Security Engineer,
Adalogics, +447885484453
Hi Adam,
Thanks for your proposal. I know the fuzz process to inject random data stream in application components to see code quality. We plan to use this way in my office for certain libraries used internally.
Maik,
Perhaps we can make a try with digiKam, what do you think about this?
Best
Gilles Caulier

On Thu, 2 Apr 2020 at 03:54, Adam Korczynski <[hidden email]> wrote:
>
> Dear Digikam team,
>
> I am a security engineer at Adalogics, and I have been fuzzing your software, Digikam in order to find bugs and vulnerabilities before attackers do. From a high level point of view fuzzing is a process of sending large amounts of pseudo random data to an application and observe bug conditions. Your project would benefit from continuous fuzzing, and you could achieve that through integrating with Google OSS-fuzz project.
>
> Integration of your project in OSS-fuzz means that Google runs our fuzzers on their infrastructure and sends you report of any bugs that it finds. You will receive these report automatically. The entire process is provided by Google free of charge, and the only expectation from Googles side is that you fix the bugs that they find and report to you.
>
> Let me know if you are interested in having Digikam fuzzed on the OSS-fuzz platform, and I will commit the fuzzer I have for Digikam and integrate it with the OSS-fuzz project.
>
> Kind regards
> Adam Korczynski
> Security Engineer, Adalogics, +447885484453
Yes, why not. OK, we have to close all bugs, says Google. What about software over which we have less influence, e.g. if the problem is in external libraries?
Maik

On Thursday, 2 April 2020, 10:04:25 CEST, Gilles Caulier wrote:
> Hi Adam,
>
> Thanks for your proposal. I know the fuzz process to inject random
> data stream in application components to see code quality. We plan to
> use this way in my office for certain libraries used internally.
>
> Maik,
>
> Perhaps we can make a try with digiKam, what do you think about this?
>
> Best
>
> Gilles Caulier
>
> On Thu, 2 Apr 2020 at 03:54, Adam Korczynski <[hidden email]> wrote:
> > Dear Digikam team,
> >
> > I am a security engineer at Adalogics, and I have been fuzzing your
> > software, Digikam in order to find bugs and vulnerabilities before
> > attackers do. From a high level point of view fuzzing is a process of
> > sending large amounts of pseudo random data to an application and observe
> > bug conditions. Your project would benefit from continuous fuzzing, and
> > you could achieve that through integrating with Google OSS-fuzz project.
> >
> > Integration of your project in OSS-fuzz means that Google runs our fuzzers
> > on their infrastructure and sends you report of any bugs that it finds.
> > You will receive these report automatically. The entire process is
> > provided by Google free of charge, and the only expectation from Googles
> > side is that you fix the bugs that they find and report to you.
> >
> > Let me know if you are interested in having Digikam fuzzed on the OSS-fuzz
> > platform, and I will commit the fuzzer I have for Digikam and integrate
> > it with the OSS-fuzz project.
> >
> > Kind regards
> > Adam Korczynski
> > Security Engineer, Adalogics, +447885484453
Maik,
I know that libraw already uses fuzzy test. I have also seen that Exiv2 plans to use or already uses this kind of test (I'm not sure). For the rest I don't know. It can be very important that Qt5 and KF5 libraries follow the same fuzzy test in the CI. But I don't know exactly.
Gilles

On Thu, 2 Apr 2020 at 19:32, Maik Qualmann <[hidden email]> wrote:
>
> Yes why not. Ok, we have to close all bugs, says Google. What about software
> over which we have less influence, e.g. if the problem is in external
> libraries?
>
> Maik
>
> On Thursday, 2 April 2020, 10:04:25 CEST, Gilles Caulier wrote:
> > Hi Adam,
> >
> > Thanks for your proposal. I know the fuzz process to inject random
> > data stream in application components to see code quality. We plan to
> > use this way in my office for certain libraries used internally.
> >
> > Maik,
> >
> > Perhaps we can make a try with digiKam, what do you think about this?
> >
> > Best
> >
> > Gilles Caulier
> >
> > On Thu, 2 Apr 2020 at 03:54, Adam Korczynski <[hidden email]> wrote:
> > > Dear Digikam team,
> > >
> > > I am a security engineer at Adalogics, and I have been fuzzing your
> > > software, Digikam in order to find bugs and vulnerabilities before
> > > attackers do. From a high level point of view fuzzing is a process of
> > > sending large amounts of pseudo random data to an application and observe
> > > bug conditions. Your project would benefit from continuous fuzzing, and
> > > you could achieve that through integrating with Google OSS-fuzz project.
> > >
> > > Integration of your project in OSS-fuzz means that Google runs our fuzzers
> > > on their infrastructure and sends you report of any bugs that it finds.
> > > You will receive these report automatically. The entire process is
> > > provided by Google free of charge, and the only expectation from Googles
> > > side is that you fix the bugs that they find and report to you.
> > >
> > > Let me know if you are interested in having Digikam fuzzed on the OSS-fuzz
> > > platform, and I will commit the fuzzer I have for Digikam and integrate
> > > it with the OSS-fuzz project.
> > >
> > > Kind regards
> > > Adam Korczynski
> > > Security Engineer, Adalogics, +447885484453