google / oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://google.github.io/oss-fuzz
Apache License 2.0

OSTIP must clean up mess created by Leviathan Security in UPX #12759

Open jreiser opened 2 hours ago

jreiser commented 2 hours ago

https://issues.oss-fuzz.com/42533060 upx: Fuzzing build failure

The build has been failing for at least 9 months because of a stale patch in the build system for testing UPX that was necessary ten months ago (January 2024) but was obviated by changes to the UPX source by the developers of UPX. When the contract ended between OSTIP and Leviathan Security for exercising UPX using the cluster-fuzz apparatus, then Leviathan did not remove the then-stale patch, and the developers of UPX have no access to remove the patch. Worse still, the GitHub commit of the patch (and the URL of the cluster-fuzz [sub-]project for UPX) are not listed in the build log.

PLEASE remove the patch, or provide the URL and access permissions so that UPX developers can do so. Reminders by a robot build system that has no human oversight are annoying, and have created the strong impression that OSTIP (Open Source Technology Improvement Program) is merely a pest.

jreiser commented 2 hours ago

The most recent build log is: https://oss-fuzz-build-logs.storage.googleapis.com/log-214a3b50-7a7b-484b-b2e9-a1276c80d68a.txt

and the patch that should be removed is:

Step #3 - "compile-afl-address-x86_64": + sed -i 's/ \&\& __clang_major__ < 15//m' /src/upx/src/util/util.cpp
Step #3 - "compile-afl-address-x86_64": + git apply /src/upx/fuzzers/build.patch
Step #3 - "compile-afl-address-x86_64": error: patch failed: CMakeLists.txt:595
Step #3 - "compile-afl-address-x86_64": error: CMakeLists.txt: patch does not apply