google / oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://google.github.io/oss-fuzz
Apache License 2.0

Report 32675 (CVE-2021-36087) found wrong commit as fix #5993

Closed jsegitz closed 3 years ago

jsegitz commented 3 years ago

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml lists https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac as the fix, but that doesn't seem reasonable. I suspect that the fix for CVE-2021-36085/CVE-2021-36086 fixed this issue too and the bot went wrong somewhere.

oliverchang commented 3 years ago

Yes something may have gone wrong with the bisection here. Would you be able to correct the commit via a PR for https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml?

evverx commented 3 years ago

On a somewhat unrelated note, looking at a bunch of CVEs pointing to OSS-Fuzz with descriptions with flattened backtraces copy-pasted from bug reports on Monorail and assigned at apparently the same time, I wonder if the OSS-Fuzz project (or the OSV project) has started assigning CVEs automatically left and right?

oliverchang commented 3 years ago

> On a somewhat unrelated note, looking at a bunch of CVEs pointing to OSS-Fuzz with descriptions with flattened backtraces copy-pasted from bug reports on Monorail and assigned at apparently the same time, I wonder if the OSS-Fuzz project (or the OSV project) has started assigning CVEs automatically left and right?

Nope, not us :) Someone else must be watching our oss-fuzz-vulns repo and doing this.

inferno-chromium commented 3 years ago

> On a somewhat unrelated note, looking at a bunch of CVEs pointing to OSS-Fuzz with descriptions with flattened backtraces copy-pasted from bug reports on Monorail and assigned at apparently the same time, I wonder if the OSS-Fuzz project (or the OSV project) has started assigning CVEs automatically left and right?

@evverx - can you please give us some examples? I am curious who is helping the OSS ecosystem with tracking CVEs.

evverx commented 3 years ago

@inferno-chromium I think one example of that script (or whatever that was) in action would be all the CVEs assigned to the selinux project on July 1st: https://nvd.nist.gov/vuln/detail/CVE-2021-36084 https://nvd.nist.gov/vuln/detail/CVE-2021-36085 https://nvd.nist.gov/vuln/detail/CVE-2021-36086 https://nvd.nist.gov/vuln/detail/CVE-2021-36087

I'm curious about who that was as well (mostly because I think that blindly assigning CVEs to all the issues OSS-Fuzz considers "vulnerabilities" isn't helpful).

oliverchang commented 3 years ago

A couple more can be found here: https://github.com/CVEProject/cvelist/search?q=oss-fuzz-vulns (23 at time of writing).

jsegitz commented 3 years ago

> Yes something may have gone wrong with the bisection here. Would you be able to correct the commit via a PR for https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml?

Yes, I plan to work on this later this week and will submit there once I have figured it out.

jsegitz commented 3 years ago

https://github.com/google/oss-fuzz-vulns/pull/5 changes this to the correct commit.