Newsgroups: php.internals
Xref: news.php.net php.internals:104853
From: mike@php.net (Michael Wallner)
To: Stanislav Malyshev, PHP Internals, "security@php.net"
Date: Thu, 21 Mar 2019 14:49:58 +0100
Message-ID: <420ce5d1-a64e-6578-11e3-851bc2ee0637@php.net>
Subject: Re: [PHP-DEV] PHP on OSS-fuzz

Hey!

On 17/03/2019 22:23, Stanislav Malyshev wrote:
> Hi!
>
> Looking at the recent PHP security issues, it is clear that many of them
> are stemming from corner cases in various format-parsing code, and most
> of them either are or can be found by fuzzers.
>
> Thus, I've made an initial integration for PHP on the OSS-fuzz project - a
> fuzzing engine for testing open source projects. PHP configuration sits
> here:
> https://github.com/google/oss-fuzz/tree/master/projects/php

I followed the progress on GitHub. Thanks for doing the work up front.

> and implementation of fuzzers is here:
> https://github.com/php/php-fuzzing-sapi
>
> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan
> also to add a basic phar fuzzer soon. Everybody is welcome to add more
> fuzzers - with priority on ones that actually deal with third-party
> data, e.g. the language parser fuzzer is not enabled right now, because
> people usually do not run random byte streams as PHP scripts on their
> servers. On the other hand, people do apply EXIF or gd functions to
> third-party data, so a vulnerability in that code would be high priority.
>
> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
> inspired to add a fuzzer for any code please do so.
>

I hope I'll find time to try it out soon, thanks again!

--
Regards,
Mike