Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:106005 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 63339 invoked from network); 20 Jun 2019 19:28:57 -0000 Received: from unknown (HELO mout.gmx.net) (212.227.15.19) by pb1.pair.com with SMTP; 20 Jun 2019 19:28:57 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1561049031; bh=zjgxQpBDAbx5NvNkiDxUDFpV4qohYlAn8odFl3gtCC8=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=ggmBJWjkK1WxCKu4B6KG0EnZF2+Hurq1ZDlE9I5sSBiqFPFHF7UDJ+1qoKeRYdmkX jAmsqA4ktmxLxXLxPPVKPupYPjlVijKjNhMyWCHDDjPVdjy5Qi1FM5+zxClUUjWQm2 fdtXD8PN+hMUVPKULlm5xP3W+nb0/8fISSrFDvdQ= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from [192.168.2.144] ([79.222.32.25]) by mail.gmx.com (mrgmx003 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MHHdb-1hqJyn3G4J-00E51J; Thu, 20 Jun 2019 18:43:50 +0200 To: Nikita Popov , Stanislav Malyshev Cc: PHP Internals , "security@php.net" References: Message-ID: Date: Thu, 20 Jun 2019 18:43:51 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: de-DE Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:/TfkoZCFTHo5BZn7K9slqqDG5E/E22aiF+mJ4ohmqmAwy1zaeus woEgetferUHWwQUBtr8q5unzm3WxFuVoJ88UYFiGFK4Yo07I5e6bZWCTEAGf2ySumNFgAz8 FVhzGeyYLZ+lqCK4cKoZCwfrv8azybSGCZrZMJy9PtNO3XfngQXFdQxV4xf9U7BW9KLgmRB 0141ZM17fHEVj/8uMTaQA== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:DemlKVXMn1o=:PfozhVGvFIRhH42G+pYVDL aTa6Mf8LzCwqwztHtxRIJ8vSukgpew4YX3SdrVtkom4d9ugdoo4tDMJ3h0LkhCzqWvoqAHobx sK1FipKH91C54qAUmXquxyU+4+uaubvKlDIB4aRSDF4RC4xdECWuIhRf91JzaS6ABEFk4GYW3 449WguBDwJHkiVlwJualE979x2JbSCQD2rig9QuSGEnD3FXjtY4AyrwsoZPw8mNjXQuJgTJPI daC1td3uZSCmKiDoyUKXUC9X6pmRFYMWMwTddpaMqqubggWiq6hqOgcnlz7iUh3TwYuPD6xpF bNyhoi7vc5wliOXkVgKRAHjcNdtaG4yrH1zF8uW/OolQizmKRa6269uGMUAvtniB1Aikpcpoc xE9hLln8DkGYku54WBw/x+yFPZ9auMH1IiIA20fVsMPc2v3cBrI1I7ZUh5d2QGtB6N7dG5zkJ wIq9lE9dHgLo3RpqKeuL84wvvCdceRqpy9hsF3OFrPN7J9Qx21Jkv/it8eCq8N1uWaFiS2d0H 1LGpC+rGfcg0XTBZWnWpXUzXHlsz/QSPzN7dW0gBWiCCddFLbS9FcwCneP/Wq9l81XvjDiIJb 6YBMbVySKoEdu6Iel0bA6q//V8UISCi+Muzezdq2KeyOKeiubzw2RiHAI4LuuNYXOgeuKvILO GrJyMcRDc3uFwNWE1Cbvst3EPX9yw2NJw3Pm4SPM/EEd7OVzQ/leNkdpXhZivKgAmyj0e6nIz KirVtUs+JtWTT3mZefUzQuG7fFuylg0m87r+NQpuMN+Hhq1Jq9+oXWoTuT77Ad+WpoCrsNdit QeDtgkUm4d3Dx7Ap8SEJddd0fWcd616TsZBDb3mM+si/UStUoEU/DJoCt0j9XrXeJ3QK5c6uH b6lFR4zNOjO/cbd6cVutOo4gphU6cwZRjzLV2HUAmBuM5H38cGVfBOlWiSDUDDxt+pqM/Ynxv zUI/8oYcKqbHcLeuYpaYEXQXqbaC+pxIoU20xWh6yShwH0cqrDAeV Subject: Re: [PHP-DEV] PHP on OSS-fuzz From: cmbecker69@gmx.de ("Christoph M. Becker") On 20.06.2019 at 17:54, Nikita Popov wrote: > On Sun, Mar 17, 2019 at 10:23 PM Stanislav Malyshev > wrote: > >> Hi! >> >> Looking at the recent PHP security issues, it is clear that many of the= m >> are stemming from corner cases in various format-parsing code, and most >> of them either is or can be found by fuzzers. >> >> Thus, I've made an initial integration for PHP on OSS-fuzz project - a >> fuzzing engine for testing open source projects. PHP configuration sits >> here: >> https://github.com/google/oss-fuzz/tree/master/projects/php >> and implementation of fuzzers is here: >> https://github.com/php/php-fuzzing-sapi >> >> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan >> also to add basic phar fuzzer soon. Everybody is welcome to add more >> fuzzers - with priority on ones that actually deal with third-party >> data, e.g. language parser fuzzer is not enabled right now, because >> people usually do not run random byte streams as PHP scripts on their >> servers. On the other hand, people do apply EXIF or gd functions to >> third-party data, so a vulnerability in that code would be high priorit= y. >> >> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel >> inspired to add a fuzzer for any code please do so. > > Where are issues detected by oss-fuzz reported? Everyone who is listed under primary_contact or auto_ccs[1] should be able to see the reports on and gets e-mails for first time issues (works for me for libgd). [1] Thanks, Christoph