-
-
Notifications
You must be signed in to change notification settings - Fork 120
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSS-Fuzz Integration Inquiry #182
Comments
Hi @capuanob, that sounds great. You can use my email (found in project README, etc..) I recall that in the past people doing "fuzzing" independently have found some issues, so this could prove out to be useful addition. |
@tjko Thank you! I will submit this to the panel for their consideration. If approved, I will get started shortly thereafter. I can definitely support testing against the different, underlying libraries |
I am requesting permission to integrate [jpegoptim](https://github.com/tjko/jpegoptim) into OSS-Fuzz. I believe that this project is a good candidate for OSS-Fuzz integration as it serves as a preeminent JPEG compression library used by many prominent projects such as [NextCloud Server](https://github.com/nextcloud/server/blob/c28fceb5d511e22030697e549c618699bce7c205/build/image-optimization.sh#L13C1-L17C3), [ImageOptim](https://github.com/ImageOptim/ImageOptim), and [Nikola](https://github.com/getnikola/nikola). For the sake of highlighting the library's importance and the risks posed by potential vulnerabilities within it, it is beneficial to consider NextCloud's usage of the library to handle image size optimization for storing user's data. Some potential risks include image corruption and loss of customer data and, as a worst -case-scenario, the exploitation of the JPEG parsing to achieve RCE on a public-network-facing file store. Please see upstream approval for integration [here](tjko/jpegoptim#182) Co-authored-by: Vitor Guidi <vitorguidi@gmail.com>
Hello!
I have integrated a few open-sourced projects into OSS-Fuzz, a program sponsored by Google to provide continuous fuzz-testing of impactful open-sourced projects, and am wondering if jpegoptim's maintainers would approve me undertaking the work to develop a harness to fuzz-test this library and integrate it into OSS-Fuzz.
If you would like more details on what OSS-Fuzz is and what this work would entail, more details can be found here.
If so, all I would need is an email address of the primary contract, who will receive access to ClusterFuzz to view crash reports. I could also list myself as the primary contact, if desired.
Thank you for your consideration and I look forward to working with you all!
The text was updated successfully, but these errors were encountered: