OSS-Fuzz Integration Inquiry #182

capuanob opened this issue Jan 5, 2025 · 2 comments

capuanob commented Jan 5, 2025

Hello!

I have integrated a few open-sourced projects into OSS-Fuzz, a program sponsored by Google to provide continuous fuzz-testing of impactful open-sourced projects, and am wondering if jpegoptim's maintainers would approve me undertaking the work to develop a harness to fuzz-test this library and integrate it into OSS-Fuzz.

If you would like more details on what OSS-Fuzz is and what this work would entail, more details can be found here.

If so, all I would need is an email address of the primary contact, who will receive access to ClusterFuzz to view crash reports. I could also list myself as the primary contact, if desired.

Thank you for your consideration and I look forward to working with you all!

tjko (Owner) commented Jan 5, 2025

Hi @capuanob, that sounds great. You can use my email (found in the project README, etc.).

I recall that in the past people doing "fuzzing" independently have found some issues, so this could prove to be a useful addition.
Also, it would seem rather likely that OSS-Fuzz could find issues in the underlying JPEG library (libjpeg, libjpeg-turbo, mozjpeg, ...). Would it be possible to build a harness so that it can build/test jpegoptim against different libraries, etc.?

capuanob (Author) commented Jan 6, 2025

@tjko Thank you! I will submit this to the panel for their consideration.

If approved, I will get started shortly thereafter. I can definitely support testing against the different underlying libraries.

vitorguidi added a commit to google/oss-fuzz that referenced this issue Jan 17, 2025
I am requesting permission to integrate
[jpegoptim](https://github.com/tjko/jpegoptim) into OSS-Fuzz. I believe
that this project is a good candidate for OSS-Fuzz integration as it
serves as a preeminent JPEG compression library used by many prominent
projects such as [NextCloud
Server](https://github.com/nextcloud/server/blob/c28fceb5d511e22030697e549c618699bce7c205/build/image-optimization.sh#L13C1-L17C3),
[ImageOptim](https://github.com/ImageOptim/ImageOptim), and
[Nikola](https://github.com/getnikola/nikola).

For the sake of highlighting the library's importance and the risks
posed by potential vulnerabilities within it, it is beneficial to
consider NextCloud's usage of the library to handle image size
optimization for storing user's data. Some potential risks include image
corruption and loss of customer data and, as a worst-case scenario, the
exploitation of the JPEG parsing to achieve RCE on a
public-network-facing file store.

Please see upstream approval for integration
[here](tjko/jpegoptim#182)

Co-authored-by: Vitor Guidi <vitorguidi@gmail.com>