List: mapserver-dev
Subject: Re: [mapserver-dev] Fuzzing MapServer
From: Even Rouault <even.rouault () spatialys ! com>
Date: 2021-04-15 19:20:47
Message-ID: 9513a023-0375-6799-2740-91f099729b4a () spatialys ! com
On 15/04/2021 at 19:28, Steve Lime wrote:
> I hear what you're saying from a release standpoint. I guess I could
> have said "initiate a fuzzing effort" as part of the 8.0 release. I
> like your idea to concentrate on the query string, that represents a
> pretty big surface depending what the fixed mapfile contains. With
> oss-fuzz there's a time limit on certain types of bugs before
> public disclosure, correct?
Details at
https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
They don't make a distinction between types of bugs.
> That's a bit worrisome if you got slammed and nobody was available to
> address bugs.
We might also want to decide what to do if bugs impacting security are
uncovered (it might be hard to decide what is exploitable: a double-free
can in some circumstances be exploited, but I doubt any of us has the
expertise to evaluate that).
>
> Are there alternatives to oss-fuzz that could be considered (Seth
> referenced one of them)?
>
> Funding would be great although our only source of $'s at the moment
> is the OSGeo project budget which is really small and partially
> committed to the TravisCI subscription.
For the mapserver (non-doc) repo, we're close to being ready to unplug
Travis-CI now that we have a GitHub Actions job. The remaining thing would be
to add coveralls support
(https://github.com/MapServer/MapServer/issues/6299 created as a reminder).
--
http://www.spatialys.com
My software is free, but my time generally not.
_______________________________________________
mapserver-dev mailing list
mapserver-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-dev