tukaani-project
oss-fuzz
tukaani-project | oss-fuzz | |
---|---|---|
5 | 31 | |
- | 10,008 | |
- | 4.1% | |
- | 9.9 | |
- | 5 days ago | |
Shell | ||
- | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
tukaani-project
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
Thank you. If you wouldn't have explained the background, I totally would've thought that this is just an innocent typo.
(I still think it's like... 60% a typo? don't know)
Anyhow, other people called the CCing of JiaT75 by Lasse suspicious:
https://news.ycombinator.com/item?id=39867593
https://lore.kernel.org/lkml/20240320183846.19475-2-lasse.co...
Someone pointed out the "mental health issues" and "some other things"
https://news.ycombinator.com/item?id=39868881
https://www.mail-archive.com/[email protected]/msg00567.h...
Lasse is of course a Nordic name, and the whole project has a finnish name and hosting
https://news.ycombinator.com/item?id=39866902
If I wanted to go rogue and insert a backdoor in a project of mine, I'd probably create a new sockpuppet account and hand over management of the project to them. The above is worringly compatible with this hypothesis.
OTOH, JiaT75 did not reuse the existing hosting provider, but rather switched the site to github.io and uploaded there old tarballs:
https://github.com/tukaani-project/tukaani-project.github.io...
If JiaT75 is an old-timer in the project, wouldn't they have kept using the same hosting infra?
There are also some other grim possibilities: someone forced Lasse to hand over the project (violence or blackmailing? as farfetched as that sounds)... or maybe stole Lasse devices (and identity?) and now Lasse is incapacitated?
Or maybe it's just some other fellow scandinavian who pretends to be chinese and got Lasse's trust.
Is the same person sockpuppeting Hans Jansen? It's amusing (but unsurprising) that they are using both german-sounding and chinese-sounding identities.
That said, I don't think it's unreasonable to think that Lasse genuinely trusted JiaT75, genuinely believed that the ifunc stuff was reasonable (it probably isn't: https://news.ycombinator.com/item?id=39869538 ) and handed over the project to them.
And at the end of the day, the only thing linking JiaT75 is a swedish/finnish racist joke which could well be a typo. People already checked the timezone of the commits, but I wonder if anyone has already checked the time-of-day of those commits... does it actually match the working hours that a person genuinely living (and sleeping) in China would follow?
oss-fuzz
- Xz: Disable ifunc to fix Issue 60259
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
> because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers
for example, https://github.com/google/oss-fuzz/pull/10667
-
Ask HN: Any Good Fuzzer for gRPC?
Have you tried Googles grpc fuzzer?
https://github.com/google/oss-fuzz/blob/master/projects/grpc...
-
Pacemaker should be running open source software
https://www.fda.gov/medical-devices/digital-health-center-ex...
oss-fuzz: https://github.com/google/oss-fuzz :
> We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.
> Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.
-
Fuzz Testing Is the Best Thing to Happen to Our Application Tests
I love fuzzing as a technique and use it quite regularly, but running AFL++ on even a single program occupies all threads of a high end AMD server for weeks. I'm running it locally so only paying for the electricity. If it was a cloud instance it would cost a small fortune. I think this is a reason it is not used more widely.
I will note that Google have a programme for doing fuzz testing on open source projects using computer from their cloud: https://google.github.io/oss-fuzz/
- Fixed Spelling Errors or Typos
- ELI5: How can downloading a pdf or word file give you a virus?
- OSS-Fuzz β continuous fuzzing for open source software
-
Mosh: An Interactive Remote Shell for Mobile Clients (2012) [pdf]
Yes, mosh has fuzz tests in oss-fuzz [1].
[1] https://github.com/google/oss-fuzz/tree/master/projects/mosh
-
Java Fuzzing with Jazzer compared to Symflower
We will explore how Jazzer is used to automatically generate malicious inputs for Java programs, and how it compares to Symflower, which can automatically generate unit tests to uncover bugs and errors in your code. With the help of Jazzer, many bugs - some of them even in the OpenJDK - were found already. Also, as of March 2021, Jazzer is officially part of OSS-Fuzz, Google's cloud fuzzing engine. It should be noted that Jazzer is a pure "bug detection" utility that finds reproducers for errors in user code. Symflower can do the same, but provides additional functionalities to boost developer productivity, like generating high coverage unit tests and providing test templates for the software developer or tester.
What are some alternatives?
systemd - The systemd System and Service Manager
AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
xz - XZ Utils [GET https://api.github.com/repos/tukaani-project/xz: 403 - Repository access blocked]
fuzzilli - A JavaScript Engine Fuzzer
homebrew-core - π» Default formulae for the missing package manager for macOS (or Linux)
ffmpeg-libav-tutorial - FFmpeg libav tutorial - learn how media works from basic to transmuxing, transcoding and more. Translations: πΊπΈ π¨π³ π°π· πͺπΈ π»π³ π§π·
wasmtime - A fast and secure runtime for WebAssembly
libfuzzer - Thin interface for libFuzzer, an in-process, coverage-guided, evolutionary fuzzing engine.
rust1 - rust1
FFmpeg - Mirror of https://git.ffmpeg.org/ffmpeg.git
openconnect
uafuzz - UAFuzz: Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities