From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <evvers@ya.ru>
Received: from forward501j.mail.yandex.net (forward501j.mail.yandex.net
 [5.45.198.251])
 by sourceware.org (Postfix) with ESMTPS id A499F3858D3C
 for <elfutils-devel@sourceware.org>; Sat, 19 Mar 2022 11:08:33 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A499F3858D3C
Received: from myt6-3feb8f706c81.qloud-c.yandex.net
 (myt6-3feb8f706c81.qloud-c.yandex.net
 [IPv6:2a02:6b8:c12:4e0e:0:640:3feb:8f70])
 by forward501j.mail.yandex.net (Yandex) with ESMTP id 788896234A8;
 Sat, 19 Mar 2022 14:08:31 +0300 (MSK)
Received: from myt5-01d0fbe499ab.qloud-c.yandex.net
 (myt5-01d0fbe499ab.qloud-c.yandex.net [2a02:6b8:c12:4619:0:640:1d0:fbe4])
 by myt6-3feb8f706c81.qloud-c.yandex.net (mxback/Yandex) with ESMTP id
 VaBVcwpVBO-8UfuMZlT; Sat, 19 Mar 2022 14:08:31 +0300
X-Yandex-Fwd: 2
Received: by myt5-01d0fbe499ab.qloud-c.yandex.net (smtp/Yandex) with ESMTPSA
 id QF9cEqHz4n-8UJG2kx7; Sat, 19 Mar 2022 14:08:30 +0300
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client certificate not present)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Subject: Re: Some fuzzer workarounds 
From: Evgeny Vereshchagin <evvers@ya.ru>
In-Reply-To: <741FAE40-F8E9-4DA7-A160-E30A76210AC8@ya.ru>
Date: Sat, 19 Mar 2022 14:08:30 +0300
Cc: elfutils-devel@sourceware.org,
 david korczynski <david@adalogics.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <36547D6F-3819-4654-8443-102B868758BF@ya.ru>
References: <20220317133051.100876-1-mark@klomp.org>
 <741FAE40-F8E9-4DA7-A160-E30A76210AC8@ya.ru>
To: Mark Wielaard <mark@klomp.org>
X-Mailer: Apple Mail (2.3445.104.21)
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, RCVD_IN_MSPIKE_H3,
 RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_PASS, TXREP,
 T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: elfutils-devel@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Elfutils-devel mailing list <elfutils-devel.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/elfutils-devel/>
List-Help: <mailto:elfutils-devel-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Mar 2022 11:08:38 -0000

Hi

> If they weren't actually tested I think it would make sense to revert =
them to avoid getting auto-generated CVEs
> until they're in more or less good shape at least.

I've just opened https://github.com/google/oss-fuzz/pull/7401 to weed =
out some false positives.=20
Given that they are "security" issues and bash scripts generating CVEs =
rely on that label I hope they will be closed
as "invalid" or "wonfix". The issues found by fuzz-elf-get-sections =
(which was renamed to fuzz-libelf apparently) were
closed as "Verified" though so I'm not sure how it works exactly.

Thanks,
Evgeny Vereshchagin=