Full Report
Learn why some long-enrolled OSS-Fuzz projects still contain vulnerabilities and how you can find them. The post Bugs that survive the heat of continuous fuzzing appeared first on The GitHub Blog.
Analysis Summary
This summary is based *only* on the provided contextual text. Since the article focuses on the *need* for better fuzzing and points to vulnerabilities found in extensive manual auditing, but does **not** list specific finalized CVE IDs, exact CVSS scores, or precise patch/version numbers for the described issues, these fields will be marked as "Not specified in text" or inferred from the discussion context.
# Vulnerability: Bugs Surviving Long-Term OSS-Fuzz Enrollment
## CVE Details
- CVE ID: Not specified in text (Multiple vulnerabilities discovered across projects like GStreamer and Poppler)
- CVSS Score: Not specified in text
- CWE: Not specified in text (Though implied issues relate to boundary conditions and arithmetic errors)
## Affected Systems
- Products: GStreamer, Poppler, and an unspecified web server (related to the divide-by-zero example).
- Versions: Not specified in text. The discussion covers projects *long-enrolled* in OSS-Fuzz.
- Configurations: Issues appeared in systems using these libraries (e.g., Ubuntu using GStreamer for media processing or Poppler for PDF rendering).
## Vulnerability Description
The article highlights that even mature open-source projects continuously fuzzed by OSS-Fuzz can harbor critical vulnerabilities. This is attributed to several factors:
1. **Insufficient Fuzzer Coverage:** Projects may have too few active fuzzers or low code coverage (e.g., GStreamer reported ~19% coverage, far less than peers like OpenSSL).
2. **Human Oversight Gap:** Maintainers often rely solely on enrollment without actively monitoring coverage or writing new fuzzers for uncovered code paths.
3. **False Sense of Security:** Developers may assume "being fuzzed" means "protected," leading to neglect, sometimes resulting in fuzzing pipelines actually failing or not running at all.
4. **Limitations of Control-Flow Fuzzing:** Traditional fuzzing is guided by control-flow coverage (which branches and paths execute), so it can miss bugs that depend on specific input *values* rather than on reaching a new path; the post calls this missing signal *value coverage* and illustrates it with a divide-by-zero that is triggered only by a specific, large client-controlled padding size (4312 bytes in the example).
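To make the control-flow versus value-coverage distinction concrete, here is an added Python illustration (not code from the GitHub post or from the affected web server): the padding arithmetic, the constants `MAX_FRAME` and `ALIGN`, and the zero/small/large bucketing are all constructed for this example; only the idea that a single client-controlled padding value drives a divisor to zero comes from the page.

```python
MAX_FRAME = 4319  # constructed frame limit in bytes, not the real server's value
ALIGN = 8         # constructed column alignment granularity

def bucket(value):
    """Coarse value class recorded at the division site (the value-coverage signal)."""
    if value == 0:
        return "zero"
    return "small" if value < 16 else "large"

def trace_layout(padding, edges, values):
    """Per-column stride for a frame with client-chosen padding.
    `edges` collects control-flow edges (what a conventional fuzzer rewards);
    `values` collects the bucket of the divisor at the division site."""
    edges.add("entry")
    if padding < 0 or padding > MAX_FRAME:
        edges.add("reject")
        return None
    edges.add("accept")
    columns = (MAX_FRAME - padding) // ALIGN  # reaches 0 once padding >= 4312
    values.add(("columns", bucket(columns)))  # recorded before the division
    return MAX_FRAME // columns               # ZeroDivisionError when columns == 0

def run_campaign(paddings):
    """Replay inputs; return (inputs adding a new edge, inputs adding a new
    value bucket, crashing inputs) so the two feedback signals can be compared."""
    edges, values = set(), set()
    new_edge, new_value, crashes = [], [], []
    for padding in paddings:
        n_edges, n_values = len(edges), len(values)
        try:
            trace_layout(padding, edges, values)
        except ZeroDivisionError:
            crashes.append(padding)
        if len(edges) > n_edges:
            new_edge.append(padding)
        if len(values) > n_values:
            new_value.append(padding)
    return new_edge, new_value, crashes

if __name__ == "__main__":
    # Every accepted padding walks the same edges, so edge feedback keeps only the
    # first accepted and the first rejected input; value feedback also keeps 4250
    # (divisor enters the "small" bucket), which steers a fuzzer toward the crash.
    print(run_campaign([0, 100, 4000, 4250, 4312, 5000]))
```

The accepted inputs 100, 4000, 4250 and 4312 all produce an identical edge trace, which is why a purely edge-guided fuzzer has nothing to reward on the way to the zero divisor.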
## Exploitation
- Status: Several vulnerabilities were *discovered* via specialized auditing, implying they were not yet publicly exploited/known at the time of writing.
- Complexity: Varies by vulnerability. The specific divide-by-zero example required reaching a complex, specific input value.
- Attack Vector: Varies (e.g., media processing, PDF parsing).
## Impact
The impact varies per specific flaw found in GStreamer (29 vulnerabilities), Poppler, and others:
- Confidentiality: Not specified for all, but potential for information disclosure exists in media processing libraries.
- Integrity: Not specified for all.
- Availability: Demonstrated by the potential for DoS (e.g., the divide-by-zero example).
## Remediation
### Patches
- Specific patch versions are **not provided** in the text. The author notes that 29 vulnerabilities were found in GStreamer in December 2024, implying patches were subsequently released for those issues.
### Workarounds
- No specific workarounds are detailed, beyond the suggested improvement of adopting **Value Coverage** techniques during fuzzing to target value-dependent bugs missed by current methods.
## Detection
- **Detection methods and tools:**
  - **Proactive:** Improve fuzzing by implementing **Value Coverage** metrics, guiding fuzzers based on variable value ranges, not just execution paths.
  - **Supervision:** Active human oversight is required to monitor OSS-Fuzz statistics (such as coverage) and ensure the fuzzing pipeline is actually running.
## References
- Vendor advisories: Not specified in text.
- Relevant links (defanged):
  - OSS-Fuzz project: hxxps://github.com/google/oss-fuzz
  - OpenSSF Foundation: hxxps://openssf.org/
  - GStreamer OSS-Fuzz Stats: hxxps://introspector.oss-fuzz.com/project-profile?project=gstreamer
  - Poppler OSS-Fuzz Stats: hxxps://introspector.oss-fuzz.com/project-profile?project=poppler
  - GStreamer vulnerability report: hxxps://github.blog/security/vulnerability-research/uncovering-gstreamer-secrets/