[uwebsockets] OSV-2021-453.yaml seems wrong
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/uwebsockets/OSV-2021-453.yaml
The version range is from v19 to v20.8. This makes no sense since the issue does not reproduce in v20.8. The fixed commit is not in the master branch, it has been reset (probably because a better fix replaced it), yet OSS-Fuzz links to that commit and still considers the latest version v20.8 broken.
I can't trigger the issue on the OSS-Fuzz "dashboard", and now some other company has created a CVE which claims versions v19 to v20.8 are broken with a high severity issue, which is not the case.
How to fix this?
I have tested the reproducing test case and it does trigger the crash between v19.0.0a4 and v19.0.0a5, so the version range of v19 up to latest v20.8 is wrong.
Sorry for the inaccuracy here. Our list of affected versions is automatically determined from the introduced and fixed commits. Our automation infra based it off uNetworking/uWebSockets@4e4fd20, which causes confusion because it no longer exists.
Would you be able to help point to the actual fix commit for this?
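The automatic range derivation described in the comment above, as an added example (not OSS-Fuzz's or uWebSockets' own code): a toy model in which a fix commit that was reset out of the branch is reachable from no tag, so every release from the offending commit onward stays flagged, including the latest one. The commit ids come from this thread; the tag v19.1.0 and which commits each tag contains are assumptions.

```python
"""Toy model of deriving an OSV affected range from introduced/fixed commits."""

# Constructed history: each tag maps to the set of commit ids reachable from it.
# Commit ids 7b330e9 (offender), 1507f3f (real fix) and 4e4fd20 (reset commit)
# are from the thread; the membership of each tag is assumed for illustration.
TAG_ANCESTORS = {
    "v19.0.0a4": {"base0001"},
    "v19.0.0a5": {"base0001", "7b330e9"},               # offender landed here
    "v19.1.0":   {"base0001", "7b330e9", "1507f3f"},    # real fix landed here
    "v20.8.0":   {"base0001", "7b330e9", "1507f3f", "more0002"},
}
TAG_ORDER = ["v19.0.0a4", "v19.0.0a5", "v19.1.0", "v20.8.0"]


def fix_reachable(fixed):
    """Sanity check a range generator should run first: a fixed commit that is
    in no tag's history (e.g. rebased away) can never clear any release."""
    return any(fixed in ancestors for ancestors in TAG_ANCESTORS.values())


def affected_tags(introduced, fixed):
    """A tag is affected if the introducing commit is in its history and the
    fixing commit is not."""
    return [t for t in TAG_ORDER
            if introduced in TAG_ANCESTORS[t] and fixed not in TAG_ANCESTORS[t]]


def osv_events(introduced, fixed):
    """Render OSV-style events: 'introduced' at the first affected tag and
    'fixed' at the first later tag containing the fix; with no such tag the
    range stays open-ended, which is how v20.8 ended up listed as affected."""
    affected = affected_tags(introduced, fixed)
    if not affected:
        return []
    events = [{"introduced": affected[0]}]
    later = TAG_ORDER[TAG_ORDER.index(affected[-1]) + 1:]
    for tag in later:
        if fixed in TAG_ANCESTORS[tag]:
            events.append({"fixed": tag})
            break
    return events


if __name__ == "__main__":
    for fixed in ("4e4fd20", "1507f3f"):
        print(fixed, "reachable:", fix_reachable(fixed), osv_events("7b330e9", fixed))
```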
No problem, I can go through them and find the real fix
Fix is uNetworking/uWebSockets@1507f3f
Offender is uNetworking/uWebSockets@7b330e9
Thanks a bunch @alexhultman ! I updated this in bac99b4