[uwebsockets] OSV-2021-453.yaml seems wrong

Question

[uwebsockets] OSV-2021-453.yaml seems wrong

opened this issue 2 years ago · comments

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/uwebsockets/OSV-2021-453.yaml

The version range is from v19 to v20.8. This makes no sense since the issue does not reproduce in v20.8. The fixed commit is not in master branch, it has been reset (probably because a better fix replaced it) yet OSS-Fuzz links to that commit and still considers latest version v20.8 broken.

I can't trigger the issue on OSS-Fuzz "dashboard" and now some other company has created an CVE which claims version v19 to v20.8 is broken with a high severity issue which is not the case.

How to fix this?

Deleted user · Answer 1 · Tue Jan 04 2022 02:09:03 GMT+0800 (China Standard Time)

I have tested the reproducing test case and it does trigger the crash between v19.0.0a4 and v19.0.0a5, so the version range of v19 up to latest v20.8 is wrong.

Oliver Chang · Answer 2 · Wed Jan 05 2022 11:13:13 GMT+0800 (China Standard Time)

Sorry for the inaccuracy here. Our list of affected versions are automatically determined from the introduced and fixed commits. Our automation infra based it off uNetworking/uWebSockets@4e4fd20, which causes confusion because it no longer exists.

Would you be able to help point to the actual fix commit for this?

Deleted user · Answer 3 · Fri Jan 07 2022 11:23:11 GMT+0800 (China Standard Time)

No problem, I can go through them and find the real fix

Deleted user · Answer 4 · Mon Jan 17 2022 10:45:58 GMT+0800 (China Standard Time)

Fix is uNetworking/uWebSockets@1507f3f

Offender is uNetworking/uWebSockets@7b330e9

Oliver Chang · Answer 5 · Mon Jan 17 2022 18:49:16 GMT+0800 (China Standard Time)

Thanks a bunch @alexhultman ! I updated this in bac99b4