This was interesting, a minor bug report from a fuzzer was fixed incorrectly leading to a far more serious bug that the fuzzer never found. I don't know what the lesson is, but ¯\_(ツ)_/¯ /cc @hanno https://twitter.com/ProjectZeroBugs/status/1110866416494768128 …
-
Looks like we never get into `verify_crt` and other relevant stuff, there are just a few functions executed: https://storage.googleapis.com/oss-fuzz-coverage/gnutls/reports/20190325/linux/src/gnutls/lib/x509/verify.c.html …
-
Hmm, I guess that means the fuzzer was only parsing, but not verifying the DER? Oops, sounds like an easy fix though to get lots more coverage.
