[dbus] add project.yaml #8699
It's a follow-up to https://seclists.org/oss-sec/2022/q4/7 dbus is the reference implementation of D-Bus, a message bus for communication between applications and system services: https://www.freedesktop.org/wiki/Software/dbus/. It's used by default on at least Debian and Ubuntu and among other things it's also a recommended systemd runtime dependency. Combined with google#7860 it should hopefully fully cover the most popular system dbus daemons. The dbus project also provides the libdbus library used by a lot of projects directly or via various bindings so it should help to cover them too.
LGTM
Can I merge this?
@jonathanmetzman I'd wait for @smcv before merging this or rolling out any fuzz targets.
@jonathanmetzman on a somewhat related note I wonder if there're projects using CFLite to test various branches on GitLab by analogy with how
Please don't proceed with this until I have had time to look into this from the dbus side. There is currently nobody whose main job is dbus, so responding to those fuzzer-detected vulnerabilities has already taken up a lot of my time budget for dbus work recently.
I'll go ahead and close it. I fuzz dbus elsewhere.
Sorry to see this :-(
@jonathanmetzman I think if it was possible to turn off the 90-day disclosure it would be easier to bring projects like dbus to OSS-Fuzz to make it easier to fix issues at their pace. That being said even if it was possible the fuzz targets would still be public (and that would bring "researchers" running them and reporting the same issues over and over again. As far as I can remember elfutils got issues like that once its fuzz targets were integrated and libbpf has received several reports like that this month).