<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>I think we should not tie too many things to the 8.0 release,
otherwise it will never see the light. There is no such thing as a
perfect release. Fuzzing is a marathon-type of effort, not a
sprint. Even if your code base doesn't change, fuzzers might take
years to uncover some weird bugs. Although the pattern I've seen
is more like a decreasing exponential one: you get flooded by bugs
in the first weeks, and things calm down a bit then.</p>
<p>There are two parts:</p>
<p>- initial setup: for oss-fuzz, you need to setup script to do a
fully static build of libmapserver (and all its dependencies, but
you can generally use for that the static lib shipped with the
.deb development packages). And you need to write one or several
fuzzer programs that are made of one function that that accept a
"""random""" buffer and do something useful with it. In a
MapServer context, that buffer could be made of several parts:
type of request (GET/POST), XML post content if POST, content of
the QUERY_STRING (or maybe more generally KEY=VALUE environment
variables), mapfile content inlined, (resources pointed by the
mapfile?). Probably to make things simpler, a first step would be
to have just a fuzzer on the QUERY_STRING content that would
operate on a fixed mapfile, as most interesting vulnerabilities in
a mapserver context come from QUERY_STRING content (to be opposed
to bugs linked to mapfile content itself). That initial setup
isn't necessary trivial to do. In the oss-fuzz case, you can use
locally their Docker image to have things working (you known it
works when it spots the first bug. My experience with code that
hasn't been submitted to fuzzing is that it takes only a few
seconds :-) Generally some memleak in an error code path). And
then you can submit that for inclusion to the ossfuzz github repo
so that this is run continuously on google infrastructure.<br>
</p>
<p>- fix the bugs as they flow in.</p>
<p>Even<br>
<br>
</p>
<div class="moz-cite-prefix">Le 15/04/2021 à 04:50, Steve Lime a
écrit :<br>
</div>
<blockquote type="cite"
cite="mid:CAMrKZ98jmiyC5Ag04JshbC4ngH1EuLuzpC5+P6oJPcsJFkqxzw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi all: MapServer is a pretty old project
w/relatively complex code. What do folks think about making
fuzzing MapServer as part of the 8.0 release? I'd feel better
knowing that we did everything possible to deliver a stable and
secure platform for users. It seems like fuzz testing would be
particularly well suited to testing MapServer. I can't imagine
it's a trivial effort but doing so ahead of a major release
seems like the right time. I know GDAL has been through it and
maybe Even can offer some advice.
<div><br>
</div>
<div>--Steve</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
mapserver-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a>
<a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
<a class="moz-txt-link-freetext" href="http://www.spatialys.com">http://www.spatialys.com</a>
My software is free, but my time generally not.</pre>
</body>
</html>