[Development] Submitting Qt to oss-fuzz

Robert Löhning robert.loehning at qt.io
Fri Aug 31 11:31:16 CEST 2018


On 30.08.2018 at 21:30, Albert Astals Cid via Development wrote:
> On Thursday, 30 August 2018, at 8:59:40 CEST, André Pönitz wrote:
>> On Thu, Aug 30, 2018 at 08:42:11PM +0200, Albert Astals Cid via
>> Development wrote:
>>> I made a local test run of the undefined sanitizer and it found
>>> https://paste.kde.org/prkox41mx in a few seconds, so "it works"
>>>
>>> If you want to test it locally you can do
>>>   python infra/helper.py build_fuzzers --sanitizer undefined qt
>>>   python infra/helper.py run_fuzzer qt qimage_fuzzer
>>> for the undefined sanitizer and
>>>   python infra/helper.py build_fuzzers --sanitizer address qt
>>>   python infra/helper.py run_fuzzer qt qimage_fuzzer
>>>
>>> Unfortunately I have not been able to compile with the memory
>>> sanitizer enabled yet.
>>>
>>> The most important thing before submitting this upstream is
>>> changing the list of trusted addresses the private bugs get sent
>>> to.
>>>
>>> To have something written I've used my email address but I guess
>>> at least I should add eirik.aavitsland at qt.io (listed as QImage
>>> maintainer) there too? Anyone else? I am not sure how the email
>>> address thing works, but I think they need to be "google account"
>>> activated, whatever that means, so we can't use
>>> security at qt-project.org.
>>
>> That would be the natural choice.
>>
>>> On poppler I'm using my @gmail.com address and not my @kde.org address
>>> since it was just easier.
>>>
>>> Comments?
>>
>> We are not talking about an innovative approach to coerce people
>> into using Google services, right?
> 
> Maybe :D
> 
> Not really sure how it works, we can try submitting it with
> security at qt-project.org and see what happens, but first I'd like
> confirmation from them that they'll look at the errors and confirmation
> from "the project" that it's a good idea to do this.

Hi,

I was planning to do it the other way round: I registered a GMail 
address for this sole purpose and will manually forward what comes in 
there to the security list whenever needed. Of course I'd then try to 
automate this as far as possible.

Cheers,
Robert

> 
> Cheers,
>    Albert
> 
>>
>> Andre'
> 
> 



