[Development] Submitting Qt to oss-fuzz

Albert Astals Cid albert.astals.cid at kdab.com
Fri Aug 31 11:53:12 CEST 2018


On Friday, 31 August 2018, at 11:31:16 CEST, Robert Löhning wrote:
> On 30.08.2018 at 21:30, Albert Astals Cid via Development wrote:
> > On Thursday, 30 August 2018, at 8:59:40 CEST, André Pönitz wrote:
> >> On Thu, Aug 30, 2018 at 08:42:11PM +0200, Albert Astals Cid via
> >> Development wrote:
> >>> I made a local test run of the undefined sanitizer and it found
> >>> https://paste.kde.org/prkox41mx in a few seconds, so "it works"
> >>> 
> >>> If you want to test it locally you can do
> >>>   python infra/helper.py build_fuzzers --sanitizer undefined qt
> >>>   python infra/helper.py run_fuzzer qt qimage_fuzzer
> >>> for the undefined sanitizer and
> >>>   python infra/helper.py build_fuzzers --sanitizer address qt
> >>>   python infra/helper.py run_fuzzer qt qimage_fuzzer
> >>> 
> >>> Unfortunately I have not been able to compile with the memory
> >>> sanitizer enabled yet.
> >>> 
> >>> The most important thing before submitting this upstream is
> >>> changing the list of trusted addresses the private bugs get sent
> >>> to.
> >>> 
> >>> To have something written i've used my email address but i guess
> >>> at least i should add eirik.aavitsland at qt.io (listed as QImage
> >>> maintainer) there too? Anyone else?  I am not sure how the email
> >>> address thing works, but i think they need to be "google account"
> >>> activated, whatever that means, so we can't use
> >>> security at qt-project.org.
> >> 
> >> That would be the natural choice.
> >> 
> >>> On poppler i'm using my @gmail.com address and not my @kde.org address
> >>> since it was just easier.
> >>> 
> >>> Comments?
> >> 
> >> We are not talking about an innovative approach to coerce people
> >> into using Google services, right?
> > 
> > Maybe :D
> > 
> > Not really sure how it works, we can try submitting it with
> > security at qt-project.org and see what happens, but first i'd like
> > confirmation from them that they'll look at the errors and confirmation
> > from "the project" that it's a good idea to do this.
> 
> Hi,
> 
> I was planning to do it the other way round: I registered a GMail
> address for this sole purpose and will manually forward what comes in
> there to the security list whenever needed. Of course I'd then try to
> automate this as far as possible.

That works for me if it works for the project :)

Cheers,
  Albert

> 
> Cheers,
> Robert
> 
> > Cheers,
> > 
> >    Albert
> >> 
> >> Andre'
> 


-- 
Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
Klarälvdalens Datakonsult AB, a KDAB Group company
Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
KDAB - The Qt, C++ and OpenGL Experts