OSS-Fuzz integration #3961

Closed
guidovranken opened this issue Jul 9, 2019 · 16 comments

@guidovranken

I've written a fuzzer for Pillow. It is compatible with Google OSS-Fuzz.

  1. Are you interested in integrating the Pillow fuzzer into OSS-Fuzz? I will need one or more e-mail addresses, linked to a Google account, of people who ordinarily deal with security reports.
  2. My fuzzer has so far found 2 distinct denial-of-service bugs that can be triggered by loading crafted data into ImageFile.Parser(). Should I report these in the issue tracker, or via Tidelift?

Also pinging @kcc @Dor1s in case they want to object against Pillow integration into OSS-Fuzz.

@radarhere radarhere added this to Backlog in Pillow Jul 10, 2019
@Dor1s

Dor1s commented Jul 10, 2019

SGTM

@wiredfool
Member

Works for me, I’d be one getting security issues.

I’ve got a google account, but don’t receive email there. I’d prefer notifications go to the address on my GitHub profile.

@guidovranken
Author

We can add two e-mail addresses for you: the one on your Github profile at which you receive e-mail notifications, and the one linked to your Google account, which you can use to login to the OSS-Fuzz dashboard at https://oss-fuzz.com/

I'm having a little trouble compiling Pillow with custom CFLAGS, which will be necessary for OSS-Fuzz integration. Would you mind commenting on how I might get the following to work?

CC=clang CXX=clang++ CFLAGS="-fsanitize=fuzzer-no-link" CXXFLAGS="-fsanitize=fuzzer-no-link" LDSHARED=clang ./setup.py build_ext --inplace

@wiredfool
Member

This does build with the flags OMM (mojave), but linking fails because of python's symbols being missing. (there's a little futzing to make zlib show up. )

running build_ext
building 'PIL._imaging' extension
creating build/temp.macosx-10.13-x86_64-2.7
creating build/temp.macosx-10.13-x86_64-2.7/src
creating build/temp.macosx-10.13-x86_64-2.7/src/libImaging
Building using 4 processes
clang -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -I/usr/local/opt/zlib/include -fsanitize=fuzzer-no-link -DHAVE_LIBJPEG -DHAVE_OPENJPEG -DHAVE_LIBZ -DHAVE_LIBTIFF -DPILLOW_VERSION="6.1.0" -I/usr/local/Cellar/openjpeg/2.3.1/include/openjpeg-2.3 -I/Users/erics/Pillow/src/libImaging -I/usr/local/Cellar/little-cms2/2.9/include -I/usr/local/Cellar/libtiff/4.0.10_1/include -I/usr/local/Cellar/freetype/2.10.1/include/freetype2 -I/usr/local/Cellar/jpeg/9c/include -I/Users/erics/Pillow -I/usr/local/Cellar/zlib/1.2.11/include -I/Users/erics/vpy27/include -I/usr/local/include -I/usr/local/Cellar/freetype/2.10.1/include -I/usr/include -I/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c src/_imaging.c -o build/temp.macosx-10.13-x86_64-2.7/src/_imaging.o
clang -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -I/usr/local/opt/zlib/include -fsanitize=fuzzer-no-link -DHAVE_LIBJPEG -DHAVE_OPENJPEG -DHAVE_LIBZ -DHAVE_LIBTIFF -DPILLOW_VERSION="6.1.0" -I/usr/local/Cellar/openjpeg/2.3.1/include/openjpeg-2.3 -I/Users/erics/Pillow/src/libImaging -I/usr/local/Cellar/little-cms2/2.9/include -I/usr/local/Cellar/libtiff/4.0.10_1/include -I/usr/local/Cellar/freetype/2.10.1/include/freetype2 -I/usr/local/Cellar/jpeg/9c/include -I/Users/erics/Pillow -I/usr/local/Cellar/zlib/1.2.11/include -I/Users/erics/vpy27/include -I/usr/local/include -I/usr/local/Cellar/freetype/2.10.1/include -I/usr/include -I/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c src/libImaging/Bands.c -o build/temp.macosx-10.13-x86_64-2.7/src/libImaging/Bands.o
...

I'd like to note that we generally are not worried about C-level DOS/vulnerabilities that are only accessible by running python code, as if someone is able to execute arbitrary python, then you've already lost. OTOH, if someone can trigger it by loading a malformed image, that's certainly something of interest.

@guidovranken
Author

Both the vulnerabilities I've found are accessed via

from PIL import ImageFile

p = ImageFile.Parser()
p.feed(crafted_input)

One bug is in Python the other in C. Where do you want me to report them?
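A deadline-guarded harness around the entry point shown above, added here as an example (it is neither the fuzzer from this issue nor Pillow's own code): inputs that make the parser hang are reported as denial-of-service candidates instead of stalling the run. The Pillow target assumes Pillow is installed; `slow_target` and `strict_target` are constructed stand-ins used to exercise the harness without it.

```python
import signal


class Timeout(Exception):
    """Raised by the SIGALRM handler when the target overruns its budget."""


def run_with_deadline(target, data: bytes, seconds: int = 2) -> tuple:
    """Call target(data) under a SIGALRM deadline; return (verdict, detail).
    'rejected' covers the exceptions a parser raises on purpose for bad input,
    'crash' any other exception, 'timeout' a hang (denial-of-service candidate).
    POSIX, main thread only.
    """
    def on_alarm(signum, frame):
        raise Timeout()
    previous = signal.signal(signal.SIGALRM, on_alarm)
    signal.alarm(seconds)
    try:
        target(data)
        return ("ok", "")
    except Timeout:
        return ("timeout", f"no result after {seconds}s")
    except (OSError, SyntaxError, ValueError) as exc:
        return ("rejected", type(exc).__name__)
    except Exception as exc:  # the harness must survive anything the target raises
        return ("crash", f"{type(exc).__name__}: {exc}")
    finally:
        signal.alarm(0)
        signal.signal(signal.SIGALRM, previous)


def pillow_parser_target(data: bytes) -> None:
    """The entry point named in this issue, fed in chunks like a stream.
    Assumption: Pillow is installed (import deferred so the harness loads without it)."""
    from PIL import ImageFile
    parser = ImageFile.Parser()
    for start in range(0, len(data), 4096):
        parser.feed(data[start:start + 4096])
    parser.close()


def slow_target(data: bytes) -> None:
    """Constructed stand-in for a parser that never returns on crafted input."""
    while data:
        pass


def strict_target(data: bytes) -> None:
    """Constructed stand-in for a parser that rejects anything but a PNG signature."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        raise SyntaxError("not a PNG")
```

Feeding a corpus through `run_with_deadline(pillow_parser_target, sample)` separates intentional rejections from hangs and unexpected exceptions, which is the distinction the maintainers draw below between arbitrary-Python-only issues and bugs reachable from a malformed image.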

@hugovk
Member

hugovk commented Jul 17, 2019

Please report vulnerabilities via Tidelift:

This'll be the first through Tidelift, let's see how it goes.

@guidovranken
Author

I've reported my findings to Tidelift.

@radarhere
Member

google/oss-fuzz#2626 is the OSS-Fuzz PR.

@radarhere radarhere moved this from Backlog to In progress in Pillow Jul 27, 2019
@guidovranken
Author

When will you publish fixes for the bugs I submitted?

@radarhere
Member

There has been progress in this, and we now have proposed fixes.

Regarding the contacts for the fuzzer - https://github.com/google/oss-fuzz/pull/2626/files#diff-66735c16e062a5a5015a4e200966c2adR2 - I would think that we should also cc someone at Pillow?

@radarhere
Member

As noted in #4123, the fixes have been published as part of Pillow 6.2.0.

@radarhere
Member

Who would we like to be listed as contact e-mail addresses for the fuzzer? google/oss-fuzz#2626 (comment)

@radarhere
Member

I'm going to suggest security@python-pillow.org, as per #3543 (comment)

@radarhere
Member

google/oss-fuzz#2626 (comment)

Is this address linked to a Google account, or can you do that? If not, you will get e-mail notifications, but cannot see bug report contents.

@radarhere
Member

The fuzzer has now been merged.

@radarhere
Member

I've determined that security@python-pillow.org is not linked to a Google account.
