Stackoverflow [OSS-Fuzz - 50355]
Uncaught exception in java.base/java.util.ArrayList.hashCode
Stacktrace and crashing input attached.
It’s maybe a bit similar to another issue already created
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
Bug Chromium link:
Comments (10)
- changed status to open
-
The configuration is shown in the test
-
- changed status to resolved
-
For others that arrive here, it looks like this one has also had a separate public CVE created without affected or fixed versions in the description. Sigh.
https://nvd.nist.gov/vuln/detail/CVE-2022-41854
https://ossindex.sonatype.org/vulnerability/CVE-2022-41854
For now that seems to just create noise in OSSIndex which seems to treat it as “all versions” affected. Not yet analyzed by NIST NVD so not showing up on scanners - but probably more noise impending. Have contacted OSSIndex to get corrected. Will pause on contacting NIST NVD until they have analysed since it is not yet reporting as false positive there.
Looks like this was also fixed in 1.32 by the same commit as that which fixed
https://bitbucket.org/snakeyaml/snakeyaml/commits/5056a448 per my comment at https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081#comment-64144582 #531
To also note that OSSFuzz automation considered it fixed on Sep 12 when 1.32 was released: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355
-
FWIW, this has been analyzed by NIST NVD now, and they consider it fixed in 1.32 which is good, so not expecting noise from naive NVD-based scanner tooling. OSSIndex got back to me, I think their research team are still looking at it to consider its relationship to #531 and the earlier CVE-2022-38752
-
This has been updated/corrected on OSSIndex now, so the false positives should stop for this one.