Fix incorrectly-imported OSS-Fuzz issues #37
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OSV-2018-13, OSV-2024-417, OSV-2024-430, and OSV-2024-432 were all OSS-Fuzz infrastructure regressions. When OSS-Fuzz breaks MSan, which is unfortunately quite often, the result is false positive reports. OSV seems to incorrectly classify these.
OSV-2018-206 was a bug in the fuzzer, not a bug in the library.
OSV-2023-41 was a bug in the library, but one we do not consider to be a security bug as this code is not safe for use with untrusted inputs, as documented in
https://commondatastorage.googleapis.com/chromium-boringssl-docs/x509.h.html#Deprecated-config-based-extension-creation
(The regression range is also wrong because it's flagging when the fuzzer was added, but I've left that alone.)