LibreOffice leverages Google’s OSS-Fuzz

Talk about anything at all....
Post Reply
User avatar
henke54
Posts: 382
Joined: Thu Apr 02, 2009 6:10 pm
Location: Flanders Belgium

LibreOffice leverages Google’s OSS-Fuzz

Post by henke54 »

Italo Vignoli at documentfoundation.org on May 23, 2017 wrote:LibreOffice is the first free office suite in the marketplace to leverage Google’s OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice’s security processes – under Red Hat’s leadership – to significantly improve the quality of the source code.

According to Coverity Scan’s last report, LibreOffice has an industry leading defect density of 0.01 per 1,000 lines of code (based on 6,357,292 lines of code analyzed on May 15, 2017). “We have been using OSS-Fuzz, like we use Coverity, to catch bugs – some of which may turn into security issues – before the release. So far, we have been able to solve all of the 33 bugs identified by OSS-Fuzz well in advance over the date of disclosure”, says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.
Phil Muncaster at infosecurity-magazine.com on 9 May 2017 wrote:Google is urging more members of the open source community to get on board with its OSS-Fuzz initiative designed to make software more secure, after revealing the discovery of over 1000 bugs in the past five months.
OSS-Fuzz was launched in a bid to encourage more open source developers to use the fuzz testing techniques which Google claims it has employed to spot hundreds of security and stability issues in Chrome.
The automated bot army which powers OSS-Fuzz processes 10 trillion test inputs a day and in doing so, has found 264 potential security vulnerabilities in 47 open source projects over the past five months, Google claimed in a blog post.
These include: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark.
LibreOffice nutzt OSS-Fuzz zur Qualitätssteigerung
LibreOffice 6.0.7.3
on Linux Mint Mate
User avatar
acknak
Moderator
Posts: 22756
Joined: Mon Oct 08, 2007 1:25 am
Location: USA:NJ:E3

Re: LibreOffice leverages Google’s OSS-Fuzz

Post by acknak »

That's great to hear. It always seemed unfortunate that the OO code base did not (or could not) go through automated testing of some kind. I don't know if these tests apply to the older code or only to the new additions, but either way it's an important step forward.
AOO4/LO5 • Linux • Fedora 23
Post Reply