A quick note about the Chromium security review of the WOFF 2.0 reference implementation

Hi webfonts-wg members,

I heard from David Kuettel that there was some interest in our security
findings for the WOFF 2.0 reference implementation.

*So, here is a short summary:*

Chromium infrastructure is running a clusterfuzz fuzzer for WOFF 2.0
<http://www.chromium.org/Home/chromium-security/bugs/using-clusterfuzz>.
The basic concept of a fuzzer is that it tries to abuse a piece of code by
throwing various inputs at it (e.g. mutations of valid/invalid inputs).

A while ago, it found 2 classes of issues that were quickly fixed.
So far, it hasn't found anything new.

Given that these fixes have already made it to all of our users, the 2
security bugs have been made public. If you want to learn more, please head
over to these links:

   - https://code.google.com/p/chromium/issues/detail?id=329547
   - https://code.google.com/p/chromium/issues/detail?id=329258



Best regards,

Received on Monday, 23 June 2014 04:11:49 UTC
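The message above describes mutation fuzzing only in one sentence. The following is an added example, not code from the original post, from Chromium, or from the WOFF 2.0 reference implementation: a small mutation fuzzer run against a constructed toy binary format that only mimics the shape of a font container (a magic value, a table count, a table directory with declared lengths). The format, the parser functions `parse_unchecked` / `parse_checked`, and the `mutate` / `fuzz` helpers are all assumptions made for illustration. The trusting parser reads whatever the header claims and lets `struct.error` escape, which stands in for an out-of-bounds read in native code; the hardened parser validates every declared count and length against the real buffer size and rejects bad input with a controlled `ValueError`, which the harness treats as a clean rejection rather than a crash.

```python
import random
import struct

# Constructed toy format (NOT the real WOFF 2.0 layout): 4-byte magic,
# big-endian uint16 table count, then per table a 4-byte tag and uint32 length,
# followed by the concatenated table bodies.
MAGIC = b"wOF2"


def build_sample() -> bytes:
    """Constructed valid seed input for the fuzzer."""
    tables = [(b"head", b"\x01\x02\x03"), (b"glyf", b"\xaa" * 5)]
    out = bytearray(MAGIC + struct.pack(">H", len(tables)))
    for tag, body in tables:
        out += struct.pack(">4sI", tag, len(body))
    for _, body in tables:
        out += body
    return bytes(out)


def parse_unchecked(buf: bytes) -> dict:
    """Trusting parser: honours the declared table count without bounds checks."""
    if buf[:4] != MAGIC:
        raise ValueError("bad signature")  # controlled rejection
    (num_tables,) = struct.unpack_from(">H", buf, 4)  # may already overrun
    offset = 6
    tables = []
    for _ in range(num_tables):
        # A mutated count walks past the end of the buffer; struct.error here
        # is the analogue of an out-of-bounds read in a C/C++ parser.
        tag, length = struct.unpack_from(">4sI", buf, offset)
        offset += 8
        tables.append((tag, length))
    total = sum(length for _, length in tables)
    return {"tables": tables, "payload": buf[offset:offset + total]}


def parse_checked(buf: bytes) -> dict:
    """Hardened parser: every declared count/length is checked against len(buf)."""
    if len(buf) < 6 or buf[:4] != MAGIC:
        raise ValueError("bad signature or truncated header")
    (num_tables,) = struct.unpack_from(">H", buf, 4)
    offset = 6
    if len(buf) - offset < num_tables * 8:
        raise ValueError("table directory exceeds input")
    tables = []
    for _ in range(num_tables):
        tag, length = struct.unpack_from(">4sI", buf, offset)
        offset += 8
        tables.append((tag, length))
    total = sum(length for _, length in tables)
    if total > len(buf) - offset:
        raise ValueError("declared table data exceeds input")
    return {"tables": tables, "payload": buf[offset:offset + total]}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, interesting-value overwrite, insert or delete."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(parser, seeds, iterations=2000, rng_seed=1):
    """Mutate seeds repeatedly; report inputs that escape as uncontrolled exceptions."""
    rng = random.Random(rng_seed)  # fixed seed so findings are reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            parser(sample)
        except ValueError:
            continue  # malformed input rejected cleanly: not a finding
        except Exception as exc:  # anything else is what a fuzzer reports
            crashes.append((type(exc).__name__, sample))
    return crashes


if __name__ == "__main__":
    seeds = [build_sample()]
    for name, parser in (("unchecked", parse_unchecked), ("checked", parse_checked)):
        found = fuzz(parser, seeds)
        print(f"{name}: {len(found)} crashing inputs")
        if found:
            print("  first:", found[0][0], found[0][1].hex())
```

A real campaign (clusterfuzz included) differs in scale and instrumentation rather than in principle: many more iterations, coverage feedback to keep interesting mutants as new seeds, and sanitizers so that a native out-of-bounds read is reported instead of silently succeeding. The crashing inputs the harness collects are exactly the artefacts you would minimise and attach to a bug report like the two referenced above.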