Ruby

Kamil Frankowicz wrote:

After some fuzz testing I found a crashing test case.

Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.

Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such thing.

Shyouhei Urabe wrote:

Kamil Frankowicz wrote:

After some fuzz testing I found a crashing test case.

Great... I can reproduce this. Not sure if this is an "infinite" recursion or just too deep to run on my machine, though.

Do you run a fuzz test for ruby or for your project? If this is something disclosable please do so, because currently ruby lacks such thing.

I fuzz ruby (in this case miniruby binary) with American Fuzzy Lop fuzzer (http://lcamtuf.coredump.cx/afl/). My testing corpus contains files from various open source projects written in ruby. It's all :-)

This is CVE-2017-6181.

Thank you again for the useful information. Will consider using the fuzzer and hopefully integrate into our test suite if possible/allowed.