Security: another round of security fixes at libxml
Issue description

There are more vulnerabilities in libxml not fixed yet. Let it be a tracking bug for future updates.

Opened issues (access to bugzilla links is likely to be restricted):

1) heap-buffer-overflow in htmlCurrentChar after encoding failure (https://bugzilla.gnome.org/show_bug.cgi?id=765468)
2) libxml2 heap-buffer-overflow in htmlCurrentChar (https://bugzilla.gnome.org/show_bug.cgi?id=764615)
3) Fixing libxml2 format string warnings reveals possible user-controlled format string vulnerability (https://bugzilla.gnome.org/show_bug.cgi?id=761029)
4) heap-buffer-overflow in xmlParseEndTag2 (https://bugzilla.gnome.org/show_bug.cgi?id=758549)
5) heap-buffer-overflow in xmlParseMisc (https://bugzilla.gnome.org/show_bug.cgi?id=756525)
6) Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex (https://bugzilla.gnome.org/show_bug.cgi?id=766956)
7) Infinite recursion in parser.c (https://bugzilla.gnome.org/show_bug.cgi?id=759495 and https://bugzilla.gnome.org/show_bug.cgi?id=759579)

The list may not be too accurate, but this is what I see.
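Item 3 above (bug 761029) is the bug class where turning on compiler format-string warnings shows document-derived text reaching a printf-style format argument. The C below is an added illustration of that class and of the usual fix; it is not libxml2 code and not the patch from that bug. The names error_sink, report_unsafe, report_safe and has_format_directive are hypothetical, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer standing in for the output of a printf-style error callback. */
static char g_last_msg[256];

/* Hypothetical generic error sink that takes a printf-style format, the
 * shape of an error callback that is the usual source of this bug class.
 * In real code such a sink is declared with a printf format attribute,
 * which is what lets -Wformat-security flag the unsafe call below. */
static void error_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_last_msg, sizeof g_last_msg, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: text taken from the parsed document (attacker
 * controlled) is handed to the sink as the FORMAT argument. If the text
 * contains '%' directives the sink reads stack garbage, or writes through
 * %n; that is undefined behaviour. Only call this with '%'-free input. */
const char *report_unsafe(const char *text_from_document)
{
    error_sink(text_from_document);
    return g_last_msg;
}

/* Fixed pattern: the format is a literal and the document text is an
 * ordinary argument, so any '%' in it is copied verbatim. */
const char *report_safe(const char *text_from_document)
{
    error_sink("%s", text_from_document);
    return g_last_msg;
}

/* Defensive check for a call site that cannot be rewritten right away:
 * returns 1 if s contains a conversion directive, i.e. a '%' that is not
 * the escape "%%". A lone trailing '%' also counts as a directive. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is an escaped percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *benign  = "element name";   /* constructed sample input */
    const char *hostile = "%s%s%s%n";       /* constructed sample input */

    /* The fixed path prints the hostile text literally. */
    printf("safe  : %s\n", report_safe(hostile));
    /* The unsafe path looks identical on benign input, which is why
     * the bug survives testing until a compiler warning points at it. */
    printf("unsafe: %s\n", report_unsafe(benign));
    if (has_format_directive(hostile))
        printf("refusing to pass hostile text as a format\n");
    return 0;
}
```

The check in has_format_directive is a stopgap for auditing call sites; the actual fix is the literal-format form in report_safe, which is what a -Wformat-security cleanup produces.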
May 31 2016

Jun 1 2016

Jun 2 2016
I'm ready and able to do this, but I don't see any upstream commits. I'll monitor it, but if you see something available, please ping.
Jun 2 2016

Jun 2 2016

Jun 2 2016
Changing labels to move this out of the security sheriff triage queue, since this is meant to be a broader tracking bug.
Jun 16 2016

Jun 16 2016
You may also want to keep an eye on:

Bug 763686: multiple heap overflow vulnerabilities in html parse functions <https://bugzilla.gnome.org/show_bug.cgi?id=763686> - Reporter uploaded zip of ~3000 test cases that crash under ASan on a public bug.

Bug 764427: CVE-2016-2073: Buffer overread in xmlDictLookup with POC <https://bugzilla.gnome.org/show_bug.cgi?id=764427> - Filed based on mail to sos-security mailing list. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073>
Jun 17 2016
Here is how I understand the current status:

Fixed in 2.9.4, which Chromium has rolled: gnome:761029, gnome:764427

Apparently fixed, but not verified: gnome:758549, gnome:756525. mmoroz, could you help verify these and comment upstream?

Has upstream patches we could try to monkey patch and roll: gnome:764615, gnome:765468. Security ppl/mmoroz: these bugs are private upstream; what's the procedure here? Is it OK to commit these proposed patches to Chromium?

No fix upstream--needs fixes: gnome:766956 / Issue 620679, gnome:767734 / Issue 616698

Needs to be *filed*/deduped upstream: Issue 603486, Issue 619006

The rest: gnome:763686 is a big public disclosure of ASAN test cases that hasn't been sorted through. gnome:759495, gnome:759579: a couple of infinite recursion bugs. Limited impact?
Jun 17 2016
gnome:758549 - Cannot reproduce with Chromium version (2.9.4).

gnome:756525 - Cannot reproduce with Chromium version (2.9.4).

Regarding gnome:764615 and gnome:765468, it looks like we don't use the HTML parser from libxml (htmlReadDoc(), htmlReadFile(), htmlReadMemory()). This is also why we don't have a fuzzer for that parser. Given that, I'm not sure if it makes sense to use separate patches, or maybe we just wait for the next release. Also, we had an email thread about embargo dates, so it would probably be better to wait.

gnome:763686 - Sadly, this is public, but those testcases should not affect Chromium since we don't use the HTML parser.

gnome:759495, gnome:759579 - since it is only DoS, I guess they are the lowest priority of the known issues.
Jan 13 2017
I think the only remaining bugs of interest are gnome:759495 and gnome:759579. Given the lower priority (DoS) and that neither of them repro in Chrome 55.0.2883.87 (Official Build) (64-bit), I think I will mark this bug fixed. Please push back if I got that wrong.
Jan 13 2017

Apr 21 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 31 2016