"The initial results confirm our investment hypothesis, and we're excited to learn more as we open for [more] applications," Mozilla said.
The audit found 29 vulnerabilities in PCRE, of which one was rated critical, five as medium, 20 as low, and three as informational. The critical vulnerability was a stack buffer overflow that could have led to arbitrary code execution when compiling untrusted regular expressions, according to the report. All of the issues, except a low-severity bug, have been fixed in PCRE 10.21.
The libjpeg library, which is used by several well-known open source projects such as Chrome, LibreOffice, Firefox, and other flavors of VNC, contained five vulnerabilities. One was rated as high severity, two as medium, and two as low. The high-severity flaw was an out-of-bounds read that may not be exploitable. The two medium-severity flaws were originally flagged as denial-of-service issues, but turned out to be issues with the JPEG standard, and affect multiple JPEG implementations. The issues "can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself," according to the audit report, which contains suggestions as to how applications using JPEG can mitigate them in their own code. Other than the issues in the JPEG standard, all of the bugs have been fixed in libjpeg-turbo stable version 1.5.
Finally, phpMyAdmin had nine different flaws, three of them medium severity, five low, and one informational. Two issues have been partially fixed, and the remaining seven have been fixed in phpMyAdmin 4.6.2.
Supporting open source software security
Mozilla is not saying this initiative alone will fix the application security problem for open source. Security is a multistep process that requires increased investments in areas such as education and best practices. The SOS Fund will provide needed short-term benefits and industry momentum to help strengthen open source projects, Mozilla said.
The SOS Fund is intended to complement the Linux Foundation's Core Infrastructure Initiative, said Chris Riley, head of public policy at Mozilla. CII focuses on deeper investments into open source software that is used in critical applications, such as supporting infrastructure costs, development efforts, and governance. The SOS Fund's audits and remediation work aids open source software projects in the ecosystem with "lower-hanging fruit security needs," he said.
"To have substantial and lasting benefit, we need a broad range of solutions, including audits, education, best practices, and a host of others," Riley said.
As WhiteHat Security's Setu Kulkarni noted, The SOS Fund is a "step in the right direction," but it's not a stand-alone process. Security data needs to be incorporated into a risk-based application security program.
Sign up for CIO Asia eNewsletters.