A recent memory corruption vulnerability in OpenSSL’s punycode parser has prompted questions in the security community about the absence of a fuzzer for the punycode parser and whether the lessons of Heartbleed have been learned. In the developers’ defence, OpenSSL’s source tree already contains a fuzz-testing harness for X.509. However, that fuzzer did not adequately cover the “verify_chain” and “build_chain” code, and the harness had to be modified to reach them. Suggested remedies include writing dedicated fuzzers for individual functions and improving coverage of X509_verify_cert. Measuring that coverage is intricate and relies on tools such as the Introspector. Thanks to Hanno and colleagues for inspiration and assistance.
http://allsoftwaresucks.blogspot.com/2022/11/why-cve-2022-3602-was-not-detected-by.html