Of all the super nuts things I have seen with #ChatGPT, this is the most superly nuts-est, and I am seriously interested in what others think is going on here.

ChatGPT claims to have run my student @lremes's #distributed #fuzzer. It claims to have *found a specific bug* in libpng, which we know is real. And it *suggested stuff to add to his README*.

The crazy thing about the bug it claims to have found is that this is the *same* bug Luciano found by actually running the fuzzer. That bug *is* in a CVE, but there is not anything up on the web indicating that *this* fuzzer can find *this* bug. ChatGPT even produces a nice summary of the bug (probably taken from the CVE).

So what's probably going on here? Did it actually run this fuzzer, interpret the crashes it found, and successfully connect them to a CVE? Seems amazing if true, but highly unlikely. Or did it find some other way to (correctly) guess what bug would be found? More plausible, but still pretty wild.

And it clearly did actually go through the github repo, which has only been online a few weeks, since it suggested expanding the README with stuff that is only in the library.

This is wild.

https://twitter.com/cybergenik/status/1601868158297833473

Fuzzing folks, what do you think?

@regehr @eeide @snagy @gannimo

@ricci @eeide @snagy @gannimo no idea but this is the kind of thing that will send @moyix on like a 3-week-long wild goose chase so let's just get that started right now

@ricci @eeide @snagy @gannimo @moyix but also isn't it impossible that it ran the software? I mean it's a language model, not an actor with direct connections to software (I hope)

@regehr @eeide @snagy @gannimo @moyix

Yeah, I think that's right. But, in playing around with it, it has *also* told me that it can't fetch stuff that wasn't in its training set, which is supposedly from last year, but it clearly did that here since this code wasn't even written until a few weeks ago.

So sure, I think that "it actually ran the software" is highly, highly unlikely, but it clearly it does some stuff that it will at least tell you that it can't do.

@ricci @regehr @eeide @gannimo @moyix

Yeah I'm also doubtful that it ran the code. Could the answer be influenced by "I've run your fuzzer" forum discussions being in its training data?

@snagy @regehr @eeide @gannimo @moyix

Probably, it does have such stuff in its training set. I guess maybe because he was so specific about the libpng version, that version is directly mentioned in the CVE and it made the link that way?

@ricci @regehr @eeide @gannimo @moyix

That's my guess too – the latest libpng is 1.6.39, so 1.2.56 is pretty old. Most likely the vulnerability report / discussion of a fuzzer finding it is in its training set