This issue was moved to a discussion.

How to deal with libc crate bugs? #154


Closed
Shnatsel opened this issue Sep 7, 2019 · 5 comments
Comments

Shnatsel (Member) commented Sep 7, 2019

Here is a buffer overflow in libc: rust-lang/libc#1501

However, it is exceedingly unlikely that anyone would actually write code that actually makes it exploitable, i.e. manipulates the len in that struct based on an attacker-controlled value.

libc is a transitive dependency of everything ever, so if we file an advisory we would spam people and cause a lot of churn for an issue that's unlikely to be triggered in practice. On the other hand, this leaves a potential vulnerability unreported. Thoughts?

tarcieri (Member) commented Sep 7, 2019

Capturing nuances like low exploitability is something I was hoping to do with CVSS scores, although they're not supported in any current cargo-audit release, and for that to be useful here we'd have to set a default severity threshold which would ignore these sorts of advisories, making them of dubious value.

Beyond that, it's the sort of thing it'd be nice to have a call graph analysis for: rustsec/rustsec#89

Shnatsel (Member, Author) commented Sep 7, 2019

I would not rely too much on graph analysis because people will need to analyze binaries as well (in fact I expect that to become the primary consumption mode of rustsec eventually) and call graph analysis on compiled binaries is impossible.

alex (Member) commented Sep 7, 2019 via email

Shnatsel (Member, Author) commented Sep 7, 2019

GitHub is great, but GitHub is not where the software is being actually used. Updating GitHub sources doesn't actually fix any binaries that people actually run. And tracking down the exact source for whatever you're running is much too cumbersome for people to bother. Hence rust-audit.

I imagine this audit model will get a boost from e.g. cloud providers scanning people's Docker containers and VM images.

pinkforest (Contributor) commented

I'll convert this to a discussion as we got these old issues - keen to get them cleaned up, and this seems like something we cannot act on too much with any advisory.

@rustsec rustsec locked and limited conversation to collaborators Aug 13, 2022
@pinkforest pinkforest converted this issue into discussion #1347 Aug 13, 2022
