If your @rustlang code uses std::mem::uninitialized() and can panic while referencing uninitialized memory, it's a potential security vulnerability: https://twitter.com/RustSec/status/1151587254990602240 …
-
I would lean toward not even issuing security advisories for stuff like this, but if we have to then I think we should specify the severity. e.g.:
• Very Low: No known vulnerable code, code exec does not seem possible
• Low: No known vulnerable code but RCE theoretically possible OR only DoS possible in the wild
• Medium and above: Known vulnerable code, RCE at least theoretically possible
-
Here's an alternative which may allow us to eliminate false positives for this sort of advisory: https://twitter.com/RustSec/status/1153825729324339200 …
-
Yes! This is very cool. I’m really glad to see work done in the area of “fuzzing procedure calls implemented with unsafe code”. Syzkaller is in the same vein. All languages should have this infrastructure. JVM should have a JNI fuzzer; likewise C# and PInvoke, Python, etc.