There was a situation last year when we had to think about this -- a core API was thought to be broken (it wasn't) because there were memory issues in that API showing up very rarely in Firefox crash reports.
-
Assuming that panned out, the bigger question for me is whether that would be a CVE in Firefox, or the language that promised to prevent it in the first place (or both). But then that leads to the question of should it be a CVE for the language even if no app was known affected.
-
I've thought about this / talked with Rust peeps. The CVE would be for any vulnerable code - so projects would issue CVEs so that downstream consumers would be notified. But this leaves a gap between Rust soundness hole -> projects. CVEs are the wrong fit - need something else.
-
Is it though? CVEs are for informing you that your application/server might be vulnerable. If your application is compiled with 1.26.0-1.27.0, you might be vulnerable.
-
I think all the CVEs are used up. I have several friends who participate in recreational fuzzing and they can't seem to get them anymore.
-
depends, imo too permissive borrowck? nah the fact that float casts have UB? yeh