Legit question: When Rust accidentally permits a program with memory unsafety, should that have a CVE?
Assuming that panned out, the bigger question for me is whether that would be a CVE in Firefox, or the language that promised to prevent it in the first place (or both). But then that leads to the question of should it be a CVE for the language even if no app was known affected?
It would not have been a CVE for Firefox most likely because it seemed unexploitable. But it could have been. It would have been a CVE for Rust and some applications using it where that API was user-facing in a way that *was* exploitable.
Gotcha. So do you think the two match_default_binding issues are at all justifiable for one?