Legit question: When Rust accidentally permits a program with memory unsafety, should that have a CVE?
Is it though? CVEs are for informing you that your application/server might be vulnerable. If your application is compiled with 1.26.0-1.27.0, you might be vulnerable.
-
Maybe? I agree that there must be some way of notifying developers of soundness issues - I've always felt that "I-unsound" is far too hidden.
-
For a Rust CVE, I think a stronger requirement is needed. Not just 'we might not have checked your code well enough' but that this could be effectively exploited by (say) some malicious third-party code you used, to do things you were relying on the check to prevent.