1. 13
    1. 1

      We don’t want to get submissions for every CVE and, if we do get CVEs, we probably want them tagged security.

      1. 16

        while I agree with you in this case, I don’t particularly like the “I speak for everyone” stance you seem to be taking here.

        1. 9

          This one is somewhat notable for being the first (?) RCE in Rust, a very safety-focused language. However, the CVE entry itself is almost useless, and the previously-linked blog post (mentioned by @Freaky) is a much better article to link and discuss.

          1. 4

            Second. There was a security vulnerability affecting rustdoc plugins.

        2. 4

          Do you think an additional CVE tag would make sense? Given there’s upvotes some people seem to be interested.

          1. 2

            That’d be a good meta tag proposal thread.

          2. 4

            Yeah, I’d rather not have them at all. Maybe a detailed, tech write-up of discovery, implementation, and mitigation of new classes of vulnerability with wide impact. Meltdown/Spectre or Return-oriented Programming are examples. Then, we see only the deep stuff with vulnerability-listing sites having the regular stuff for people using that stuff.

            1. 5

              seems like a CVE especially arbitrary code execution is worth posting. my 2 cents

              1. 5

                There are a lot of potentially-RCE bugs (type confusion, use after free, buffer overflow write), if there was a lobsters thread for each of them, there’d be no room for anything else.

                Here’s a list a short from the past year or two, from one source: https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type%3DBug-Security+label%3AStability-Memory-AddressSanitizer&sort=-modified&colspec=ID+Type+Component+Status+Library+Reported+Owner+Summary+Modified&cells=ids

                1. 2

                  i’m fully aware of that. What I was commenting on was Rust having one of these RCE-type bugs, which, to me, is worthy of discussion. I think its weird to police these like their some kind of existential threat to the community, especially given how much enlightenment can be gained by discussion of their individual circumstances.

                  1. [Comment removed by author]

                    1. 4

                      Rust is not and never claimed to be perfect. On the other hand, Rust is and claims to be better than C++ with respect to security vulnerabilities.

                      1. 0

                        It claims few things - from the rustlang website:

                        Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.

                        None of those claims are really true.

                        It’s clearly not fast enough if you need unsafe to get real performance - which is the reason this cve was possible.

                        It’s clearly not preventing segfaults - which this cve shows.

                        It also can’t prevent deadlocks so it is not guaranteeing thread safety.

                        I like rustlang but the claims it makes are mostly incorrect or overblown.

                        1. 2

                          Unsafe Rust is part of Rust. I grant you that “safe Rust is blazingly fast” may not be “really true”.

                          Rust prevents segfaults. It just does not prevent all segfaults. For example, a DOM fuzzer was run on Chrome and Firefox and found segfaults, but the same fuzzer run for the same time on Servo found none.

                          I grant you on deadlocks. But “Rust prevents data race” is true.

                      2. 2

                        I’m just going to link my previous commentary: https://lobste.rs/s/7b0gab/how_rust_s_standard_library_was#c_njpoza