GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Wolf480pl (wolf480pl@mstdn.io)'s status on Monday, 04-Mar-2024 21:45:57 JST

    CVSS scores are such bullshit!

    > if you use this Rust library in a clearly wrong way, you will be able to introduce UB into your program without using the `unsafe` keyword
    > also this library is a pain to use

    CVSS 9.8 critical!

    In conversation about a year ago from mstdn.io
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 04-Mar-2024 21:45:56 JST
      in reply to

      @wolf480pl yeah, for me CVSS ought to be dropped for better metadata like tags, where you could /dev/null anything about undefined_behavior (let's be honest, it doesn't matter outside of static analysis).

      In conversation about a year ago
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 04-Mar-2024 21:56:07 JST
      in reply to
      @wolf480pl Plus like, in practice, if the issue is your *library* getting exploited by code in the application, you've lost by design, there's *no* isolation between ~modules.
      In conversation about a year ago
    • Wolf480pl (wolf480pl@mstdn.io)'s status on Monday, 04-Mar-2024 21:56:08 JST
      in reply to Haelwenn /элвэн/ :triskell:

      @lanodan a sufficiently creative compiler can turn any UB into an RCE, but like... researchers should be required to show a PoC of that RCE

      In conversation about a year ago
    • Wolf480pl (wolf480pl@mstdn.io)'s status on Monday, 04-Mar-2024 22:05:53 JST
      in reply to Glitch

      @glitch it's more of a "language marketed as idiot-proof turns out to not be idiot-proof"

      In conversation about a year ago
      Haelwenn /элвэн/ :triskell: likes this.
    • Glitch (glitch@pl.glitch.pm)'s status on Monday, 04-Mar-2024 22:05:55 JST
      in reply to
      @wolf480pl is this the rust version of "regex DDoS attack in nodejs library"?
      In conversation about a year ago
    • iced depresso (icedquinn@blob.cat)'s status on Sunday, 10-Mar-2024 08:14:24 JST
      in reply to
      @wolf480pl i feel like at some point people are going to learn that rust code on the wire is just as unsafe as C code, given the safeties exist up in the borrow checker and not in the libraries.
      In conversation about a year ago
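As an added illustration of the advisory excerpt quoted in the first post (example code written for this page, not code from any poster and not from any real crate; the `Samples` type, its methods, `sum_indices` and the sample data are all invented for the illustration): a library function declared safe that internally trusts an unchecked index lets purely safe caller code reach undefined behaviour, and the two sound ways to close that hole are to make the function an `unsafe fn` with a documented contract, or to check the invariant and refuse bad input.

```rust
// Added example (hypothetical crate, not any library discussed in the thread):
// a *safe* API through which a caller can reach UB without writing `unsafe`,
// next to the two sound fixes.

/// Hypothetical fixed-size sample buffer exported by a library.
pub struct Samples {
    data: Vec<u8>,
}

impl Samples {
    pub fn new(data: Vec<u8>) -> Self {
        Samples { data }
    }

    /// UNSOUND: declared `fn`, not `unsafe fn`, yet it trusts `i` blindly.
    /// `get_unchecked` on an out-of-range index is undefined behaviour, so a
    /// caller triggers UB with purely safe code: `s.get_fast(1_000_000)`.
    /// This is the shape of bug the quoted advisory describes.
    pub fn get_fast(&self, i: usize) -> u8 {
        // SAFETY (missing!): nothing here guarantees i < self.data.len()
        unsafe { *self.data.get_unchecked(i) }
    }

    /// Sound fix 1: keep the fast path but push the obligation to the caller
    /// *and make it visible*. The caller must now write `unsafe { ... }`,
    /// which is exactly what an auditor greps for.
    ///
    /// # Safety
    /// `i` must be less than `self.len()`.
    pub unsafe fn get_unchecked(&self, i: usize) -> u8 {
        debug_assert!(i < self.data.len());
        // SAFETY: upheld by the caller per the contract above.
        unsafe { *self.data.get_unchecked(i) }
    }

    /// Sound fix 2: check the invariant. No UB is reachable from safe code.
    pub fn get(&self, i: usize) -> Option<u8> {
        self.data.get(i).copied()
    }

    pub fn len(&self) -> usize {
        self.data.len()
    }
}

/// Application-side safe code using the checked API: a bad index is an
/// `Err(index)`, not a memory-safety bug.
pub fn sum_indices(s: &Samples, idx: &[usize]) -> Result<u64, usize> {
    let mut total = 0u64;
    for &i in idx {
        total += s.get(i).ok_or(i)? as u64;
    }
    Ok(total)
}

fn main() {
    // Constructed sample data.
    let s = Samples::new(vec![10, 20, 30]);
    println!("{:?}", sum_indices(&s, &[0, 2])); // Ok(40)
    println!("{:?}", sum_indices(&s, &[0, 7])); // Err(7)
    // `s.get_fast(7)` compiles without `unsafe` in this file and is UB, so it
    // is deliberately not executed here; under Miri (`cargo miri run`) that
    // call is reported as an out-of-bounds access.
}
```

The keyword matters for auditability rather than for the bug itself: with fix 1 every caller that takes on the obligation has to write `unsafe { }`, so a search for `unsafe` finds the places to review; with fix 2 there is nothing to find. Miri only reports the `get_fast(7)` read if some test actually exercises it, which is where a proof-of-concept, as opposed to a score, would come from.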

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.
