Most active commenters
  • nicce(7)
  • arp242(4)

←back to thread

Libxml2's "no security embargoes" policy

(lwn.net)
278 points jwilk | 27 comments | 25 Jun 25 19:36 UTC | HN request time: 2.063s | source | bottom
Show context
arp242 ◴[25 Jun 25 22:06 UTC] No.44382233[source]
A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

Things like "panics on certain content" like [1] or [2] are "security bugs" now. By that standard anything that fixes a potential panic is a "security bug". I've probably fixed hundreds if not thousands of "security bugs" in my career by that standard.

Barely qualifies as a "security bug" yet it's rated as "6.2 Moderate" and "7.5 HIGH". To say nothing of gazillion "high severity" "regular expression DoS" nonsense and whatnot.

And the worst part is all of this makes it so much harder to find actual high-severity issues. It's not harmless spam.

[1]: https://github.com/gomarkdown/markdown/security/advisories/G...

[2]: https://rustsec.org/advisories/RUSTSEC-2024-0373.html

replies(13): >>44382268 #>>44382299 #>>44382855 #>>44384066 #>>44384368 #>>44384421 #>>44384513 #>>44384791 #>>44385347 #>>44385556 #>>44389612 #>>44390124 #>>44390292 #
1. nicce ◴[25 Jun 25 22:11 UTC] No.44382268[source]
> A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

That is not true at all. Availability is also critical. If nobody can use bank accounts, bank has no purpose.

replies(5): >>44382300 #>>44382443 #>>44382474 #>>44382869 #>>44383755 #
2. bogeholm ◴[25 Jun 25 22:17 UTC] No.44382300[source]
Security and utility are separate qualities.

You’re correct that inaccessible money are useless, however one could make the case that they’re secure.

replies(4): >>44382341 #>>44382350 #>>44382887 #>>44383068 #
3. nicce ◴[25 Jun 25 22:26 UTC] No.44382341[source]
I think you are only considering the users - for the business provider the availability has larger meaning because the lack of it can bankrupt your business. It is about securing operations.
replies(3): >>44382398 #>>44382482 #>>44382532 #
4. marcusb ◴[25 Jun 25 22:27 UTC] No.44382350[source]
https://www.sentinelone.com/cybersecurity-101/cybersecurity/...
5. leni536 ◴[25 Jun 25 22:36 UTC] No.44382398{3}[source]
Virtually all bugs have some cost. Security bugs tend to be more expensive than others, but it doesn't mean that all very expensive bugs are security bugs.
6. antonymoose ◴[25 Jun 25 22:41 UTC] No.44382443[source]
I routinely handle regex DoS complaints on front-end input validation…

If a hacker wants to DoS their own browser I’m fine with that.

replies(2): >>44382485 #>>44382527 #
7. arp242 ◴[25 Jun 25 22:45 UTC] No.44382474[source]
Many of these issues are not the type of issues that will bring down an entire platform; most are of the "if I send wrong data, the server will return with a 500 for that request" or "my browser runs out of memory if I use a maliciously crafted regexp". Well, whoopdeedoo.

And even if it somehow could, it's 1) just not the same thing as "I lost all my money" – that literally destroys lives and the bank not being available for a day doesn't. And 2) almost every bug has the potential to do that in at least some circumstances – circumstances with are almost never true in real-world applications.

replies(1): >>44382589 #
8. em-bee ◴[25 Jun 25 22:46 UTC] No.44382482{3}[source]
not paying rent can get you evicted. and not paying your medical bill can get you denied care. (in china most medical care is not very expensive, but every procedure has to be paid in advance. you probably won't be denied emergency care so your life would not be in immediate danger, but sometimes an optional scan discovers something life threatening that you weren't aware of so not being able to pay for it can put you at risk)
9. Onavo ◴[25 Jun 25 22:46 UTC] No.44382485[source]
Until the same library for their "isomorphic" backend..
replies(1): >>44382895 #
10. nicce ◴[25 Jun 25 22:52 UTC] No.44382527[source]
This depends on the context to be fair. Front-end DoS can suddenly expand into botnet DDoS if you can trigger it by just serving a specific kind of URL. E.g. search goes into endless loop that makes requests into the backend.
replies(1): >>44384851 #
11. arp242 ◴[25 Jun 25 22:52 UTC] No.44382532{3}[source]
If a panic or null pointer deref in some library causes your entire business to go down long enough that you go bankrupt, then you probably deserve to go out of business because your software is junk.
replies(1): >>44382657 #
12. nicce ◴[25 Jun 25 23:00 UTC] No.44382589[source]
> Many of these issues are not the type of issues that will bring down an entire platform; most are of the "if I send wrong data, the server will return with a 500 for that request" or "my browser runs out of memory if I use a maliciously crafted regexp". Well, whoopdeedoo.

I wouldn't personally classify these as denial of service. They are just bugs. 500 status code does not mean that server uses more resources to process it than it typically does. OOMing your browser has no impact to others. These should be labeled correctly instead of downplaying the significance of denial of service.

Like I said in my other comment, there are two entities - the end-user and the service provider. The service provider/business loses money too when customers cannot make transactions (maybe they had promise to keep specific uptime and now they need to pay compensations). Or they simple get bankrupted because they lost their users.

Even customers may lose money or something else when they can't make transactions. Or maybe identification is based on bank credentials on some other service. The list goes on.

replies(1): >>44383552 #
13. nicce ◴[25 Jun 25 23:10 UTC] No.44382657{4}[source]
I believe you know well that bankrupt is the worst case. Many business functions can be so critical that 24h disturbance is enough to cause high financial damages or even loss of life. A bug in the car's brakes that prevents their usage is also denial of service.
replies(1): >>44382731 #
14. arp242 ◴[25 Jun 25 23:23 UTC] No.44382731{5}[source]
Or 24h disturbance. Or indeed taking the entire system down at all.

And no one is talking about safety-critical systems. You are moving the goalposts. Does a gas pedal use a markdown or XML parser? No.

replies(1): >>44383023 #
15. p1necone ◴[25 Jun 25 23:48 UTC] No.44382869[source]
I think it's context dependent whether DoS is on par with data loss/extraction, including whether it's actually a security issue or not. I would argue DoS for a bank (assuming it affects backend systems and not just the customer portal) would be a serious security issue given the kinds of things it could impact.
16. hsbauauvhabzb ◴[25 Jun 25 23:51 UTC] No.44382887[source]
Inability for drug dispensers to dispense life saving drugs due to DoS has failed utility and will cost lives, would you describe that as secure?
17. hsbauauvhabzb ◴[25 Jun 25 23:51 UTC] No.44382895{3}[source]
Server side rendering is all the rage again, so yeah it might be.
18. nicce ◴[26 Jun 25 00:12 UTC] No.44383023{6}[source]
The point was about the importance of availability.

> Does a gas pedal use a markdown or XML parser? No.

Cars in general use, extensively: https://en.wikipedia.org/wiki/AUTOSAR

replies(2): >>44383882 #>>44385743 #
19. burnt-resistor ◴[26 Jun 25 00:21 UTC] No.44383068[source]
Define what you mean by "security".

Control integrity, nonrepudiation, confidentiality, privacy, ...

Also, define what you mean by "utility" because there's inability to convert a Word document, inability to stop a water treatment plant from poisoning people, and ability to stop a fire requiring "utility".

20. bawolff ◴[26 Jun 25 01:55 UTC] No.44383552{3}[source]
> I wouldn't personally classify these as denial of service. They are just bugs. 500 status code does not mean that server uses more resources to process it than it typically does

Not necessarily. 500 might indicate the process died, which might take more resources to startup, have cold cache, whatever. If you spam that repeatedly it could easily take down the site.

I agree with your point broadly though that the risk of such things are grossly overstated, but i think we should be careful about going in the opposite direction too far.

replies(1): >>44383721 #
21. nicce ◴[26 Jun 25 02:28 UTC] No.44383721{4}[source]
> Not necessarily. 500 might indicate the process died, which might take more resources to startup, have cold cache, whatever. If you spam that repeatedly it could easily take down the site

That is true, but the status code 500 alone does not reveal that; it is speculation. Status codes are not always used correctly. It is typically just indicator to dig deeper. There might be a security issue, but the code itself is not enough.

Maybe this just the same general problem of false positives. Proving something requires more effort and more time and people tend to optimise things.

replies(1): >>44383877 #
22. SchemaLoad ◴[26 Jun 25 02:35 UTC] No.44383755[source]
If every single bug in libxml is a business ending scenario for the bank, then maybe the bank can afford to hire someone to work on those bugs rather than pestering a single volunteer.
23. bawolff ◴[26 Jun 25 03:07 UTC] No.44383877{5}[source]
True, but in the context of the article we are talking about null pointer dereference. That is almost certainly going to cause a segfault and require restarting the process.
24. int_19h ◴[26 Jun 25 03:10 UTC] No.44383882{7}[source]
Great, then we have someone with both resources and an incentive to write and maintain an XML parser with strict availability guarantees.
replies(1): >>44385769 #
25. talkin ◴[26 Jun 25 06:51 UTC] No.44384851{3}[source]
No. The Regex DoS class of bugs is about infinite backtracking or looping inside the regex engine. Completely isolated component, just hogging CPU inside the regex engine. It may also have ‘DoS’ in its name, but there’s no relation to network (D)DoS attacks.

It could still be a security error, but only if all availability errors are for that project. But after triage, the outcome is almost always “user can hang own browser on input which isn’t likely”. And yes, it’s a pity I wrote ‘almost’, which means having to check 99% false alarms.

26. fodkodrasz ◴[26 Jun 25 09:45 UTC] No.44385743{7}[source]
AUTOSAR xml-s are compile-time/integration time toolchain metadata mostly in my memory.

Yet this is off topic for the libxml funding/bug debate.

For embedded mission critical C libxml is surely unsuitable, just like 99.99% of the open source third party code. Also unneeded. If crashes the app on the developer machine or in the build pipeline if it runs out of memory? Who cares (from a safety point of view)? That has nothing to do with availability of safety critical systems in the car.

27. fodkodrasz ◴[26 Jun 25 09:49 UTC] No.44385769{8}[source]
Automotive companies pay big buck to vendors who supply certified tools/libraries, because getting stuff certified is lot of work/time. This also means that those stuff are often outdated, and a pain to work with, yet their vendors are not expected to function as charities, as often expected by FLOSS authors, esp. when releasing their code under BSD/MIT licenses and then getting eaten by the sharks.