277 points jwilk | 5 comments
DeepYogurt No.44382139
It'd be great if some of these open source security initiatives could dial up the quality of reports. I've seen so so many reports for some totally unreachable code that get a CVE for causing a crash. Maintainers will argue that user input is filtered elsewhere and the "vuln" isn't real, but MITRE doesn't care.
replies(3): >>44382170 >>44382407 >>44382413
mschuster91 No.44382170
> I've seen so so many reports for some totally unreachable code and get a cve for causing a crash.

There have been a lot of cases where something once deemed "unreachable" eventually was reachable, sometimes years later, after a refactoring and now there was an issue.

replies(2): >>44382232 >>44383832
DeepYogurt No.44382232
At what rate though? Is it worth burning out devs we as a community rely upon because maybe someday 0.000001% of these bugs might have real impact? I think we need to ask more of these "security researchers". Either provide a real world attack vector or start patching these bugs along with the reports.
replies(2): >>44382273 >>44382336
bigfatkitten No.44382273
“PoC or GTFO” is an entirely reasonable response.
replies(3): >>44382466 >>44382698 >>44384612
marcusb No.44382466
Also a wonderful zine!
duped No.44382698
"PR or payment to fix or GTFO" is also a reasonable response.
codedokode No.44384612
I wouldn't bother to write a PoC because it is a waste of time, and it is faster to fix the potential bug than to figure out what conditions are necessary to turn it into a vulnerability. I think that we all should stop writing PoCs for bugs and spend our lifetimes on something more useful.
replies(1): >>44385332
mschuster91 No.44385332
That's not easy though, especially not for large and old code bases. As an outsider doing occasional bugfixes when I spot issues in an open-source project, I don't have the time to dig into how exactly I need to set up my computer to even have a minimum viable build setup, adhere to each project's different code standards, deal with the bullshit called "Contributor License Agreement" and associated paperwork, or wrap my head around how this specific project does testing and pipelines.

What I can and will do, however, is write a bug ticket that says what I think the issue is and where I most suspect the cause lies, and provide either a reproduction or a bugfix patch. Dealing with the remainder of the bureaucracy, however, is not something I see as my responsibility.