
278 points jwilk | 7 comments
arp242 ◴[] No.44382233[source]
A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

Things like "panics on certain content" like [1] or [2] are "security bugs" now. By that standard anything that fixes a potential panic is a "security bug". I've probably fixed hundreds if not thousands of "security bugs" in my career by that standard.

Barely qualifies as a "security bug" yet it's rated as "6.2 Moderate" and "7.5 HIGH". To say nothing of the gazillion "high severity" "regular expression DoS" nonsense and whatnot.

And the worst part is all of this makes it so much harder to find actual high-severity issues. It's not harmless spam.

[1]: https://github.com/gomarkdown/markdown/security/advisories/G...

[2]: https://rustsec.org/advisories/RUSTSEC-2024-0373.html

replies(13): >>44382268 #>>44382299 #>>44382855 #>>44384066 #>>44384368 #>>44384421 #>>44384513 #>>44384791 #>>44385347 #>>44385556 #>>44389612 #>>44390124 #>>44390292 #
icedchai ◴[] No.44382299[source]
Everything is a "security bug" in the right (wrong?) context, I suppose.
replies(1): >>44382581 #
1. cogman10 ◴[] No.44382581[source]
Well, that's sort of the problem.

It's true that once upon a time, libxml was a critical path for a lot of applications. Those days are over. Protocols like SOAP are almost dead and there's not really a whole lot of new networking applications using XML in any sort of manner.

The context where these issues could be security bugs is an ever-vanishing use case.

Now, find a similar bug in zlib or zstd and we could talk about it being an actual security bug.

replies(4): >>44383188 #>>44383685 #>>44383777 #>>44385767 #
2. fires10 ◴[] No.44383188[source]
SOAP is used far more than most people realize. I deal extensively in "cutting edge" industries that rely heavily on SOAP or SOAP based protocols. Supply chain systems and manufacturing.
replies(1): >>44388327 #
3. betaby ◴[] No.44383685[source]
> there's not really a whole lot of new networking applications using XML in any sort of manner.

Quite the opposite. NETCONF is XML (https://en.wikipedia.org/wiki/NETCONF), and all modern ISP/datacenter routers/switches have it underneath, most of the time as a primary automation/orchestration protocol.

4. monocasa ◴[] No.44383777[source]
Unfortunately stuff like SAML is XML.

That being said, I don't think that libxml2 has support for the dark fever dream that is XMLDSig, which SAML depends on.

5. tzs ◴[] No.44385767[source]
Aside from heavy use in the healthcare, finance, banking, retail, manufacturing, transportation, logistics, telecommunications, automotive, publishing, and insurance industries, w̶h̶a̶t̶ ̶h̶a̶v̶e̶ ̶t̶h̶e̶ ̶R̶o̶m̶a̶n̶s̶ who uses XML?
replies(1): >>44386472 #
6. cogman10 ◴[] No.44386472[source]
I think you (and others) are misconstruing what I'm saying.

I'm not saying XML is unused.

I'm saying that the specific space where its use can cause security problems from things like a DDOS are rare.

A legacy backend system that consumes XML docs isn't at risk of a malicious attacker injecting DDOS docs.

When XML is used for data interchange, it's typically only in circumstances where trusted parties are swapping XML docs. Where it's not typically being used is the open Internet. You aren't going to find many new REST endpoints emitting or consuming XML.

And the reason it's being used is primarily legacy. The format and parser are static. Swapping them out would be disruptive and gives few benefits.

That's what it means for something to increasingly become irrelevant. When new use slows or stops and development is primarily on legacy.

7. TheCoelacanth ◴[] No.44388327[source]
But in scenarios where the person generating the XML is untrusted?

I'm aware of plenty of usage of SOAP, but only between companies that have contractual relationships with each other and who could easily sue each other if one of them tried to exploit a security bug.

That greatly mitigates the risk of a security bug being exploited, especially something like a DoS attack that is easily noticed.