277 points jwilk | 2 comments
arp242 No.44382233
A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

Things like "panics on certain content" like [1] or [2] are "security bugs" now. By that standard anything that fixes a potential panic is a "security bug". I've probably fixed hundreds if not thousands of "security bugs" in my career by that standard.

Barely qualifies as a "security bug" yet it's rated as "6.2 Moderate" and "7.5 HIGH". To say nothing of gazillion "high severity" "regular expression DoS" nonsense and whatnot.

And the worst part is all of this makes it so much harder to find actual high-severity issues. It's not harmless spam.

[1]: https://github.com/gomarkdown/markdown/security/advisories/G...

[2]: https://rustsec.org/advisories/RUSTSEC-2024-0373.html

icedchai No.44382299
Everything is a "security bug" in the right (wrong?) context, I suppose.
cogman10 No.44382581
Well, that's sort of the problem.

It's true that once upon a time, libxml was a critical path for a lot of applications. Those days are over. Protocols like SOAP are almost dead and there aren't really a whole lot of new networking applications using XML in any sort of manner.

The context where these issues could be security bugs is an ever-vanishing use case.

Now, find a similar bug in zlib or zstd and we could talk about it being an actual security bug.

fires10 No.44383188
SOAP is used far more than most people realize. I deal extensively in "cutting edge" industries that rely heavily on SOAP or SOAP-based protocols. Supply chain systems and manufacturing.
TheCoelacanth No.44388327
But in scenarios where the person generating the XML is untrusted?

I'm aware of plenty of usage of SOAP, but only between companies that have contractual relationships with each other and who could easily sue each other if one of them tried to exploit a security bug.

That greatly mitigates the risk of a security bug being exploited, especially something like a DoS attack that is easily noticed.