
277 points jwilk | 3 comments
otikik ◴[] No.44385287[source]
I think they are not going far enough.

"All null-pointer-referencing issues should come with an accompanying fix pull request".

replies(2): >>44385352 #>>44385551 #
tzs ◴[] No.44385352[source]
So if I find a null pointer dereference issue in something written in a language I don’t know, I shouldn’t report it because I can’t include a fix?
replies(1): >>44385374 #
1. otikik ◴[] No.44385374[source]
If you don't know the language, why are you reporting null pointers?
replies(1): >>44385503 #
2. tzs ◴[] No.44385503[source]
Because the program crashed and the crash dump showed a null pointer dereference, and I found some inputs that reproduce it 100%, so I thought this might be useful to the developer?
replies(1): >>44385760 #
3. otikik ◴[] No.44385760[source]
In the context of libxml it does sound that for every hypothetical person like you there's going to be 20 "security researchers" like the ones the article is mentioning; just running automated tools and trying to use security issues as a way to promote themselves.

If getting rid of your input gets rid of the other 20 issues, I would take it.