
277 points | submitted by jwilk | 1 comment

DeepYogurt No.44382139
It'd be great if some of these open source security initiatives could dial up the quality of reports. I've seen so, so many reports for some totally unreachable code that get a CVE for causing a crash. Maintainers will argue that user input is filtered elsewhere and the "vuln" isn't real, but MITRE doesn't care.
replies(3): >>44382170 >>44382407 >>44382413
mschuster91 No.44382170
> I've seen so, so many reports for some totally unreachable code that get a CVE for causing a crash.

There have been a lot of cases where something once deemed "unreachable" eventually became reachable, sometimes years later, after a refactoring, and then there was an issue.

replies(2): >>44382232 >>44383832
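The pattern this reply describes, as an added example that is not code from the thread or from any project mentioned in it: a copy sink whose only caller filters the length, so a missing bound in the sink is "unreachable"; a later refactor adds a second entry point that forgets the filter, and the same sink now overflows. The wire format (a 1-byte or 2-byte length prefix followed by a payload), the `record_store` / `parse_v1` / `parse_v2` names, and the arena-with-canary layout are all constructed for this example; the canary sits inside an oversized arena so the overflow stays within memory the program owns (well-defined behaviour) and can be observed rather than crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_MAX 64      /* capacity of one record slot */
#define CANARY     0xA5u   /* marker byte placed right after the slot */
#define ARENA_SIZE 512     /* oversized so an overflow stays inside this object */

/* Constructed layout: record slot at arena[0..RECORD_MAX), canary at arena[RECORD_MAX]. */
typedef struct { uint8_t arena[ARENA_SIZE]; } slot_t;

static void slot_init(slot_t *s) {
    memset(s->arena, 0, sizeof s->arena);
    s->arena[RECORD_MAX] = CANARY;
}

static bool slot_intact(const slot_t *s) {
    return s->arena[RECORD_MAX] == CANARY;
}

/* The sink. When written, its only caller was parse_v1, which filters len,
   so a report against this memcpy would be dismissed as "unreachable". */
static void record_store(uint8_t *dst, const uint8_t *payload, size_t len) {
    memcpy(dst, payload, len);                 /* no bound against RECORD_MAX */
}

/* Original entry point: 1-byte length, validated at the boundary. */
static int parse_v1(slot_t *s, const uint8_t *msg, size_t n) {
    if (n < 1) return -1;
    size_t len = msg[0];
    if (len > RECORD_MAX || len > n - 1) return -1;   /* the filter "elsewhere" */
    record_store(s->arena, msg + 1, len);
    return 0;
}

/* Entry point added by a later refactor: 2-byte length. The RECORD_MAX check
   was not carried over, so an attacker-chosen len now reaches the sink. */
static int parse_v2(slot_t *s, const uint8_t *msg, size_t n) {
    if (n < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > n - 2) return -1;                /* bounds len by message size only */
    if (len > ARENA_SIZE) return -1;           /* demo-only guard: keep the write inside the arena */
    record_store(s->arena, msg + 2, len);
    return 0;
}

/* Hardened sink: the bound is enforced where the buffer lives, not in callers,
   so a new caller cannot reintroduce the overflow. */
static int record_store_checked(uint8_t *dst, size_t cap, const uint8_t *payload, size_t len) {
    if (len > cap) return -1;
    memcpy(dst, payload, len);
    return 0;
}

static int parse_v2_hardened(slot_t *s, const uint8_t *msg, size_t n) {
    if (n < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > n - 2) return -1;
    return record_store_checked(s->arena, RECORD_MAX, msg + 2, len);
}

/* Build a constructed message whose length field claims `len` payload bytes. */
static size_t build_msg(uint8_t *out, bool two_byte_len, size_t len) {
    size_t hdr = two_byte_len ? 2 : 1;
    if (two_byte_len) { out[0] = (uint8_t)(len >> 8); out[1] = (uint8_t)len; }
    else              { out[0] = (uint8_t)len; }
    memset(out + hdr, 'A', len);
    return hdr + len;
}

/* Each returns true if the canary survived, i.e. no overflow happened. */
bool v1_survives(void) {
    slot_t s; uint8_t msg[ARENA_SIZE];
    slot_init(&s);
    size_t n = build_msg(msg, false, 200);     /* 200 > RECORD_MAX */
    parse_v1(&s, msg, n);                      /* rejected at the boundary */
    return slot_intact(&s);
}

bool v2_survives(void) {
    slot_t s; uint8_t msg[ARENA_SIZE];
    slot_init(&s);
    size_t n = build_msg(msg, true, 200);
    parse_v2(&s, msg, n);                      /* reaches the unchecked memcpy */
    return slot_intact(&s);
}

bool v2_hardened_survives(void) {
    slot_t s; uint8_t msg[ARENA_SIZE];
    slot_init(&s);
    size_t n = build_msg(msg, true, 200);
    parse_v2_hardened(&s, msg, n);             /* rejected by the sink itself */
    return slot_intact(&s);
}

int main(void) {
    printf("v1 (filter at boundary)    canary intact: %s\n", v1_survives() ? "yes" : "no");
    printf("v2 (refactored, no filter) canary intact: %s\n", v2_survives() ? "yes" : "no");
    printf("v2 (hardened sink)         canary intact: %s\n", v2_hardened_survives() ? "yes" : "no");
    return 0;
}
```

The practical check for a maintainer triaging such a report is whether the bound lives in the sink or only in today's callers: if only in the callers, every future caller is a chance to make the "unreachable" path reachable, which is why the hardened variant validates against the buffer capacity at the memcpy.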
canyp No.44383832
And whose fault is it? The person who gave their work for free, or the parasitic company that shipped a product with it?
replies(1): >>44386921
mschuster91 No.44386921
Often enough such issues also affect a lot of downstream open-source software.