Replies: 5 comments
-
Capturing nuances like low exploitability is something I was hoping to do with CVSS scores, although they're not supported in any current Beyond that, it's the sort of thing it'd be nice to have a call graph analysis for: rustsec/rustsec#89
-
I would not rely too much on graph analysis because people will need to analyze binaries as well (in fact I expect that to become the primary consumption mode of rustsec eventually) and call graph analysis on compiled binaries is impossible.
-
Not to drag us off topic, but why do you think binary-based analysis will be the main way this data is used? I imagine static analysis provided by platforms like github will be significantly more common.

On Sat, Sep 7, 2019 at 10:05 AM Shnatsel wrote:

> I would not rely too much on graph analysis because people will need to analyze binaries as well (in fact I expect that to become the primary consumption mode of rustsec eventually) and call graph analysis on compiled binaries is impossible.

--
All that is necessary for evil to succeed is for good people to do nothing.
-
Github is great, but github is not where the software is being actually used. Updating github sources doesn't actually fix any binaries that people actually run. And tracking down the exact source for whatever you're running is much too cumbersome for people to bother. Hence rust-audit. I imagine this audit model will get a boost from e.g. cloud providers scanning people's Docker containers and VM images.
-
I'll convert this to discussion as we got these old Issues - keen to get them cleaned up and this seems like something we can not act on too much with any advisory.
-
Here is a buffer overflow in libc: rust-lang/libc#1501
However, it is exceedingly unlikely that anyone would actually write code that actually makes it exploitable, i.e. manipulates the len in that struct based on an attacker-controlled value.
libc is a transitive dependency of everything ever, so if we file an advisory we would spam people and cause a lot of churn for an issue that's unlikely to be triggered in practice. On the other hand, this leaves a potential vulnerability unreported. Thoughts?