[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Current standards/criteria for 'Undefined Behavior'

On 5/11/17 7:19 AM, Carsten Eiram wrote:
I hope the new MITRE CVE team realizes they are in a minority of people 
this industry, who actually consider such issues as being CVE worthy by
default or even security-relevant without some proof of there being a
(realistic) security impact.

We do not disagree that issues leading to undefined
behaviour _theoretically_ have a security impact. Rarely is it ever 
though. In fact, I don't think Agostino Sarubbo (or Hanno for that 
has proven a single of the UBSan issues, which he has reported many of,
actually did have a real-world impact.

Some in-depth UB analysis:


Was the conclusion that CVE IDs would *not* be assigned for UB, unless 
there was reasonable evidence of a security impact?

 - Art

Page Last Updated or Reviewed: July 07, 2017