Looking back at all (now) published vulnerabilities in #curl that were present in code from 2020 until now, at no point in those years was the share of "C mistakes" higher than 15% of all vulns.

Through all years, the C mistake share of all vulnerabilities in #curl was never above 45% at any single point in history.

@bagder do you have in mind some interesting or unexpected C ones? only for my curiosity/learning, nothing serious
@spinnyspinlock we've only had two severity HIGH CVEs in #curl within the last five years, both of them were C mistakes: https://curl.se/docs/CVE-2023-38545.html and https://curl.se/docs/CVE-2021-22901.html

@bagder CVE-2021-22901 was exactly the kind of interesting vulnerability I wanted to see, thank you! well done on the good security track record too :)
@spinnyspinlock @bagder Sanitizers are only as good as code coverage. If code is not exercised when the sanitizer runs, the bug will not be detected.
@huitema @spinnyspinlock @bagder What I started to do experimentally is use the sanitizers to insert traps and then see if the optimizer removes the check. This can be used to prove that certain properties (covered by certain sanitizers) are statically fulfilled. Would need more work on tooling though.