Bug#1031744: httpdirfs: usage of ubsan might introduce vulnerabilities
On Thu, Feb 23, 2023 at 01:49:49AM +, Fufu Fang wrote:
> Hi Adrian,
> I have pushed a commit to Github which removes the usage of UBSAN. I am
> happy to go with this method.
>
> Do let me know if you prefer ASAN to be added alongside UBSAN, rather
> than simply removing UBSAN.

Enabling ASAN makes it even worse, so this was correct.

> Best wishes,
> Fufu

Thanks
Adrian
Bug#1031744: httpdirfs: usage of ubsan might introduce vulnerabilities
Hi Adrian,

I have pushed a commit to Github which removes the usage of UBSAN. I am
happy to go with this method.

Do let me know if you prefer ASAN to be added alongside UBSAN, rather
than simply removing UBSAN.

Best wishes,
Fufu
Bug#1031744: httpdirfs: usage of ubsan might introduce vulnerabilities
Hi Adrian,

I am the author of httpdirfs. Do you reckon I should just remove ubsan,
or should I add asan into the Makefile?

I reckon I should just remove ubsan.

Best wishes,
Fufu

On Tue, 2023-02-21 at 21:41 +0200, Adrian Bunk wrote:
> Package: httpdirfs
> Version: 1.2.4-1
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team
>
> Package: httpdirfs
> Version: 1.2.4-2
> Depends: ..., libubsan1 (>= 8), ...
>
>
> This is a bad idea not only due to slower execution,
> but might even introduce vulnerabilities:
> https://www.openwall.com/lists/oss-security/2016/02/17/9
>
> While there are safe usages of ubsan, httpdirfs being the
> only package in the archive that uses ubsan but not asan
> is something that sounds wrong and underreviewed.
>
Bug#1031744: httpdirfs: usage of ubsan might introduce vulnerabilities
Package: httpdirfs
Version: 1.2.4-1
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team

Package: httpdirfs
Version: 1.2.4-2
Depends: ..., libubsan1 (>= 8), ...


This is a bad idea not only due to slower execution,
but might even introduce vulnerabilities:
https://www.openwall.com/lists/oss-security/2016/02/17/9

While there are safe usages of ubsan, httpdirfs being the
only package in the archive that uses ubsan but not asan
is something that sounds wrong and underreviewed.
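The report above spotted the problem through the binary package's Depends line, which pulled in the libubsan1 runtime. The script below is an added example, not part of the bug report, of the Debian packaging or of httpdirfs itself; it shows the two checks a maintainer can run to catch a release build that still carries sanitizer instrumentation: one over a package's Depends line and one over a Makefile's compiler flags. The sample Depends line and both Makefile fragments are constructed for the example (only "libubsan1 (>= 8)" comes from the report), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: detect sanitizer instrumentation left in a release build.
# Nothing here is taken from httpdirfs' real Makefile or packaging; the
# sample Depends line and Makefile fragments are constructed for this example.

# Constructed sample Depends line (the report only shows "..., libubsan1 (>= 8), ...").
SAMPLE_DEPENDS='Depends: libc6 (>= 2.34), libcurl4 (>= 7.16.2), libfuse2 (>= 2.8), libubsan1 (>= 8)'

# Read a "Depends:" line on stdin and print each sanitizer runtime package it
# names (libubsan*, libasan*, libtsan*, liblsan*), one per line.
# Exit status is 0 when at least one was found, 1 otherwise (grep's own status).
sanitizer_runtimes_in_depends() {
    sed -e 's/^Depends: *//' \
        | tr ',' '\n' \
        | sed -e 's/^ *//' -e 's/ .*//' \
        | grep -E '^lib(ubsan|asan|tsan|lsan)[0-9]*$'
}

# Print every -fsanitize=... flag found in the given Makefile, one per line.
# Exit status is 0 when any were found, 1 otherwise.
sanitize_flags_in_makefile() {
    grep -oE -- '-fsanitize=[^[:space:]]+' "$1"
}

# Write a constructed Makefile fragment that builds with UBSAN enabled, the
# situation the report describes, and print its path.
write_sample_makefile() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
CFLAGS  += -Wall -Wextra -O2 -fsanitize=undefined
LDFLAGS += -fsanitize=undefined
all: httpdirfs
EOF
    printf '%s\n' "$f"
}

# Write the same fragment with the sanitizer removed (the fix the thread settles
# on) and print its path.
write_fixed_makefile() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
CFLAGS  += -Wall -Wextra -O2
LDFLAGS +=
all: httpdirfs
EOF
    printf '%s\n' "$f"
}

# Run both checks against a Depends line and a Makefile.
# Returns 1 if either check finds sanitizer instrumentation, 0 if the build is clean.
audit_build() {
    depends_line=$1
    makefile=$2
    status=0
    if runtimes=$(printf '%s\n' "$depends_line" | sanitizer_runtimes_in_depends); then
        printf 'sanitizer runtime in Depends: %s\n' "$(printf '%s' "$runtimes" | tr '\n' ' ')"
        status=1
    fi
    if flags=$(sanitize_flags_in_makefile "$makefile"); then
        printf 'sanitizer flags in %s: %s\n' "$makefile" "$(printf '%s' "$flags" | sort -u | tr '\n' ' ')"
        status=1
    fi
    return $status
}

# Demo: the instrumented build is flagged, the fixed one passes.
sample_mf=$(write_sample_makefile)
fixed_mf=$(write_fixed_makefile)
audit_build "$SAMPLE_DEPENDS" "$sample_mf" || echo "FAIL: sanitizer instrumentation present"
audit_build 'Depends: libc6 (>= 2.34), libcurl4 (>= 7.16.2), libfuse2 (>= 2.8)' "$fixed_mf" && echo "OK: clean build"
rm -f "$sample_mf" "$fixed_mf"
```

On a real package the Depends line comes from `dpkg-deb -f package.deb Depends` and the Makefile check runs over the upstream build files; the Depends check is the cheaper of the two, since it inspects the shipped artifact rather than the source and therefore catches instrumentation however it got into the build.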