this post was submitted on 27 Jun 2024
1 points (55.6% liked)

Pulse of Truth

333 readers
2 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 1 year ago
MODERATORS
[email protected]
1
Majority of Critical Open Source Projects Contain Memory Unsafe Code (www.infosecurity-magazine.com)
submitted 4 months ago by [email protected] to c/[email protected]
2 comments fedilink hide all child comments
 

A CISA analysis in collaboration with international partners concluded most critical open source projects potentially contain memory safety vulnerabilities

top 2 comments
sorted by: hot top controversial new old
[–] [email protected] 10 points 4 months ago (1 children)

The fuck are you on about

The headline is not what the article says at all

written in a memory-unsafe language

The report concluded that most critical open source projects potentially contain memory safety vulnerabilities. This is a result of direct use of memory unsafe languages or external dependency on projects that use memory-unsafe languages.

Emphasis on “potentially” is mine

Quite a lot more than 55% of projects have an external dependency on projects that use memory unsafe languages. Aside from a certain amount of Go or Rust projects that manage to avoid any dependency that drops down into C to expose some library at some point, I think it’s all of them.

[–] [email protected] 1 points 4 months ago

Not sure if that is even the point. The article is all about memory unsafe programming!!1!. But there is no context at all.

Sure, there are vulnerabilities because of unsafe memory handling. But I looked for some statistic which would bring unsafe memory handling into context with say the high profile vulnerabilities from the last few weeks / months. I haven't spent too much time on research but looking at some lists containing vulns from the last few months it seems as if all those pre-auth, priv escalation, directory traversal and whatnot very based on much simpler failures like wrong error handling or logical errors or missing code than unsafe memory handling.

I might be wrong, then please show me the numbers, but shooting at C/C++ because unsafe!!1! sounds like a very biased story there.

And while we are at it. I'd also be interested in C vs. (somewhat modern) C++.