
Undefined Behaviour as usual

Posted Feb 24, 2024 6:39 UTC (Sat) by jmspeex (subscriber, #51639)
In reply to: Undefined Behaviour as usual by Otus
Parent article: Stenberg: DISPUTED, not REJECTED

Well, if you look at the issue being discussed, it was rated as severity 9.8/10. If you're going to give that rating for any integer overflow because (technically) it's UB, then you have no room left for the scary stuff.



Undefined Behaviour as usual

Posted Feb 24, 2024 11:30 UTC (Sat) by Otus (subscriber, #67685)

I can easily believe that the severity was wrong. But shouldn't that then be fixed?

I don't really know what the correct severity would've been here, but the severity part has always been black magic. (I don't think those are particularly useful in practice.)

My point is simply that CVE isn't supposed to be exclusively for highest impact issues, but any vulnerabilities.

