
Undefined Behaviour as usual

Posted Feb 24, 2024 15:40 UTC (Sat) by mcatanzaro (subscriber, #93033)
In reply to: Undefined Behaviour as usual by wtarreau
Parent article: Stenberg: DISPUTED, not REJECTED

> This is exactly the type of generic analysis that focuses on pure theory and neither on code nor use cases that made CVEs totally useless over the years and harms software development and security in general by making reports not trustable anymore.

But it's also correct. Signed integer overflow is a software vulnerability. It doesn't matter whether it's exploitable or not. CVEs are for tracking vulnerabilities, not exploits.

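To make the point above concrete, here is an added C example (not code from the thread or from any project discussed in the article) that puts an unchecked length computation next to a checked one. The helper names and the "header + count * elem_size" arithmetic are hypothetical; the `__builtin_mul_overflow` / `__builtin_add_overflow` intrinsics are real GCC and Clang extensions that evaluate the operation in infinite precision and report whether the result fits the destination type. The checked form is what a maintainer would ship in place of the unchecked one, whether or not anyone has shown the overflow to be reachable.

```c
#include <limits.h>
#include <stdio.h>

/* Unchecked form (hypothetical helper): if count * elem_size, or the final
 * addition, does not fit in int, the behaviour is undefined in C. The
 * compiler is entitled to assume that never happens, so a later bounds check
 * written in terms of the result may be optimised away. */
static int total_len_unchecked(int count, int elem_size, int header)
{
    return header + count * elem_size;
}

/* Checked form: rejects negative inputs and uses the GCC/Clang overflow
 * builtins so the arithmetic is never evaluated with undefined behaviour.
 * Returns the length on success, or -1 if any step would overflow. Callers
 * can treat -1 as "refuse the request" before touching any buffer. */
static int total_len_checked(int count, int elem_size, int header)
{
    int product, sum;

    if (count < 0 || elem_size < 0 || header < 0)
        return -1;
    if (__builtin_mul_overflow(count, elem_size, &product))
        return -1;
    if (__builtin_add_overflow(product, header, &sum))
        return -1;
    return sum;
}

int main(void)
{
    /* Constructed inputs: a benign request and two that overflow int. */
    printf("benign: unchecked=%d checked=%d\n",
           total_len_unchecked(1000, 4, 16), total_len_checked(1000, 4, 16));
    printf("overflow in multiply: checked=%d\n",
           total_len_checked(INT_MAX, 2, 0));
    printf("overflow in add: checked=%d\n",
           total_len_checked(INT_MAX, 1, 1));
    /* The unchecked helper is deliberately not called with the overflowing
     * inputs: doing so would itself be undefined behaviour. */
    return 0;
}
```

The benign case gives the same answer either way; the two overflowing cases are the ones that matter, and only the checked version can report them without first executing the undefined operation.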

Undefined Behaviour as usual

Posted Feb 25, 2024 23:33 UTC (Sun) by neggles (subscriber, #153254)

If CVEs aren't for exploits why is the E there, then?

Undefined Behaviour as usual

Posted Feb 26, 2024 1:15 UTC (Mon) by tialaramex (subscriber, #21167)

Because they're an Enumeration? This idea comes out of the paper "Towards a Common Enumeration of Vulnerabilities"

Undefined Behaviour as usual

Posted Feb 26, 2024 9:07 UTC (Mon) by geert (subscriber, #98403)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds