Hacker News new | past | comments | ask | show | jobs | submit login

IIRC, all the recent sudo vulns are logic errors, not memory safety. I mean, rewrite away but let's not pretend that there couldn't be some new bug introduced due to a misunderstanding of how something works or just a plain old mistake.



2021: https://nvd.nist.gov/vuln/detail/CVE-2021-3156

2019: https://nvd.nist.gov/vuln/detail/CVE-2019-18634


Fair point with the second one but for the first off by one is a logic error still?


It was a logic error... that led to a memory safety error, which resulted in a privilege escalation vulnerability.

Just because the source is a logic error doesn't mean the end result can't be bad when combined with a lack of memory safety.


> let's not pretend that there couldn't be some new bug introduced due to a misunderstanding of how something works or just a plain old mistake.

Is anyone doing that? I see a lot of claims of memory safety, but as far as I can see the project isn’t saying other types of bugs are for sure eliminated.


That's fair and i support that but it does not address historical bug patterns that may be a design issue.


In the same way a new memory bug could be introduced to the original sudo. Shrinking the attack surface with static checks seems like a better deal in the long run.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: