[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Current standards/criteria for 'Undefined Behavior'


Yes. We discussed on a Board call and decided to discontinue assignment 
for undefined behavior issues.


-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
Art Manion
Sent: Thursday, July 6, 2017 3:12 PM
To: Carsten Eiram <che@riskbasedsecurity.com>; Adinolfi, Daniel R 
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Current standards/criteria for 'Undefined Behavior'

On 5/11/17 7:19 AM, Carsten Eiram wrote:
> I hope the new MITRE CVE team realizes they are in a minority of 
> people in this industry, who actually consider such issues as being 
> CVE worthy by default or even security-relevant without some proof of 
> there being a
> (realistic) security impact.

> We do not disagree that issues leading to undefined behaviour 
> _theoretically_ have a security impact. Rarely is it ever proven, 
> though. In fact, I don't think Agostino Sarubbo (or Hanno for that 
> matter) has proven a single of the UBSan issues, which he has 
> reported 
> many of, actually did have a real-world impact.

Some in-depth UB analysis:


Was the conclusion that CVE IDs would *not* be assigned for UB, unless 
there was reasonable evidence of a security impact?

  - Art

Page Last Updated or Reviewed: July 07, 2017