sudo-rs' first security audit - Ferrous Systems (ferrous-systems.com)
from snaggen@programming.dev to rust@programming.dev on 06 Nov 2023 18:21
https://programming.dev/post/5499439

#rust


BB_C@programming.dev on 07 Nov 2023 06:02

Should have told the auditors that stripping symbols is stupid and counterproductive instead of playing along. That segfault a user managed to hit once and only once with their self-built binary, and that useless core file that was left behind, shall haunt you in your dreams forever.

And I love how that commit was merged with the comment “A further reduced binary size! 🎉”. Exhibit number #5464565465767 why caring that much about “dependency bloat” and binary sizes always was, and always will be, a result of collective mania in action.

Rustmilian@lemmy.world on 07 Nov 2023 07:08

but removing these symbols might make reverse engineering of the binary harder.

That’s the dumbest reasoning ever.

fil@programming.dev on 07 Nov 2023 07:51

Conspiracy theory: the workgroup found an RCE vulnerability and assigned it identifier CLN-002 but never disclosed it to the public and instead sold it to (CIA|DHL|MiB)