Hi Adrian,
I am the author of httpdirfs. Do you reckon I should just remove ubsan,
or should I add asan into the Makefile? I reckon I should just remove
ubsan.
Best wishes,
Fufu
 
On Tue, 2023-02-21 at 21:41 +0200, Adrian Bunk wrote:
> Package: httpdirfs
> Version: 1.2.4-1
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> 
> Package: httpdirfs
> Version: 1.2.4-2
> Depends: ..., libubsan1 (>= 8), ...
> 
> 
> This is a bad idea not only due to slower execution,
> but might even introduce vulnerabilities:
> https://www.openwall.com/lists/oss-security/2016/02/17/9
> 
> While there are safe usages of ubsan, httpdirfs being the
> only package in the archive that uses ubsan but not asan
> is something that sounds wrong and underreviewed.
> 
