With some compiler changes (that are being backed out to give broken code some more time to get fixed), ancient crossbeam::queue SIGILLs because it causes UB by calling mem::zeroed or mem::uninitialized the wrong way. A fixed version has been out for 7 months but some projects are updating only now that they have to. Is it appropriate to file an advisory to make people upgrade, or is that not how advisories are supposed to be used? We have no information on exploitability or severity, all we know is "there is UB" (and I am not really interested in spending lots of time to figure out how bad the UB is).
The crossbeam 0.4 versions are broken, and crossbeam-queue 0.1 seems fixed. Which version of crossbeam itself is the first to be fixed I don't know (@stjepang ?)
(There was another bug fixed by crossbeam 0.4.1, but that does not seem to be the same one -- crates using 0.4.1 still saw SIGILLs.)
Personally, I don't think it's right to file an advisory unless we think it's actually a security issue
fair. but I will also note that once I found that some code is UB or is unsound (lets safe code trigger UB), I see my "job" done. whether that is exploitable in any way -- basically coming up with an exploit -- is not even a formally well-defined question, it is a very practical question concerned with what exactly the compiler happens to (not) do. it is not an interesting question to me. I have little expertise in that area and I think I have better ways to spend my time.
I am not saying you should change your policy, I am just informing you that there is a gap here and that this will mean I am unlikely to file many advisories even if I find lots of UB and some of it is actually security-relevant.
maybe there are people interested in closing that gap? I'd be happy to leave a note somewhere any time I find UB, and I'd be happy to explain the what and why and where, so should someone be interested they can see if this justifies an advisory or not.
did these versions of crossbeam_queue pull in the memoffset that had a notice recently? I feel like they did but could be wrong. if they do then anybody who follows the notices already will have updated, I think
hm, good question
yes, seems like they did. crossbeam 0.4 -> crossbeam-epoch 0.5 -> memoffset 0.2
so people following advisories are already warned. good :)
@RalfJ unless it's a security issue, I'd imagine yanking would be better, but if the memoffset stuff did it vicariously, great