Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx

[Michael Orlitzky <michael () orlitzky com>]

On Fri, 2023-09-29 at 12:57 -0700, Travis Finkenauer wrote:
> Having a stable ABI has pros and cons. You are correct that Rust does not have
> a stable ABI by default (although you can you can opt into the C ABI per-type
> and per-function). A stable ABI is convenient because it lets you link to
> libraries compiled with different versions of a compiler. However, a stable ABI
> has performance implications. You are locked into that ABI even if you realize
> some decisions don't make sense in the future.
>
> ...
>
> I agree that it would be nice if Rust had a better story around dynamic
> linking. If your "product" is a single executable, then statically linking all
> of your Rust dependencies may not be a big deal. However, if you are
> distributing many binaries (such as in an OS image), then you would be
> building and packaging some libraries multiple times.

I'll focus on this as the portion most relevant to the list.

Any static linking is a big deal, because it embeds vulnerabilities
where no one is looking for them. It changes the complexity of
maintaining a secure system from something like O(n) to O(n*m), while
simultaneously making it impossible to automate. It also wastes space,
bandwidth, and CPU cycles -- but none of those are deal-breakers.


> There are workarounds like putting all of your Rust code in a single dynamic
> library, but that's obviously not ideal or always feasible. You can also avoid
> the Rust build tool "cargo" and directly compile dependencies to shared
> libraries with "rustc", but it's not easy to compile Rust code without "cargo".

This is the biggest problem. Cargo is the standard way to build rust
projects. Nobody is shipping a ./configure script for their rust
project. Cargo is what's documented. It's what everyone uses. It's
baked into all of the tools, the books, the domain names, the clever
puns. It's also a bundling tool.

Without ABI stability, the cargo approach was necessary to avoid
constant breakage. It's unreasonable to expect end users to track down
every rust program they're using and rebuild them all manually every
time a library is rebuilt with a newer version of rust. Instead, it was
decided that the blessed way to build and distribute rust projects
would be to bundle the world along with them.

Except, now, this is embarrassing: the only way for people to get
security updates is to track down every rust program they're using and
rebuild them all manually. This further presupposes that someone is
actually looking for security vulnerabilities in the old versions of
libraries bundled on everyone's systems. And that every rust upstream
is aware of every vulnerability in every dependency it bundles. None of
that happens.


> I'm not that familiar with Haskell, but in Rust when you
> specify a dependency "foo" version "1.2.3", you are not pinning directly to
> version "1.2.3". You are actually saying "I depend on 'foo' whose semantic
> version is compatible with 1.2.3". That means the dependency resolver may
> resolve "1.2.99" (patch fix) or "1.99.0" (minor version bump). Hence, you
> don't need to manually update your dependencies every time a new version is
> published.

All package managers have something similar. The problem is that when
the sole way to build and distribute software is to bundle everything
with it, who cares? Nobody is maintaining long-term-support branches
for any rust libraries. If someone wants the old API, no problem,
they're already bundling it!

Now imagine that someone wants to untangle this mess and use dynamic
linking to make security updates feasible again. They immediately
encounter diamond dependency conflicts, because no one has ever cared
to avoid them, because everyone builds rust projects with cargo,
because that's the only way to avoid breaking your whole system every
three weeks on rust release day. We're stuck at square one.

Memory issues are relatively hard to find and exploit. In the big
picture, mitigating them is a small part of what it takes to run a
secure system. A viable cure for memory issues therefore can't take a
dump on the way the rest of a secure system is managed.