by Anonymous Coward writes:
on Sunday May 16, 2021 @12:04PM (#61390432)
CVE? As in Common Vulnerability and Exposure? (Score:0)
A sanitization bug in a 50+-year-old simulator doesn't seem to qualify as "common" in any kind of usual usage. The simulator is not used to run tapes provided by untrusted users over the Internet.
Re: (Score:5, Informative)
A sanitization bug in a 50+-year-old simulator doesn't seem to qualify as "common" in any kind of usual usage.
It's not the bug that is common, it's the list that's in common, as in the sense of a public good.
Re:CVE? As in Common Vulnerability and Exposure? (Score:0)
Filling it up with trivial bugs in 50-year-old programs that don't represent any kind of security flaw sure makes for an effective way to harm the common good.
Re: CVE? As in Common Vulnerability and Exposure? (Score:2)
OTOH giving a universally understood unique identifier to a particular vulnerability (even a purely theoretical one like this) makes the vulnerability easier to refer to, and therefore easier to discuss and learn from. There is some benefit to that.
Re: (Score:0)
When and where did Minsky advertise this simulator for use in security applications?
Three things are required to make this into a vulnerability: (a) actually running it, 50+ years after it was first published, (2) on third-party input with incorrect sanitization and some assumption about what would actually happen, (iii) with some security implication from the unexpected execution. The context that provides those conditions -- especially (2) and (iii) -- is where the vulnerability is actually introduced.
Re: (Score:1)
Filling it up with trivial bugs in 50-year-old programs
Your definition of "Filling it up" does not match the definition used by the rest of the world.
Rest assured, the thing you are concerned about is not happening.
Re: (Score:0)
Filling it up with trivial bugs in 50-year-old programs that don't represent any kind of security flaw sure makes for an effective way to harm the common good.
None of your reply seems to address that the "C" in the name stands for "Common", as the original post claimed wasn't applicable to the name.
I'd also advise you to stop searching for specific vulnerabilities you admit you don't want to see.
Your complaint is a problem of your own making, despite being so offtopic.
Re: (Score:0)
It may be "common" in the sense of "a shared list", but it is certainly not a vulnerability or exposure. Congratulations, it gets a score of 16.67% on satisfying the definition of "CVE"!
It is a very safe bet that anyone commenting on this did not search for the CVE, but instead found it shit-posted to the front page of Slashdot. Stop being such a fucking tool.