Classification of unsoundness as a vulnerability in GHSA-cq8v-f236-94qc

[xtqqczze]

I’m trying to understand the rationale behind publishing this advisory as a security vulnerability in the GitHub Advisory Database:

From what I can see, the issue describes a case of unsound behavior (i.e., a violation of Rust’s safety guarantees leading to potential undefined behavior), but not a demonstrated or practical security exploit.

References:

• GHSA-cq8v-f236-94qc
• Prepare v0.10.1: deprecate feature log #1763

[dhardy]

I agree with the conclusion. As for whether rustsec should support publication of soundness advisories, I don't know; it may not be the best approach but I do not consider it my position to decide on the matter (in this case I asked @tarcieri how to handle the issue).

Shall I close this issue? At this point there's nothing left to do but apply patches (where desired).

[xtqqczze]

I’ve raised this here: rustsec/advisory-db#2572 (comment)

[xtqqczze]

@dhardy This doesn’t appear to be a RustSec issue. Could you open an issue on the GitHub Advisory Database (https://github.com/github/advisory-database) to request its removal?

[dhardy]

I'd prefer to let RustSec handle this internally since it appears they do wish to track unsound-code advisories. See github/advisory-database#7418.