HackerTrans
TopNewTrendsCommentsPastAskShowJobs

denhamparry

no profile record

Submissions

Tarmageddon: RCE vulnerability highlights challenges of open source abandonware

edera.dev
25 points·by denhamparry·vor 9 Monaten·1 comments

Nscale raises the largest Series B in European history, at $1.1B

nscale.com
3 points·by denhamparry·vor 10 Monaten·0 comments

comments

denhamparry
·vor 9 Monaten·discuss
It is unlikely to have the bug as it sees more use, but it is worth checking. There have been previous CVEs with Pythons tar module.
denhamparry
·vor 9 Monaten·discuss
It is possible to exploit this bug by crafting a file that has tar contents without a header, thus making it hard to detect even with recursive archives.
denhamparry
·vor 9 Monaten·discuss
Thanks for the question!

Someone could release a malicious package that looks okay to a scanner tool, but when installed using uv can behave differently, allowing attackers to masquerade executable code.

In addition, for OCI images, it is possible to produce an OCI image that can overwrite layers in the tar file, or modify the index. This could be done in a way that is undetectable by the processor of the OCI image. Similar attacks can be done for tools that download libraries, binaries, or source code using the vulnerable parser, making a tar file that when inspected looks fine but when processed by a vulnerable tool, behaves differently.

I hope that answers your question?
denhamparry
·vor 9 Monaten·discuss
I'm from Edera. If you have any questions please send them our way
denhamparry
·vor 10 Monaten·discuss
Its a great blog post and loved the interactive elements around it