HackerTrans
TopNewTrendsCommentsPastAskShowJobs

denhamparry

no profile record

Submissions

Tarmageddon: RCE vulnerability highlights challenges of open source abandonware

edera.dev
25 points·by denhamparry·9 माह पहले·1 comments

Nscale raises the largest Series B in European history, at $1.1B

nscale.com
3 points·by denhamparry·10 माह पहले·0 comments

comments

denhamparry
·9 माह पहले·discuss
It is unlikely to have the bug as it sees more use, but it is worth checking. There have been previous CVEs with Pythons tar module.
denhamparry
·9 माह पहले·discuss
It is possible to exploit this bug by crafting a file that has tar contents without a header, thus making it hard to detect even with recursive archives.
denhamparry
·9 माह पहले·discuss
Thanks for the question!

Someone could release a malicious package that looks okay to a scanner tool, but when installed using uv can behave differently, allowing attackers to masquerade executable code.

In addition, for OCI images, it is possible to produce an OCI image that can overwrite layers in the tar file, or modify the index. This could be done in a way that is undetectable by the processor of the OCI image. Similar attacks can be done for tools that download libraries, binaries, or source code using the vulnerable parser, making a tar file that when inspected looks fine but when processed by a vulnerable tool, behaves differently.

I hope that answers your question?
denhamparry
·9 माह पहले·discuss
I'm from Edera. If you have any questions please send them our way
denhamparry
·10 माह पहले·discuss
Its a great blog post and loved the interactive elements around it