HackerTrans
トップ新着トレンドコメント過去質問紹介求人

denhamparry

no profile record

投稿

Tarmageddon: RCE vulnerability highlights challenges of open source abandonware

edera.dev
25 ポイント·投稿者 denhamparry·9 か月前·1 コメント

Nscale raises the largest Series B in European history, at $1.1B

nscale.com
3 ポイント·投稿者 denhamparry·10 か月前·0 コメント

コメント

denhamparry
·9 か月前·議論
It is unlikely to have the bug as it sees more use, but it is worth checking. There have been previous CVEs with Pythons tar module.
denhamparry
·9 か月前·議論
It is possible to exploit this bug by crafting a file that has tar contents without a header, thus making it hard to detect even with recursive archives.
denhamparry
·9 か月前·議論
Thanks for the question!

Someone could release a malicious package that looks okay to a scanner tool, but when installed using uv can behave differently, allowing attackers to masquerade executable code.

In addition, for OCI images, it is possible to produce an OCI image that can overwrite layers in the tar file, or modify the index. This could be done in a way that is undetectable by the processor of the OCI image. Similar attacks can be done for tools that download libraries, binaries, or source code using the vulnerable parser, making a tar file that when inspected looks fine but when processed by a vulnerable tool, behaves differently.

I hope that answers your question?
denhamparry
·9 か月前·議論
I'm from Edera. If you have any questions please send them our way
denhamparry
·10 か月前·議論
Its a great blog post and loved the interactive elements around it