HackerTrans
TopNewTrendsCommentsPastAskShowJobs

DDiggler

no profile record

comments

DDiggler
·2 năm trước·discuss
Meanwhile in Arch land (possibly other distros as well), the fwupd package (which I imagine to be a fairly common package to be installed among the user base) has been silently configured to depend on passim, which spins up an open web server on 0.0.0.0:27500[1] without any(!) explicit user consent whatsover. Passim then uses GnuTLS, which is famous for containing more holes than Swiss cheese [2][3].

Absolutely insane to me, and I would not be surprised if there's an xz type of exploit hidden somewhere in the chain.

[1]: https://github.com/fwupd/fwupd/issues/6721

[2]: https://news.ycombinator.com/item?id=7347500

[3]: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gnutls
DDiggler
·2 năm trước·discuss
>friendly adjacent neighbors

As a Finn I laughed out loud.
DDiggler
·2 năm trước·discuss
The "verification" downloads the file twice... seems like one could easily make a custom HTTP server to change the second consecutive response to a malicious one.