thisismissem, (edited)
@thisismissem@hachyderm.io

Okay, have just submitted a PR to a fediverse project to fix a critical security vulnerability; CVE score is like 9.9/10.

More news once administrators of the servers using this project can upgrade safely.

Update: CVE was in @pixelfed, and the advisory is published here: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

paarth,
@paarth@pirate.lgbt

@thisismissem @pixelfed that's kinda a horrifying vulnerability level

thisismissem,
@thisismissem@hachyderm.io

@paarth @pixelfed indeed, it was very almost a 10/10 but required some minimal user interaction.

There'll be more information on the 25th when I make the full disclosure at 8pm-ish CEST.

paarth,
@paarth@pirate.lgbt

@thisismissem @pixelfed I'm curious how it got caught/why it wasn't caught earlier, and whether older versions in the wild may still be affected. Though I imagine that may all have to wait until after 2/25?

thisismissem,
@thisismissem@hachyderm.io

@paarth @pixelfed it got caught by me looking into the code whilst working on software for @iftas

Does it affect older versions? See the disclosure of the vulnerability.

devnull,
@devnull@crag.social

@thisismissem @paarth @pixelfed @iftas It's important to give leeway to project maintainers here. In all cases, there is no malicious intent, just ignorance over esoteric aspects of the chosen language. itself contained a 10/10 0-day, and we were very thankful that it was reported and fixed quickly.

thisismissem,
@thisismissem@hachyderm.io

@devnull @paarth @pixelfed it's not just that but sometimes in the thick of it working long hours solo on a project it can be possible to miss things.

This was very almost a 10/10, but required a little bit of user interaction in the past year to exercise.

thisismissem,
@thisismissem@hachyderm.io

Have confidentially submitted pull requests that fix both their main branch and the currently released version.

(yes, I manually backported the fix from main branch to their last release because the vulnerability is that critical to fix)

Awaiting response from the project maintainers now.

thisismissem,
@thisismissem@hachyderm.io

Update: working with the maintainers to release a fix ASAP, but details of the vulnerability will be embargoed until admins have had a chance to upgrade.

thisismissem,
@thisismissem@hachyderm.io

CVE number assigned! More news soon.

(It's my first numbered CVE 🥲)

janl,
@janl@narrativ.es

@thisismissem mazel tov

thisismissem,
@thisismissem@hachyderm.io

And here's the published security advisory: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

The vulnerability I found was indeed in @pixelfed, and I cannot understate how important it is for people to upgrade. Details will be embargoed until 25th February 2024.

devnull,
@devnull@crag.social

@thisismissem congratulations may feel out of place, but it's a remarkable achievement to get your first numbered CVE 😄

thisismissem,
@thisismissem@hachyderm.io

@devnull yeah, it's something I'm both proud of and happy that I fixed.
