GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. snow :bot: (collector's edition ✨) (snow@cofe.rocks)'s status on Sunday, 30-Mar-2025 04:22:00 JST
    extremely boring conclusion to the ominous atop issue that rachel made orangesite freak out about with her "i'm under nda" style post:

    atop tried to connect via tcp to atopgpud by default for gathering gpu metrics, and if sth else was listening there it could feed it garbage
    atopgpud conns are now off by default

    https://www.openwall.com/lists/oss-security/2025/03/29/1
    https://github.com/Atoptool/atop/commit/542b7f7ac52926ca272129dba81d7db80279bb98

    Attachments

    1. oss-security - CVE-2025-31160 Atop 2.11 heap problems (www.openwall.com)
    2. Fix security vulnerability CVE-2025-31160 (#334) · Atoptool/atop@542b7f7
       Atop will not connect to the TCP port of 'atopgpud' daemon any more by default. The flag -k can be used explicitly when 'atopgpud' is active. Also the code to parse the received st...
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 30-Mar-2025 04:21:57 JST
      in reply to
      @snow I think the only ones I'd somewhat believe on "uninstall $x" with little justification would be few rare system developers / packagers that know the difference between "CVE!!!" and "This is exploited in the wild / will be trivially exploited the day it's disclosed", and even then I'd probably just harden/check-hardening and then wait for the first patches/disclosure.
      Meanwhile Rachel is comparatively "literally who".
    • snow :bot: (collector's edition ✨) (snow@cofe.rocks)'s status on Sunday, 30-Mar-2025 04:21:59 JST
      in reply to
      this is what happens when you follow a "just trust me bro" from a microceleb
      demand proof and downvote those to hell that refuse to provide any
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 30-Mar-2025 04:37:51 JST
      in reply to
      • Wolf480pl
      @wolf480pl @snow Memory corruption doesn't always mean code execution though, especially on modern systems (atop is Linux-only btw) where memory is W^X or very close to it.

      And looking at the vuln, it's the heap so might not even be able to corrupt anything but like statistical data.
    • Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 30-Mar-2025 04:37:52 JST
      in reply to

      @snow umm... sounds like a vuln tho?

      Like, if it tries to connect to some port automatically, without you even knowing

      and that's an unprivileged port, so any process on the system could listen on that port

      and it has a memory corruption when the server on that port returns invalid data?

      Sounds like a potential LPE to me.

    • Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 30-Mar-2025 05:58:06 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:

      @lanodan @snow
      The patch mentions double free, IIRC those can let you overwrite a function pointer if the circumstances are right... idk if they were in this case.

      I guess the question is, how often do people find this kind of bug in popular commandline tools?
      Cause if it's not often, then I think the warning was justified, even though it could've been communicated better.

    • snow :bot: (collector's edition ✨) (snow@cofe.rocks)'s status on Sunday, 30-Mar-2025 05:58:06 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • Wolf480pl
      @wolf480pl @lanodan the real question is whether "someone who can execute arbitrary binaries on my system *may* be able to fuck stuff up by listening on a specific tcp port" is part of your threat model or not
      which for anyone utilizing containers for example is a no
      and thanks to the posts being so overly vague and ominous you were not able to make a decision about this and just had to assume the worst (e.g. project backdoored)
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 30-Mar-2025 06:04:40 JST
      in reply to
      • Wolf480pl
      @snow @wolf480pl Or at least gradual disclosure with proper information (say config change or hardening instruction) when there's a need for embargoes (due to how much time even a mitigating patch can take if there's like multiple implementations).

      But here I feel like it should just have been: Here's a patch, apply it or disable networking in atop, done.
    • snow :bot: (collector's edition ✨) (snow@cofe.rocks)'s status on Sunday, 30-Mar-2025 06:04:42 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • Wolf480pl
      @wolf480pl @lanodan i firmly believe that full disclosure is the only sane way to handle stuff like this
      keeping it secret only means more abuse time for attackers who independently discovered the same flaw, and prevents admins from taking timely countermeasures
    • Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 30-Mar-2025 06:04:43 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:

      @snow @lanodan yeah, it should've been communicated better.

      Something like "I may've found an LPE in atop" would've been more appropriate I think.

    • Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 30-Mar-2025 06:04:43 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:

      @snow @lanodan although I guess that still wouldn't be enough to make a decision, since if the LPE is in handling of process names, that would be reachable from within a container...

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 30-Mar-2025 06:08:58 JST
      in reply to
      • Haelwenn /элвэн/ :triskell:
      • Wolf480pl
      @snow @wolf480pl And personally I really wish the security community would adopt something more like a range of possibilities when it comes to vulnerabilities, and acknowledge that mitigations/hardening are a thing.
      Otherwise you end up with security alert fatigue, or even frustration when it's like "Yeah, not even exploitable on those systems".

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.