atop tried to connect via tcp to atopgpud by default for gathering gpu metrics, and if sth else was listening there it could feed it garbage atopgpud conns are now off by default
@snow I think the only ones I'd somewhat believe on "uninstall $x" will little justification would be few rare system developers / packagers that know the difference between "CVE!!!" and "This is exploited in the wild / will be trivially exploited the day it's disclosed", and even then I'd probably just harden/check-hardening and then wait for the first patches/disclosure. Meanwhile Rachel is comparatively "literally who".
@wolf480pl@snow Memory corruption doesn't always means code execution though, specially on modern systems (atop is Linux-only btw) where memory is W^X or very close to it.
And looking at the vuln, it's the heap so might not even be able to corrupt anything but like statistical data.
@lanodan@snow The patch mentions double free, IIRC those can let you overwrite a function pointer if the circumstances are right... idk if they were in this case.
I guess the question is, how often do people find this kind of bugs in popular commandline tools? Cause if it's not often, then I think the warning was justified, even though it could've been communicated better.
@wolf480pl@lanodan the real question is whether "someone who can execute arbitrary binaries on my system *may* be able to fuck stuff up by listening on a specific tcp port" is part of your threat model or not which for anyone utilizing containers for example is a no and thanks to the posts being so overly vague and ominous you were not able to make a decision about this and just had to assume the worst (eg project backdoored)
@snow@wolf480pl Or at least gradual disclosure with proper information (say config change or hardening instruction) when there's a need for embargoes (due to how much time even a mitigating patch can take if there's like multiple implementations).
But here I feel like it should just have been: Here's a patch, apply it or disable networking in atop, done.
@wolf480pl@lanodan i firmly believe that full disclosure is the only sane way to handle stuff like this keeping it secret only means more abuse time for attackers who independently discovered the same flaw, and prevents admins from taking timely countermeasures
@snow@lanodan although I guess that still wouldn't be enough to make a decision, since if the LPE is in handling of process names, that would be recheable from within a container...
@snow@wolf480pl And personally I really wish security community would adopt something more like a range of possibilities when it comes to vulnerabilities, and acknowledge that mitigations/hardening are a thing. Otherwise you end up with security alert fatigue, or even frustration when it's like "Yeah, not even exploitable on those systems".