Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/joeyh/statuses/112180728041948162">see shy jo (joeyh@hachyderm.io)'s status on Saturday, 30-Mar-2024 08:23:52 JST</a><a href="https://hachyderm.io/@joeyh" title="joeyh@hachyderm.io"><img src="https://gnusocial.jp/avatar/158711-48-20230808185707.webp" width="48" height="48" alt="see shy jo" style="position: absolute; left: 0; top: 0;">see shy jo</a><div><a href="https://hachyderm.io/@joeyh/112180715824680521" rel="in-reply-to">in reply to</a></div></section><article><p>We don't need any of the changes they made to xz. xz from 2021 was fine.</p><p>They did make commits that claimed to fix an integer overflow, apparently legitimately. So they were deep into analyzing xz security at that point.<br><a href="https://github.com/tukaani-project/xz/commit/18d7facd3802b55c287581405c4d49c98708c136" rel="nofollow noreferrer">https://github.com/tukaani-project/xz/commit/18d7facd3802b55c287581405c4d49c98708c136</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2879926#notice-5722050">In conversation</a><time datetime="2024-03-30T08:23:52+09:00" title="Saturday, 30-Mar-2024 08:23:52 JST">about 8 months ago</time> <span>from <span><a href="https://hachyderm.io/@joeyh/112180728041948162" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@joeyh/112180728041948162">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/tukaani-project/xz/commit/18d7facd3802b55c287581405c4d49c98708c136">liblzma: lzma_index_append: Add missing integer overflow check. · tukaani-project/xz@18d7fac</a></h5><div></div></header><div>The documentation in src/liblzma/api/lzma/index.h suggests that
both the unpadded (compressed) size and the uncompressed size
are checked for overflow, but only the unpadded size was checked.
The u...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
see shy jo (joeyh@hachyderm.io)'s status on Saturday, 30-Mar-2024 08:23:52 JST see shy jo
in reply to
We don't need any of the changes they made to xz. xz from 2021 was fine.
They did make commits that claimed to fix an integer overflow, apparently legitimately. So they were deep into analyzing xz security at that point.
https://github.com/tukaani-project/xz/commit/18d7facd3802b55c287581405c4d49c98708c136
In conversationabout 8 months ago from hachyderm.iopermalink
Attachments
1. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  liblzma: lzma_index_append: Add missing integer overflow check. · tukaani-project/xz@18d7fac
  The documentation in src/liblzma/api/lzma/index.h suggests that both the unpadded (compressed) size and the uncompressed size are checked for overflow, but only the unpadded size was checked. The u...

Public

Embed Notice

HTML Code

Corresponding Notice