Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/isotopp/statuses/114227935897858407">Kris (isotopp@infosec.exchange)'s status on Wednesday, 26-Mar-2025 20:52:11 JST</a><a href="https://infosec.exchange/@isotopp" title="isotopp@infosec.exchange"><img src="https://gnusocial.jp/avatar/283617-48-20241231005446.webp" width="48" height="48" alt="Kris" style="position: absolute; left: 0; top: 0;">Kris</a><div><a href="https://infosec.exchange/@0xabad1dea/114227476091716735" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://infosec.exchange/@0xabad1dea">@0xabad1dea</a> </p><p>Summary of the HN discussion so far</p><ul><li>I trust Rachel and I am uninstalling</li><li>Use btop</li><li>Is that installed anywhere by default?</li><li>Why is she so vague?</li></ul><p>and <a href="https://news.ycombinator.com/item?id=43478866" rel="nofollow">https://news.ycombinator.com/item?id=43478866</a>, <a href="https://github.com/Atoptool/atop/blame/037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc/rawlog.c#L554-L556" rel="nofollow">https://github.com/Atoptool/atop/blame/037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc/rawlog.c#L554-L556</a>, 14 years ago, which I would not less pass in a code review today.</p><p>This ends up being a call to execl() to a binary without a path, and a sh with interpolation inbetween. It should be a call to execve() with a clean env, and a path to a binary, sans sh.</p><p>If this is run as root in a suid binary, it would be not good.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4794647#notice-9393665">In conversation</a><time datetime="2025-03-26T20:52:11+09:00" title="Wednesday, 26-Mar-2025 20:52:11 JST">about 20 days ago</time> <span>from <span><a href="https://infosec.exchange/@isotopp/114227935897858407" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@isotopp/114227935897858407">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: news.ycombinator.com</div><h5><a href="https://news.ycombinator.com/item?id=43478866">No one else seems to have run 'grep system(', so I will: https://github.com/Atop... | Hacker News</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/Atoptool/atop/blame/037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc/rawlog.c#L554-L556">Blaming atop/rawlog.c at 037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc · Atoptool/atop</a></h5><div></div></header><div>System and process monitor for Linux. Contribute to Atoptool/atop development by creating an account on GitHub.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Kris (isotopp@infosec.exchange)'s status on Wednesday, 26-Mar-2025 20:52:11 JSTKris
in reply to
- abadidea
@0xabad1dea
Summary of the HN discussion so far
- I trust Rachel and I am uninstalling
- Use btop
- Is that installed anywhere by default?
- Why is she so vague?
and https://news.ycombinator.com/item?id=43478866, https://github.com/Atoptool/atop/blame/037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc/rawlog.c#L554-L556, 14 years ago, which I would not less pass in a code review today.
This ends up being a call to execl() to a binary without a path, and a sh with interpolation inbetween. It should be a call to execve() with a clean env, and a path to a binary, sans sh.
If this is run as root in a suid binary, it would be not good.
In conversationabout 20 days ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: news.ycombinator.com
  No one else seems to have run 'grep system(', so I will: https://github.com/Atop... | Hacker News
2. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  Blaming atop/rawlog.c at 037a6d3e4ace6c7be6c5dcf0c286c013e3c884cc · Atoptool/atop
  System and process monitor for Linux. Contribute to Atoptool/atop development by creating an account on GitHub.

Public

Embed Notice

HTML Code

Corresponding Notice