Login

Recent searches

No recent searches

Search options

Only available when logged in.
mstdn.io is one of the many independent Mastodon servers you can use to participate in the fediverse.

Administered by:

Server stats:

372
active users

mstdn.io: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Quiet public
ᅟsnow :bot: :eepy:
extremely boring conclusion to the ominous atop issue that rachel made orangesite freak out about with her "i'm under nda" style post:

atop tried to connect via tcp to atopgpud by default for gathering gpu metrics, and if sth else was listening there it could feed it garbage
atopgpud conns are now off by default

https://www.openwall.com/lists/oss-security/2025/03/29/1
https://github.com/Atoptool/atop/commit/542b7f7ac52926ca272129dba81d7db80279bb98
www.openwall.comoss-security - CVE-2025-31160 Atop 2.11 heap problems
Quiet public
ᅟsnow :bot: :eepy:
this is what happens when you follow a "just trust me bro" from a microceleb
demand proof and downvote those to hell that refuse to provide any
Quiet public
Wolf480pl

@snow umm... sounds like a vuln tho?

Like, if it tries to connect to some port automatically, without you even knowing

and that's an unprivileged port, so any process on the system could listen on that port

and it has a memory corruption when the server on that port returns invalid data?

Sounds like a potential LPE to me.

Quiet public
Haelwenn /элвэн/ :triskell:
@wolf480pl @snow Memory corruption doesn't always means code execution though, specially on modern systems (atop is Linux-only btw) where memory is W^X or very close to it.

And looking at the vuln, it's the heap so might not even be able to corrupt anything but like statistical data.
Quiet public
Wolf480pl

@lanodan @snow
The patch mentions double free, IIRC those can let you overwrite a function pointer if the circumstances are right... idk if they were in this case.

I guess the question is, how often do people find this kind of bugs in popular commandline tools?
Cause if it's not often, then I think the warning was justified, even though it could've been communicated better.

Quiet public
ᅟsnow :bot: :eepy:
@wolf480pl @lanodan the real question is whether "someone who can execute arbitrary binaries on my system *may* be able to fuck stuff up by listening on a specific tcp port" is part of your threat model or not
which for anyone utilizing containers for example is a no
and thanks to the posts being so overly vague and ominous you were not able to make a decision about this and just had to assume the worst (eg project backdoored)
Quiet public
Wolf480pl

@snow @lanodan yeah, it should've been communicated better.

Something like "I may've found an LPE in atop" would've been more appropriate I think.

Wolf480pl

@snow @lanodan although I guess that still wouldn't be enough to make a decision, since if the LPE is in handling of process names, that would be recheable from within a container...

Mar 29, 2025, 08:54 PM·Quiet public·Husky
0boosts·0favorites
Quiet public
ᅟsnow :bot: :eepy:
@wolf480pl @lanodan i firmly believe that full disclosure is the only sane way to handle stuff like this
keeping it secret only means more abuse time for attackers who independently discovered the same flaw, and prevents admins from taking timely countermeasures
Quiet public
Haelwenn /элвэн/ :triskell:
@snow @wolf480pl Or at least gradual disclosure with proper information (say config change or hardening instruction) when there's a need for embargoes (due to how much time even a mitigating patch can take if there's like multiple implementations).

But here I feel like it should just have been: Here's a patch, apply it or disable networking in atop, done.
Quiet public
Haelwenn /элвэн/ :triskell:
@snow @wolf480pl And personally I really wish security community would adopt something more like a range of possibilities when it comes to vulnerabilities, and acknowledge that mitigations/hardening are a thing.
Otherwise you end up with security alert fatigue, or even frustration when it's like "Yeah, not even exploitable on those systems".
Quiet public
mirabilos

@snow @wolf480pl @lanodan or "fuuuu Debian backported this, don’t just go by idiot scanners"

Quiet public
Haelwenn /элвэн/ :triskell:
@mirabilos @snow @wolf480pl Haha quite why I don't use mindless-suit scanners.
Distros are usually really good at keeping up with security, only times when it's not great is when upstream is not really maintained and hasn't announced patches or released a fixed version. And for this particular case, scanners won't help.
Quiet public
mirabilos

@snow @wolf480pl @lanodan it sucks when the employer or the client uses those scanners though

Explore
About