hanno on Nostr: I contacted the responsible project, but I never got an answer and never really got ...
I contacted the responsible project, but I never got an answer and never really got to the bottom of this. But here's what I think happened: This was a proof of concept file for a yet unfixed and undisclosed vulnerability. It appears the developer already had a testcase for that bug in his local copy of the source tree. And then created the tarball from that source tree. And by doing that leaked a PoC for a zeroday. FWIW, it was "only" a DoS bug. But still.
Published at 2024-03-29 21:17:15
Event JSON
{
"id": "d1e5433255f4bc85567e155ec94acad41b3ccc5b354f3e5fcbbd7e88be62a4db",
"pubkey": "81399f0766981ade02ea2340eeb20f619f4d4a78a08dbfa35f36703f944d5992",
"created_at": 1711747035,
"kind": 1,
"tags": [
[
"p",
"81399f0766981ade02ea2340eeb20f619f4d4a78a08dbfa35f36703f944d5992"
],
[
"e",
"93ca04141b549e7c912330f376816ee7c7cd18a7fd593e18bc634c9535371d16",
"",
"root"
],
[
"e",
"e95a673a825b1e7bcefeffa1a2c31fc627b81ceba19cef7d95818457887529e7",
"",
"reply"
],
[
"proxy",
"https://mastodon.social/users/hanno/statuses/112181053715662946",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/hanno/statuses/112181053715662946",
"pink.momostr"
]
],
"content": "I contacted the responsible project, but I never got an answer and never really got to the bottom of this. But here's what I think happened: This was a proof of concept file for a yet unfixed and undisclosed vulnerability. It appears the developer already had a testcase for that bug in his local copy of the source tree. And then created the tarball from that source tree. And by doing that leaked a PoC for a zeroday. FWIW, it was \"only\" a DoS bug. But still.",
"sig": "632d76f467411a3900d825bdf4ef60bff20488e11218ab4c4230f8aab6492fe05e4f77b095a10b85893bcd62c7b30c0c9c17696fe6e8d29a718d874b77793aef"
}
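The mechanism hanno describes is a tarball rolled from the packager's working tree rather than from the tagged commit, so anything untracked in that tree ships along with the release. Added example, not hanno's code and not the affected project's: a POSIX shell check that lists what a release tarball contains that git does not track at the corresponding tag. The repository, the tag name v1.0 and the file name tests/poc-crash.input are constructed here for the demo.

```shell
#!/bin/sh
# Added example (not from the post): report files shipped in a release
# tarball that are not tracked by git at the release tag.
# The demo repo, tag "v1.0" and "tests/poc-crash.input" are constructed.
set -eu

# tarball_extras TARBALL REPO TAG
# Prints every regular path in TARBALL (leading "<name>-<ver>/" stripped)
# that `git ls-tree` does not list at TAG, i.e. content that came from the
# packager's working tree instead of from version control.
tarball_extras() {
    tb=$1; repo=$2; tag=$3
    scratch=$(mktemp -d)
    # tar -t prints directories with a trailing slash; drop those, then drop
    # the top-level directory component so paths compare to git's.
    tar -tzf "$tb" | grep -v '/$' | sed 's|^[^/]*/||' | sort -u > "$scratch/shipped"
    git -C "$repo" ls-tree -r --name-only "$tag" | sort -u > "$scratch/tracked"
    # lines only in "shipped": present in the tarball, unknown to git at TAG
    comm -23 "$scratch/shipped" "$scratch/tracked"
    rm -rf "$scratch"
}

# --- constructed demo: one tracked source file, a tag, and an untracked
# regression test that a `tar` of the working tree picks up anyway ---
DEMO=$(mktemp -d)
DEMO_REPO=$DEMO/proj-1.0
DEMO_TARBALL=$DEMO/proj-1.0.tar.gz
mkdir -p "$DEMO_REPO/src" "$DEMO_REPO/tests"
git -c init.defaultBranch=main init -q "$DEMO_REPO"
echo 'int main(void) { return 0; }' > "$DEMO_REPO/src/main.c"
git -C "$DEMO_REPO" add src/main.c
git -C "$DEMO_REPO" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'release 1.0'
git -C "$DEMO_REPO" tag v1.0
# The unreleased test case exists only in the working tree, never committed.
printf 'crash-me\n' > "$DEMO_REPO/tests/poc-crash.input"
# The packager tars the working tree (minus .git), as in the leak described.
tar -czf "$DEMO_TARBALL" --exclude=.git -C "$DEMO" proj-1.0

echo "shipped in $(basename "$DEMO_TARBALL") but untracked at v1.0:"
tarball_extras "$DEMO_TARBALL" "$DEMO_REPO" v1.0
```

On a real autotools project this list will also contain legitimately generated files such as configure or Makefile.in, so compare the output against a short allow-list of expected build output and review everything else by hand; a test input, a fuzzer crash file or a modified macro that git has never seen is exactly what should stop a release.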