Interesting. The vulnerability is a TOCTOU one that I have a paper about:
https://www.researchgate.net/publication/2462817_Checking_for_Race_Conditions_in_File_Accesses?_tp=eyJjb250ZXh0Ijp7InBhZ2UiOiJzY2llbnRpZmljQ29udHJpYnV0aW9ucyIsInByZXZpb3VzUGFnZSI6bnVsbH19
But it is in a function that gossip isn't triggering . Gossip uses tempdir 0.3.7 which relies on an old remove_dir_all crate with the bug. But we don't call any remove directory functionality in tempdir, and tempdir hasn't been updated. So we are safe and can't even update right now if we wanted to.
Mike Dilger ☑️ /
npub1ac…9p35c
2025-06-05 03:21:11
in reply to nevent1q…p89w
Author Public Key
npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35cPublished at
2025-06-05 03:21:11Event JSON
{
"id": "33655c94e7d1b2469fbc213b2531c840df9ca6ad3b976858209de3334b3c34e4",
"pubkey": "ee11a5dff40c19a555f41fe42b48f00e618c91225622ae37b6c2bb67b76c4e49",
"created_at": 1749093671,
"kind": 1,
"tags": [
[
"p",
"c3caba20313ab8a447d9aae50f45ef505a8454c5748f60e0ce013541f80e20f2"
],
[
"e",
"9858f4e71e4ff62120c723b752f910b73f703ed1df63b66fb524dac1a921930d",
"wss://wot.utxo.one/",
"root",
"c3caba20313ab8a447d9aae50f45ef505a8454c5748f60e0ce013541f80e20f2"
]
],
"content": "Interesting. The vulnerability is a TOCTOU one that I have a paper about:\n\nhttps://www.researchgate.net/publication/2462817_Checking_for_Race_Conditions_in_File_Accesses?_tp=eyJjb250ZXh0Ijp7InBhZ2UiOiJzY2llbnRpZmljQ29udHJpYnV0aW9ucyIsInByZXZpb3VzUGFnZSI6bnVsbH19\n\nBut it is in a function that gossip isn't triggering . Gossip uses tempdir 0.3.7 which relies on an old remove_dir_all crate with the bug. But we don't call any remove directory functionality in tempdir, and tempdir hasn't been updated. So we are safe and can't even update right now if we wanted to.\n",
"sig": "be70e3d2b090b96841eb05602481492097d1f6a60bf8ca5490d7f343d6c17fa1bc285b30a0be9b16585e64293d2ec53283bfb0dc862397622012470493f9689a"
}