Conversation
Notices
-
r (r@freesoftwareextremist.com)'s status on Monday, 18-Sep-2023 16:18:42 JST 
r
Patch for the vulnerability in bloat that allows a malicious upstream server (Pleroma/Mastadon) to return crafted JSON data in the response of an API called by bloat to make it go out of memory and cause Denial of Service.
The attack could be performed by a malicious user by connecting to a malicious server. Technically, it doesn't have to be a Mastodon compatible server, any HTTP server that'd respond to the HTTP paths requested by bloat could work.
bloat instances running in the single instance mode are not affected assuming the specified instance doesn't serve the malicious response.
The patch applies a limit on the size of the response returned by the server, currently set to 8MiB.
https://git.freesoftwareextremist.com/bloat/commit/?id=ad38855261dca802439922f71408e2b08e7c10ea- and † top dog :pedomustdie: like this.
-
r (r@freesoftwareextremist.com)'s status on Monday, 18-Sep-2023 16:18:41 JST
r
Tagging people who I think run bloat and were asking for clarification in the announcement thread.
@p @w @Moon @mint @kirby @dcc and † top dog :pedomustdie: like this. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 16:22:32 JST 
@r @dcc @w @p @kirby @Moon Will patch it once I get home, thanks. † top dog :pedomustdie: likes this. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Monday, 18-Sep-2023 16:23:36 JST 
† top dog :pedomustdie:
@mint @w @r @p @kirby @Moon Nice -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 16:25:10 JST
@r @Moon @dcc @kirby @p @w >bloat instances running in the single instance mode are not affected
I think they might be. If you authorize to an instance A, then change bloat's config to be in single instance mode for instance B and restart it, auth cookie for instance A on said bloat server will keep working. Crafting your own cookie pointing to malicious server with arbitrary oauth tokens should be possible as well. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 16:27:51 JST
@kirby @dcc @w @r @p @Moon It's just base64 encoded json with instance address and auth token for it. † top dog :pedomustdie: likes this. -
this ad CAN be blocked, bitch (kirby@lab.nyanide.com)'s status on Monday, 18-Sep-2023 16:27:52 JST 
this ad CAN be blocked, bitch
@mint @dcc @w @r @p @Moon >crafting your own malicious cookie...
A bit concerning -
r (r@freesoftwareextremist.com)'s status on Monday, 18-Sep-2023 16:33:11 JST
r
@mint @dcc @w @p @kirby @Moon Oh right, need to fix that too. and † top dog :pedomustdie: like this. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 16:34:14 JST
@kirby @dcc @w @r @p @Moon I guess. It's nowhere near as severe as he was trying to present it. -
this ad CAN be blocked, bitch (kirby@lab.nyanide.com)'s status on Monday, 18-Sep-2023 16:34:15 JST
this ad CAN be blocked, bitch
@mint @dcc @w @r @p @Moon huh. Is this what w was panicking about? -
this ad CAN be blocked, bitch (kirby@lab.nyanide.com)'s status on Monday, 18-Sep-2023 16:37:59 JST
this ad CAN be blocked, bitch
@mint @dcc @w @r @p @Moon i swear if he presents this as the critical security issue that caused some panic words will not be able to describe how upset I will be and † top dog :pedomustdie: like this. -
tsoifan1997 (sysrq@lab.nyanide.com)'s status on Monday, 18-Sep-2023 16:44:51 JST 
tsoifan1997
@mint @dcc @w @r @p @kirby @Moon
shocker† top dog :pedomustdie: likes this. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Monday, 18-Sep-2023 16:45:15 JST
† top dog :pedomustdie:
@sysrq @w @r @p @kirby @mint @Moon They will pet your cat from you're computer screen.... likes this. -
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Monday, 18-Sep-2023 16:46:33 JST
† top dog :pedomustdie:
@sysrq @w @r @p @kirby @mint @Moon https://annihilation.social/notice/AZsQsF9K7tHaOvl2p6 -
tsoifan1997 (sysrq@lab.nyanide.com)'s status on Monday, 18-Sep-2023 16:46:34 JST
tsoifan1997
@dcc @w @r @p @kirby @mint @Moon
:irvingwat: incomprehensible -
r (r@freesoftwareextremist.com)'s status on Monday, 18-Sep-2023 19:21:09 JST
r
@roboneko @dcc @w @p @kirby @mint @Moon It used to work as intended until bloat started storing sessions in the cookies. I fixed it just now. I don't want to sign the cookies with something like JWT.
https://git.freesoftwareextremist.com/bloat/commit/?id=e50f12b6158ffae6b0b59f2902798ae86d263b5d and † top dog :pedomustdie: like this. -
verified neko :verified::verified::verified::makemeneko: (roboneko@bae.st)'s status on Monday, 18-Sep-2023 19:21:10 JST 
verified neko :verified::verified::verified::makemeneko:
@mint @dcc @w @r @p @kirby @Moon so single instance mode is a lie? :02_laugh: repeated this. -
pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Monday, 18-Sep-2023 20:14:42 JST 
pomstan
@mint @dcc @w @r @p @kirby @Moon yeah it’s a fucking nothingburger. some software can leak memory even on legitimate workloads so if you have no system-wide way of guarding against that, just don’t host anything
likes this. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 20:22:19 JST
@r @Moon @dcc @kirby @p @w Had to resolve a bunch of merge conflicts since upstream made some changes to templates as well. Apparently, go's template engine takes precedence to .orig files made by git merge which confused me for a while before I cleaned them up as usual. Should be up on https://gitgud.io/mintplg/bloat, agency's/salon's bloat will follow shortly.
Screenshot_20230918_141335.png† top dog :pedomustdie: likes this. -
laurel (laurel@freespeechextremist.com)'s status on Monday, 18-Sep-2023 21:11:34 JST 
laurel
@mint @kirby @Moon @dcc @p @r @w
Doesn't it apply to anyone using the Go http package without a timeout and/or a size check of the response?
Which I think a lot of people are doing. likes this. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 21:13:56 JST
@laurel @dcc @w @r @p @kirby @Moon Possibly, I haven't dipped into its ecosystem. -
laurel (laurel@freespeechextremist.com)'s status on Monday, 18-Sep-2023 21:22:33 JST
laurel
@mint @Moon @dcc @kirby @p @r @w
Just to clarify. What I meant is that it is very close to intended behavior of the http package.
Probably the original "security researcher" found someone concern trolling on git about it and thought he'd milk it here. likes this. -
pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Monday, 18-Sep-2023 21:25:37 JST
pomstan
@laurel @dcc @w @r @p @kirby @mint @Moon yeah http defaults are infamously bad: https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/
likes this. -
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Tuesday, 19-Sep-2023 00:19:35 JST 
pistolero :thispersondoesnotexist:
@r @Moon @dcc @kirby @mint @w Not super critical, but go.mod says 1.13, and it doesn't build with 1.17. http.MaxBytesError was added in 1.19 so I tweaked go.mod to do it that way.
tweak.patch likes this. -
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Tuesday, 19-Sep-2023 00:19:36 JST
pistolero :thispersondoesnotexist:
@r @Moon @dcc @kirby @mint @w :bigbosssalute: -
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Tuesday, 19-Sep-2023 00:20:34 JST
pistolero :thispersondoesnotexist:
@mint @Moon @dcc @kirby @r @w Best screenshot. likes this. -
r (r@freesoftwareextremist.com)'s status on Tuesday, 19-Sep-2023 00:53:41 JST
r
@p @dcc @w @kirby @mint @Moon And the README mentions 1.11 as minimum required version. I remember changing a few things to keep it compatible with 1.11, but that was quite a while ago. The reason for sticking to that version was because then current Debian stable had it. Will see if it's worth sticking to that by refactoring the code a bit or just change it to a newer version. likes this.
All 076萌SNS content and data are available under the 