Back to the grindstone, this had small nuts and bolts, and is rusty below. But, boy howdy, those are some #ActiveIngredients if I ever saw a list of pre-FDA fol-de-rol...
#PSA don't actually ingest anything like this, kids.

#PPS not reading the directions about applying to bottom.

#psa after the switch from daylight saving time it is already 0:19.

I'll take a guess at what the Telegram exploit is. Mostly because people seem to be concerned, there is little information, and the recommendation appears to be "Disable automatic media download", but I am worried about the mixture of severity and lack of information, so I at least thought to speculate based on the information available and what I can see.

--

Now, please do keep in mind that I have spent like 15 mins on this and have hardly done anything serious, but hearing "Please do this thing to prevent an exploit but I don't have details" isn't exactly ideal. I'm also jumping to some conclusions as to what is exploitable.

--

1. Got notified regarding this CVE via a friend.

* CVE for Telegram - https://bsky.app/profile/redteef.bsky.social/post/3mi3ki5tip227

The main advice appears to be to disable automatic media download. My assumption is that some library related to processing media has some issue.

2. pmap of my running Telegram process: saw libjxl and wondered what state it was in (refer to the media attached).

3. Looked up issues related to libjxl on GitHub - https://github.com/libjxl/libjxl/issues/4539
"libjxl JPEG XL decoder crash due to uninitialized pointer access in malformed images". One of the screenshots shows the output "Illegal Instruction (Core Dump)", which is sinister: this can mean the CPU attempted to execute an instruction it doesn't understand, and if that segment can be manipulated, this can potentially lead to arbitrary code execution.

Which then also led me to this: https://github.com/advisories/GHSA-76gx-97cq-65f5

---

Disclaimer: I can't say it is even about libjxl or related to the CVE mentioned in 1, but I can at least see an attack like so (which gives weight to disabling media for Telegram):

1. Attacker crafts a suitable image to manipulate the decoder; the image contains data that can manipulate the pointer and/or the data in the segment it could point to (for reference, just enough data to get a shell or establish a connection to something else is enough).

2. Attacker sends the image on a platform where a user using this library will decode it.

3. The decoded image will then be able to execute the payload. The attacker could gain control via this method.

---

While this may seem silly, please also do not hound or abuse the devs at libjxl. The last thing I want is people going after those who are trying their best to fix the issues I have listed and who do not control what Telegram includes in its builds.

#telegram #cve #attachments #media #libjxl #psa
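The bug class the post above speculates about (a decoder reaching through a pointer that was only set on one parse path) is easier to reason about with a small worked example. The block below is an added illustration, not code from the post, from libjxl, or from Telegram, and it does not reproduce the actual libjxl issue: the file format, the field names, and both decoders are a constructed toy. It pairs a decoder that trusts a "pixel format" byte against a palette pointer it never initialized with a hardened version that zero-initializes its state, bounds-checks every length, and rejects input where the two fields disagree.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (hypothetical; not JPEG XL and not libjxl code):
 *   [0] width (1..16)   [1] height (1..16)
 *   [2] flags: bit0 = a palette chunk follows the header
 *   [3] pixel format: 0 = 8-bit gray, 1 = palette index
 *   if flags&1: [4] = N (palette entries, 1..255), then N palette bytes
 *   then width*height pixel bytes
 * A malformed file can set format = INDEXED while leaving flags bit0 clear;
 * the decoder must not assume those two fields agree. */
#define GRAY    0
#define INDEXED 1

typedef struct {
    int width, height, format;
    const uint8_t *palette;   /* only assigned when a palette chunk is parsed */
    int palette_len;
} img_t;

/* Vulnerable decoder: `img` is never zeroed, so on an INDEXED image without a
 * palette chunk `palette` holds whatever was on the stack. Dereferencing it is
 * undefined behaviour (typically a crash), the kind of condition a crafted
 * file can turn into something worse. Also skips bounds checks on purpose. */
static int decode_vuln(const uint8_t *buf, size_t len, uint8_t *out, size_t outlen)
{
    img_t img;                                   /* BUG: uninitialized fields */
    size_t pos = 4;
    if (len < 4) return -1;
    img.width = buf[0]; img.height = buf[1]; img.format = buf[3];
    if (buf[2] & 1) {
        if (pos >= len) return -1;
        img.palette_len = buf[pos];
        img.palette = buf + pos + 1;
        pos += 1 + (size_t)img.palette_len;      /* BUG: palette may run past len */
    }
    size_t npix = (size_t)img.width * (size_t)img.height;
    if (pos + npix > len || npix > outlen) return -1;
    for (size_t i = 0; i < npix; i++) {
        uint8_t v = buf[pos + i];
        /* BUG: trusts the format byte; palette may be unset, index unchecked */
        out[i] = (img.format == INDEXED) ? img.palette[v] : v;
    }
    return (int)npix;
}

/* Hardened decoder: zero-initialize, validate every length against `len`,
 * and require that fields which must agree actually do. Return codes are
 * this example's own convention: -1 malformed header/length, -2 indexed
 * image without a palette, -3 palette index out of range. */
static int decode_safe(const uint8_t *buf, size_t len, uint8_t *out, size_t outlen)
{
    img_t img = {0};                             /* FIX: palette == NULL until parsed */
    size_t pos = 4;
    if (buf == NULL || out == NULL || len < 4) return -1;
    img.width = buf[0]; img.height = buf[1]; img.format = buf[3];
    if (img.width < 1 || img.width > 16 || img.height < 1 || img.height > 16) return -1;
    if (img.format != GRAY && img.format != INDEXED) return -1;
    if (buf[2] & 1) {
        if (pos >= len) return -1;
        img.palette_len = buf[pos];
        if (img.palette_len == 0 || pos + 1 + (size_t)img.palette_len > len) return -1;
        img.palette = buf + pos + 1;
        pos += 1 + (size_t)img.palette_len;
    }
    /* FIX: an indexed image with no palette chunk is malformed; reject it
     * rather than reach for a pointer that was never set. */
    if (img.format == INDEXED && img.palette == NULL) return -2;
    size_t npix = (size_t)img.width * (size_t)img.height;
    if (pos + npix > len || npix > outlen) return -1;
    for (size_t i = 0; i < npix; i++) {
        uint8_t v = buf[pos + i];
        if (img.format == INDEXED) {
            if (v >= img.palette_len) return -3;  /* FIX: index bounds check */
            out[i] = img.palette[v];
        } else {
            out[i] = v;
        }
    }
    return (int)npix;
}

/* Constructed sample inputs (not real image files). */
static const uint8_t good_img[] = { 2, 2, 1, INDEXED, 3, 0x10, 0x20, 0x30,  0, 2, 1, 0 };
/* Same pixels, palette-present flag cleared: format still says INDEXED, so
 * decode_vuln would read through an uninitialized pointer. */
static const uint8_t bad_img[]  = { 2, 2, 0, INDEXED, 0, 2, 1, 0 };
/* Palette present but one index (5) points past its 3 entries. */
static const uint8_t oob_img[]  = { 2, 2, 1, INDEXED, 3, 0x10, 0x20, 0x30,  0, 5, 1, 0 };

int main(void)
{
    uint8_t px[16];
    int n = decode_safe(good_img, sizeof good_img, px, sizeof px);
    printf("good image: %d pixels, first pixel 0x%02x\n", n, px[0]);
    printf("no-palette image: decode_safe -> %d\n", decode_safe(bad_img, sizeof bad_img, px, sizeof px));
    printf("out-of-range index: decode_safe -> %d\n", decode_safe(oob_img, sizeof oob_img, px, sizeof px));
    /* decode_vuln(bad_img, ...) is deliberately not called: it is undefined behaviour. */
    return 0;
}
```

The point of the pairing is not the specific format but the checklist: every pointer in decoder state starts as NULL, every length claimed by the input is compared against the buffer actually received, and any two header fields that imply each other are checked for consistency before the pixel loop runs. Fuzzing decode_vuln with the second sample under a sanitizer would report the uninitialized read directly, which is the cheapest way to find this class before a crafted file does.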

In modern society, we really should not have people cooking with oil who do not know two things...

1) water spreads the fire
2) how to put out an oil fire

Put a top on the pan, use a fire blanket, or use a fire extinguisher (messy)

--
Do not film your cooking lesson and look back at the camera while the fire is going and say "What do I do..." or "Help..."

KNOW BEFORE YOU TURN THE STOVE ON!!!

#PSA
#YOUTUBE
#PARENTS
#K12Education

🤯

(🤍 Nova) PSA to Fedi admins: If you're going to have an announcements account that is not monitored for DMs, please consider linking one or more personal accounts of your instance's moderation team!

My system occasionally checks on instances for activity from their admins (simply because we're on fedi and are neurodivergent), and there have been times where we found instances with announcements accounts or personal accounts of instance staff that show no signs of activity (last post is more than a year old), which is bad if an instance is open-registration. We have seen open-registration instances with no visible activity from staff become infested with spam bots as well as CSAM, so we personally put possibly-abandoned instances up for review by the rest of enby.life staff, especially if the instance is a public instance (more than 50 active users per month).

#FediAdmin #PSA #Moderation
Your end-users shouldn't have to figure out how to ask for help. They shouldn't need to know which tool to use, which portal to open, or which email to send.

They should just... get support. 😄

Microsoft Teams. Mobile. Web. Desktop. Email.
Your end-users pick the channel. You handle the rest from your service desk. 💜

Multi-channel end-user support built for MSPs and IT teams. Explore more at https://deskday.com/it-connect/

Ticketing #psaformsp #PSA #MSP #ManagedIT #ITManagedServices #itticketing

RE: https://mastodon.com.pl/@LukaszHorodecki/116265836040857348

I just got back from the summary of my test results. The program is quite cleverly designed: first you fill in a questionnaire in the Internetowe Konto Pacjenta (lifestyle, diet, family illnesses, etc.), on that basis you get a referral for tests, and you collect the results from a doctor who goes through them one by one and explains what they mean, where they come from, and what can be done to bring them into line.

The doctor was kind enough to compliment my activity level, diet and weight loss, and all my results came out within the normal range, except for an elevated glucose level, so I got a referral for a glucose tolerance test and, because of my age, also a prostate-specific antigen test.

#badanie #MojeZdrowie #zdrowie #glukoza #wiek #psa

Think and teach about, and plan for, post-petrocapitalism, and how the Public's #healthcare, #education, #labor / #workers rights, #transportation, affordable #housing, access to food & #water — and the funds we the public have worked & saved & invested for, and the land resources that produce their raw materials — all #publicGoods, will be preserved and protected. All this domestic and global chaos, whiteChristian nationalism, & imposed human insecurity is about plunder and concentrating the power to prolong that plunder. It is all being cleared off the table, right now. Are guillotines necessary? Maybe not. #psa #preservation #mutualAid #resilience #rescindThePatriotAct #overturnCitizens #overturnMccutcheon
The whole Power Sound Audio movement is sunk cost fallacy, groupthink, and placebo effect #PSA #hometheater