kidney

@[email protected]
7 Followers
90 Following
193 Posts
kidneyJun 20, 2024
daniel:// stenberg://Jun 20, 2024

Inside 22,734 Steam games

https://daniel.haxx.se/blog/2024/06/20/inside-22734-steam-games/

#curl

Inside 22,734 Steam games | daniel.haxx.se

kidneyApr 26, 2024
Kenn WhiteApr 18, 2024

Incredible research at BlackHat Asia today by Tong Liu and team from the Institute of Information Engineering, Chinese Academy of Sciences (在iie.ac.cn 的电子邮件经过验证)

A dozen+ RCEs on popular LLM framework libraries like LangChain and LlamaIndex - used in lots of chat-assisted apps including GitHub. These guys got a reverse shell in two prompts, and even managed to exploit SetUID for full root on the underlying VM!

kidneyApr 7, 2024
LiamApr 7, 2024

If you give money to a #FOSS project #OpenSource, unless it was some special signed agreement, you don’t get to tell them how they use it. It’s now their money.

For some it’s a hobby, for some it is their job, but either way it’s their time and that does cost money. We all gotta eat and live and pay bills.

If you’re gonna get mad, don’t donate. If you want something specific: do it via a proper signed agreement where you’re basically contracting them. Otherwise, shhh.

kidneyApr 3, 2024
hannoMar 30, 2024
Given that I see calls for better support for those random opensource devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important+popular xml library out there - and he has a message in his latest changelog that you may want to read: https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes
libexpat/expat/Changes at R_2_6_2 · libexpat/libexpat

:herb: Fast streaming XML parser written in C99 with >90% test coverage; moved from SourceForge to GitHub - libexpat/libexpat

GitHub
kidneyMar 30, 2024
AndresFreundTecMar 29, 2024

I accidentally found a security issue while benchmarking postgres changes.

If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

kidneyFeb 23, 2024
daniel:// stenberg://Feb 22, 2024

try "curl pkmn.li"

(via @glow )

kidneyJan 2, 2024
daniel:// stenberg://Jan 2, 2024

The I in LLM stands for intelligence

On how people now use AI to submit security reports on #curl.

https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/

The I in LLM stands for intelligence

I have held back on writing anything about AI or how we (not) use AI for development in the curl factory. Now I can't hold back anymore. Let me show you the most significant effect of AI on curl as of today - with examples. Bug Bounty Having a bug bounty means that we offer … Continue reading The I in LLM stands for intelligence →

daniel.haxx.se
kidneyJan 2, 2024
daniel:// stenberg://Jan 2, 2024

"Buffer Overflow Vulnerability in WebSocket Handling".

A bot? An AI? Just a silly reporter? Another fine waste of #curl maintainer time.

https://hackerone.com/reports/2298307

curl disclosed on HackerOne: Buffer Overflow Vulnerability in...

## Summary: Hello security team, Hope you are doing well :) I would like to report a potential security vulnerability in the WebSocket handling code of the curl library. The issue is related to the usage of the `strcpy` function, which can lead to a buffer overflow if the length of the input is not properly checked. The vulnerable code snippet is located at [this...

HackerOne
kidneyNov 30, 2023
daniel:// stenberg://Nov 30, 2023
This tireless "fan" of mine does not give up easily, even though his comments never actually get displayed on my blog...