Post AZmpPTTr8scMkMsUL2 by babouille@piaille.fr
 (DIR) Post #AZkb8dK9qZcrV9v8JU by shlee@aus.social
       2023-09-14T06:31:09Z
       
       2 likes, 7 repeats
       
       CVE-2023-41064 is going to require patching everything that renders WebP images. Every browser/Electron apps/mobile apps like Telegram/Flutter apps/etc etc
       
       Welcome to the modern software supply chain!
       
 (DIR) Post #AZkb8eEsRgzoL4SQim by shlee@aus.social
       2023-09-14T06:41:01Z
       
       0 likes, 2 repeats
       
       Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
       Chrome: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
       Edge: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
       Electron: https://github.com/electron/electron/pull/39828
       1Password: https://releases.1password.com/mac/8.10/#1password-for-mac-8.10.15
       etc etc
       
 (DIR) Post #AZkcmjn5K7wL5w8cE4 by bortzmeyer@mastodon.gougere.fr
       2023-09-14T07:37:33Z
       
       0 likes, 0 repeats
       
       @shlee Patching dynamic libraries is not enough? Not every app is built statically, thanks, gods.
       
 (DIR) Post #AZkgDFCTSxbTtwLQRs by aeris@firefish.imirhil.fr
       2023-09-14T07:44:15.868Z
       
       0 likes, 0 repeats
       
       @bortzmeyer@mastodon.gougere.fr @shlee@aus.social Mostly all electron apps embed their libs…
       
 (DIR) Post #AZkgDFt0undC1sFOkq by bortzmeyer@mastodon.gougere.fr
       2023-09-14T08:15:55Z
       
       0 likes, 0 repeats
       
       @aeris @shlee I did not even know there were Electron apps on Apple stuff.
       
 (DIR) Post #AZkgPMj3JQtUiSMXzc by shlee@aus.social
       2023-09-14T08:18:06Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @aeris I'd need to look into it.. but as I understand, it's not a full blown Electron.. but definitely a subnet like a "progressive web app" style of Electron.
       
 (DIR) Post #AZkoVoJeRcY5em48Nk by lanodan@queer.hacktivis.me
       2023-09-14T09:48:33.736598Z
       
       1 likes, 3 repeats
       
       @shlee And as usual for supply chains:
       - distros: Fixed for everyone in less than a day, maybe a bit more when vendoring wasn't already patched out
       - everyone else: Going to stay vulnerable basically forever, because devs aren't integrators
       
 (DIR) Post #AZlFooOyhfUxMgQ1bs by bortzmeyer@mastodon.gougere.fr
       2023-09-14T14:54:56Z
       
       0 likes, 0 repeats
       
       @shlee Isn't it CVE-2023-4863? (CVE-2023-41064 seems Apple-only, and a different bug).
       
 (DIR) Post #AZm9W1pGAFOsvgKdSy by shlee@aus.social
       2023-09-15T01:18:58Z
       
       0 likes, 0 repeats
       
       @bortzmeyer mmmm yeah. That was a typo, but I think they have the same root cause... Too many boosts to edit now
       
 (DIR) Post #AZmpMsF4cg86ftiuRc by babouille@piaille.fr
       2023-09-15T09:07:54Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @shlee but some very edgy dudes said static linking sucks™ !
       
 (DIR) Post #AZmpPTTr8scMkMsUL2 by babouille@piaille.fr
       2023-09-15T09:08:26Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @shlee but some very edgy dudes said dynamic linking sucks™ !
       
 (DIR) Post #AZmpZkz4v35RvfNuwS by bortzmeyer@mastodon.gougere.fr
       2023-09-15T09:10:18Z
       
       0 likes, 0 repeats
       
       @babouille @shlee They are wrong, and should be recycled.