Post B09Cpyd9lV7tAXYYIS by jrdepriest@infosec.exchange
 (DIR) Post #B093fNTg91pTSSzhgG by sjvn@mastodon.social
       2025-11-11T18:23:26Z
       
       1 likes, 1 repeats
       
       FFmpeg to Google: Fund Us or Stop Sending Bugs: https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/ by @sjvn The clash between small volunteer-driven, open-source projects, such as FFmpeg & the billion-dollar companies built on their work, which demand rapid security patches, is heating up.
       
 (DIR) Post #B093fP4wBzE8QJQyOW by wolf480pl@mstdn.io
       2025-11-11T19:06:29Z
       
       1 likes, 0 repeats
       
       @sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.
       Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos, right?
       
 (DIR) Post #B094U8ti73Xp0WNQfY by lanodan@queer.hacktivis.me
       2025-11-11T19:15:35.174850Z
       
       1 likes, 0 repeats
       
       @wolf480pl @sjvn I'd guess there's a lot of CVE-obsessed corpos, so it amplifies the spam about useless CVEs.
       After all there's often the box ticking thing of "Zero known CVEs with this version number", which is bullshit but that's corporate for you.
       
 (DIR) Post #B094ne5YMyNtFMDSTo by wolf480pl@mstdn.io
       2025-11-11T19:19:12Z
       
       1 likes, 0 repeats
       
       @lanodan @sjvn Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....
       Maybe they could create an issue on their issue tracker with the details of the vuln, and info why it's not a priority and that they lack resources to fix it.
       Then send all the angry corpos a link to that issue, and disable notifications.
       
 (DIR) Post #B0951tqCbDMW9jpgHY by wolf480pl@mstdn.io
       2025-11-11T19:21:47Z
       
       0 likes, 0 repeats
       
       @lanodan @sjvn I see three possible outcomes:
       - the corpos eventually make a patch
       - the corpos fork ffmpeg
       - the corpos remove ffmpeg from all of their products
       I don't think any of those would be tragic, though getting there might be painful :/
       
 (DIR) Post #B095IYy3SWQyLES2RE by wolf480pl@mstdn.io
       2025-11-11T19:24:48Z
       
       0 likes, 0 repeats
       
       @lanodan @sjvn Oh, also I don't blame corpos for having a "zero unfixed CVEs" policy for the simple reason that CVE metadata is not sufficient to effectively filter out things that don't affect you.
       
 (DIR) Post #B095Ty7OI2zNWvFye8 by lanodan@queer.hacktivis.me
       2025-11-11T19:26:45.060332Z
       
       1 likes, 0 repeats
       
       @wolf480pl @sjvn Well, it means they have to read and understand what's in the CVE, which can sometimes be hard but that's also why support companies (RedHat, Freexian, …) exist.
       
 (DIR) Post #B095ZqULZPdNbWnRxo by phnt@fluffytail.org
       2025-11-11T19:27:54.149110Z
       
       3 likes, 2 repeats
       
       @lanodan @sjvn @wolf480pl I've worked in _one_ of these "zero CVEs in production" companies. These decisions are usually made by managers that F5 Bleeping Computer all day and eat infosec snakeoil for breakfast. Usually accompanied by some completely dumb vuln scanner that only checks versions. Would not recommend to anybody.
       
 (DIR) Post #B095be52frwPhTop4S by wolf480pl@mstdn.io
       2025-11-11T19:28:14Z
       
       0 likes, 0 repeats
       
       @lanodan @sjvn is there one for pypi?
       
 (DIR) Post #B095mPjsKrvKPH3Lou by lanodan@queer.hacktivis.me
       2025-11-11T19:30:03.513086Z
       
       0 likes, 0 repeats
       
       @wolf480pl @sjvn PyPI specifically is kind of weird (you'd want to cover the whole stack) but there probably is, I barely do Python.
       
 (DIR) Post #B095p8dKOG6SDuI0Zs by phnt@fluffytail.org
       2025-11-11T19:30:41.500537Z
       
       1 likes, 1 repeats
       
       @wolf480pl @lanodan @sjvn The way expat deals with this is that when GPZ or someone else sends them a vulnerability and the maintainer doesn't have time for it, he asks companies he knows use expat for help if they want to fix it with him. Which I think is a reasonable solution. Usually if a company knows that they would be affected, they'll be happy to help you in some way. The problem is that it requires already existing contacts in those companies.
       
 (DIR) Post #B095qAoXld6PHE1rwe by wolf480pl@mstdn.io
       2025-11-11T19:30:52Z
       
       0 likes, 0 repeats
       
       @phnt @sjvn @lanodan I suspect that might be the only way to use CVEs at all.
       Also, have you ever worked at a company that cared about security fixes but had a more reasonable approach to it?
       
 (DIR) Post #B0967aJMDtsDHFkDHE by lanodan@queer.hacktivis.me
       2025-11-11T19:33:55.294341Z
       
       1 likes, 0 repeats
       
       @phnt @sjvn @wolf480pl For expat I guess it's fine, there isn't a ton of stuff in there so you could probably have a map of feature to corporation (same for like libxml2 and libxslt).
       But software like ffmpeg has a lot of niche stuff, and it doesn't have a separation of those like say gstreamer has.
       
 (DIR) Post #B096FvkAQDVk47GQLI by wolf480pl@mstdn.io
       2025-11-11T19:35:32Z
       
       0 likes, 0 repeats
       
       @lanodan @sjvn ok but like
       Assume I have an OS that has unattended security updates.
       And I run a web backend written in python on that host.
       And it has requirements.txt
       And I create a virtualenv and venv/bin/pip install -r requirements.txt before running my backend.
       And I want someone to go through requirements.txt, and find all libs that have vulns, and go through my code, see how I use those libs, and tell me which I need to update.
       
 (DIR) Post #B096SFSsvNdshl3PTU by wolf480pl@mstdn.io
       2025-11-11T19:37:44Z
       
       0 likes, 0 repeats
       
       @lanodan (and also you can assume the database is managed by someone else (AWS) and the web frontend is untrusted anyway)
       
 (DIR) Post #B096UkyoiuHd1gBbGa by lanodan@queer.hacktivis.me
       2025-11-11T19:38:06.444210Z
       
       0 likes, 0 repeats
       
       @wolf480pl @sjvn Except quite a lot of python projects (even more common since Rust rewrite) have code and dependencies which aren't just purely Python.
       Python isn't an OS, it's just one language in a big stack.
       
 (DIR) Post #B096Zk97Fd7jt6Ngie by wolf480pl@mstdn.io
       2025-11-11T19:39:06Z
       
       0 likes, 0 repeats
       
       @lanodan @sjvn right, but those are usually compiled by pip still?
       Like you install build-essentials on the host OS, and then pip will take care of compiling all the rust code?
       
 (DIR) Post #B0973n2p2U3FZ4lT3g by phnt@fluffytail.org
       2025-11-11T19:44:32.707206Z
       
       1 likes, 1 repeats
       
       @wolf480pl @sjvn @lanodan The "proper" way to use CVEs is just as a label for a specific vulnerability. That's all. Then you need to assess them in some way if you are even affected by the vulnerability, and if yes how much and how to deal with it. A scanner can help you with that, but the problem with those is that sometimes a vulnerability can be triggered only in some configuration and some of them don't deal with these CVEs ideally. They should essentially be only used for triage.
       A perfect example of how not to ever use CVEs is the Linux kernel. On one hand, the vast majority of them are actual, very small, vulnerabilities, but flooding the list with hundreds of them makes things only worse, which is the point. CVEs are kinda broken, but this is not the way to show how broken they are. And going through a list of 50 CVEs in a single release and figuring out if you should even care is not fun. Thankfully Red Hat for example filters the mostly non-problematic ones out and doesn't even list them. If that is a good approach is also debatable.
       > Also, have you ever worked at a company that cared about security fixes but had a more reasonable approach to it?
       Most of them are like that and my current employer is also like that. I would say that there are a lot more that simply don't care than those that care too much (doesn't help that IT departments are usually under-staffed). The "zero CVEs in production" companies are kinda rare, but they do exist.
       
 (DIR) Post #B0974OssLufqvEP3pY by lanodan@queer.hacktivis.me
       2025-11-11T19:44:33.270221Z
       
       0 likes, 0 repeats
       
       @wolf480pl @sjvn build-essentials is for C code, while Rust is pretty much exclusively through cargo and not part of the distro libraries.
       
 (DIR) Post #B097F0yHbFyHwXzfc0 by wolf480pl@mstdn.io
       2025-11-11T19:46:34Z
       
       0 likes, 0 repeats
       
       @lanodan do I have to install it manually, or does pip call cargo under the hood?
       
 (DIR) Post #B097FLHo4NTKwtHXou by phnt@fluffytail.org
       2025-11-11T19:46:37.798105Z
       
       2 likes, 1 repeats
       
       @wolf480pl @lanodan @sjvn
       > Like you install build-essentials on the host OS, and then pip will take care of compiling all the rust code?
       There's a fun catch with that. 99% of the time you just download a "wheel" from PyPI, which is a pre-compiled blob with everything and building the stuff yourself is usually non-trivial if even possible.
       
 (DIR) Post #B097XKD4oHCap6e0kS by wolf480pl@mstdn.io
       2025-11-11T19:49:52Z
       
       0 likes, 0 repeats
       
       @phnt that sounds like one of the invariants of pypi has been broken/abandoned...
       @sjvn @lanodan
       
 (DIR) Post #B097ahgNzlpaUWxrwu by lanodan@queer.hacktivis.me
       2025-11-11T19:50:22.895077Z
       
       1 likes, 0 repeats
       
       @phnt @sjvn @wolf480pl At least that comes from PyPI, there's also some horrors which download blobs in the setup.py or during runtime.
       
 (DIR) Post #B097imZdh57Tygf3UO by wolf480pl@mstdn.io
       2025-11-11T19:51:56Z
       
       0 likes, 0 repeats
       
       @lanodan @phnt @sjvn
       
 (DIR) Post #B097nsQhLjjHaSuNQO by wolf480pl@mstdn.io
       2025-11-11T19:52:52Z
       
       0 likes, 0 repeats
       
       @lanodan @phnt @sjvn so pypi has always allowed uploading binary wheels without corresponding source package?
       sigh...
       
 (DIR) Post #B097rO9XrLXYqOYkxE by phnt@fluffytail.org
       2025-11-11T19:53:30.401209Z
       
       1 likes, 1 repeats
       
       @lanodan @sjvn @wolf480pl The worst I've seen so far is linux-wallpaperengine downloading pre-compiled chromium cef with CMake. Or maybe Bazel downloading some random Python version into the build tree, because it's a dependency while Python is already installed on the system.
       First is somewhat excusable, second absolutely is not.
       
 (DIR) Post #B0983lCE0kQDmoiE7M by wolf480pl@mstdn.io
       2025-11-11T19:55:43Z
       
       0 likes, 0 repeats
       
       @lanodan @phnt @sjvn in any case:
       which binary wheels get installed, and which blobs get downloaded, is still determined by requirements.txt, right?
       So someone could recursively explore all of that pile?
       
 (DIR) Post #B0985FC3y0xP6xLOdc by lanodan@queer.hacktivis.me
       2025-11-11T19:55:54.408453Z
       
       1 likes, 0 repeats
       
       @phnt @sjvn @wolf480pl Heh, reminds me that Firefox quite some years ago used to ship a copy of a slightly outdated Python 2.x, and if you'd remove the executables the build would fail.
       https://hacktivis.me/notes/bootstrapping#firefox_python2
       
 (DIR) Post #B098nEHKjKVb0zmbxI by lanodan@queer.hacktivis.me
       2025-11-11T20:03:51.351659Z
       
       0 likes, 0 repeats
       
       @wolf480pl @phnt @sjvn Nah, requirements.txt is way too loose as it's just for dependency requirements, and which blobs will be downloaded is by definition system-dependent.
       You'd want either a lockfile (hell to maintain, pretty much nobody really uses them for security purposes, after all you'd need to audit binaries if you'd do) or a curated repository like a distro.
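
An added example, not part of the thread, for the scenario wolf480pl describes above (a requirements.txt installed into a venv with pip, then someone checking which listed libraries have known vulnerabilities and whether the code actually uses them) and lanodan's point that requirements.txt alone is too loose to audit against. The script parses a requirements file, notes which entries are exact pins and which also carry a `--hash=sha256:` option (the real pip syntax used with `pip install --require-hashes`), collects the modules the application source actually imports, and produces a first-pass triage. The advisory list, package names, versions, digest and source file are all constructed for the example; the distribution-name-to-import-name table is a hand-maintained assumption (PyYAML genuinely imports as `yaml`, but a real tool would need a complete mapping).

```python
import ast
import re

# Constructed stand-in for a vulnerability database: package -> affected versions.
# Package names and versions here are made up for the example.
ADVISORIES = {
    "fooparser": {"1.2.0"},
    "barcodec": {"0.9.1"},
    "requests": {"2.30.0"},
    "pyyaml": {"5.0", "5.1"},
}

# Distribution name -> import name where the two differ (PyYAML really imports as
# yaml; this hand-maintained table is an assumption and would be incomplete in practice).
IMPORT_NAMES = {"pyyaml": "yaml"}

PLACEHOLDER_HASH = "ab" * 32  # placeholder digest, not a real wheel hash

# Constructed requirements.txt: one hash-pinned entry (pip --require-hashes style),
# one loose range, and plain == pins without hashes.
REQUIREMENTS = f"""\
requests==2.31.0 \\
    --hash=sha256:{PLACEHOLDER_HASH}
PyYAML>=5.0
fooparser==1.2.0
barcodec==0.9.1   # imported nowhere in SOURCE below
bazutil==3.0.0
"""

# Constructed application source: the packages the code actually imports.
SOURCE = """\
import requests
import yaml
from fooparser import parse
"""

HASH_RE = re.compile(r"--hash=sha256:[0-9a-fA-F]{64}")
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;#\\]+)?"
)


def canonical(name):
    """PEP 503 style normalisation so PyYAML, pyyaml and py-yaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Map canonical package name -> {op, version, hashed} for each requirement line.
    Backslash continuation lines (where --hash options usually live) are joined first."""
    joined = re.sub(r"\\\n", " ", text)
    reqs = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r other.txt
        m = REQ_RE.match(line)
        if not m:
            continue
        reqs[canonical(m.group(1))] = {
            "op": m.group(2),
            "version": m.group(3),
            "hashed": bool(HASH_RE.search(line)),
        }
    return reqs


def imported_top_level_modules(source):
    """Top-level module names imported by a Python source file, taken from its AST."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def triage(requirements_text, source_text, advisories=ADVISORIES):
    """First-pass verdict per requirement: can it be matched at all, is the pinned
    version affected, and does this code even import it? Transitive dependencies and
    native blobs inside wheels are out of scope, which is exactly lanodan's caveat."""
    reqs = parse_requirements(requirements_text)
    imported = imported_top_level_modules(source_text)
    report = {}
    for name, req in reqs.items():
        # Heuristic fallback: assume the import name equals the distribution name.
        used = IMPORT_NAMES.get(name, name.replace("-", "_")) in imported
        if req["op"] != "==":
            report[name] = "unpinned: installed version unknown, cannot match against advisories"
        elif req["version"] in advisories.get(name, set()):
            report[name] = ("affected, imported: patch now" if used
                            else "affected, not imported here: lower priority, check transitive use")
        else:
            report[name] = "pinned, no known advisory" + (
                "" if req["hashed"] else " (no --hash; wheel contents unverified)")
    return report


if __name__ == "__main__":
    for pkg, verdict in triage(REQUIREMENTS, SOURCE).items():
        print(f"{pkg}: {verdict}")
```

The verdicts are deliberately conservative: an unpinned range cannot be matched against any advisory until it is resolved to a concrete version, and a pinned entry without a hash tells you which version was requested but not which bytes were installed, which is the gap a lockfile with hashes (or a curated distro repository) closes.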
       
 (DIR) Post #B099ZZRvJwkEZimt3A by jrdepriest@infosec.exchange
       2025-11-11T20:11:05Z
       
       1 likes, 0 repeats
       
       @phnt @sjvn @wolf480pl @lanodan working in threat management at a mid-sized company and prioritizing vulnerabilities is a full time job focusing on actual risk.
       CVEs are labels that make it easier to talk about specific vulnerabilities, nothing more.
       A "Zero CVE Policy" doesn't even make sense and is literally impossible without huge caveats and exceptions.
       Also, CVEs don't exist for misconfigurations. Which is a bigger risk? Default password on your external firewall or a CVE with a CVSS score of 10.0 on a dev server with no Internet access?
       AI Slop CVEs are a grift to "get those numbers up".
       
 (DIR) Post #B099ZaXdGCuBxiSxaS by wolf480pl@mstdn.io
       2025-11-11T20:12:39Z
       
       0 likes, 0 repeats
       
       @jrdepriest @phnt @sjvn @lanodan Is there any hope for a small company with a handful of developers and 1 or 2 sysadmins to do anything about vulnerabilities?
       
 (DIR) Post #B09A1irnttILtJJh9k by wolf480pl@mstdn.io
       2025-11-11T20:17:46Z
       
       1 likes, 0 repeats
       
       @lanodan btw. I read the rest of that blogpost, kinda couldn't believe the Java situation, so I looked it up and found this:
       https://www.chainguard.dev/unchained/fully-bootstrapping-java-from-source-in-wolfi
       and it indeed looks like a herculean effort
       
 (DIR) Post #B09AXRDl2j1EQihzKC by lanodan@queer.hacktivis.me
       2025-11-11T20:23:24.755829Z
       
       0 likes, 0 repeats
       
       @wolf480pl Yeah, at least it's one that we know works.
       For other languages… it's basically impossible until someone builds something like an interpreter/compiler that allows to build a decently recent version, and then keeps it maintained.
       Like we're very lucky that ecj exists for java, that mrustc exists for bootstrapping rustc, somewhat lucky for dotGNU for mono (somewhat because it's been long abandoned), …
       
 (DIR) Post #B09AtLiuACpjkZj2PY by jrdepriest@infosec.exchange
       2025-11-11T20:27:27Z
       
       2 likes, 0 repeats
       
       @wolf480pl @phnt @sjvn @lanodan I think the public, in general, puts too much pressure on small, mostly volunteer teams.
       On the one hand, these projects are vital lynchpins holding up trillion dollar industries.
       On the other, they apparently aren't worth a contact or even a donation by those using them.
       I imagine corporations would spend FTEs building complicated workarounds rather than fund an open source project. They think, "someone else will step in and fix it, eventually."
       What can the small projects do? I don't know. So much of our infrastructure is designed around taking away their power while magnifying their responsibility. If it were me, I'd probably work myself to death trying to be everything for everybody. Ideally, they'd be able to go on strike. No fixes until the leeches step up with people or funds. But that's taking your life into your own hands. That could end badly. I don't have a solution. The most important thing is to prioritize but with AI generated CVEs, I'm not sure the flood is manageable.
       My advice is that your mental health should come first. Always. Every day. Take care of yourself.
       
 (DIR) Post #B09BYGzceieAx63iC0 by phnt@fluffytail.org
       2025-11-11T20:34:52.294597Z
       
       0 likes, 1 repeats
       
       @jrdepriest @sjvn @wolf480pl @lanodan
       > A "Zero CVE Policy" doesn't even make sense and is literally impossible without huge caveats and exceptions.
       No joke, the way it works is you apply every update some scanner tells you to without ever verifying if you are even affected. Is this option required for the vulnerability to work even compiled in? Don't care, update.
       > Default password on your external firewall
       Reminds me of lovely MikroTik and their totally not jank network firmware flashing utility (forgot the name) that by default added no password to the admin account. Flash a _RouterOS_ via the network while connected and accessible from the Internet = get infected within seconds. At least they started to use a default password semi-recently I think.
       
 (DIR) Post #B09BjreCiPjPosZG88 by wolf480pl@mstdn.io
       2025-11-11T20:36:57Z
       
       0 likes, 0 repeats
       
       @jrdepriest @phnt @sjvn @lanodan I guess I went on a tangent without making it clear:
       We all know the situation for small open-source projects with large corporate userbase is rough.
       But at least it's not the FOSS projects that'll get pwned if they miss something - the large corpos will.
       Then we started talking about how companies manage vulns, and whether they're doing it wrong.
       1/
       
 (DIR) Post #B09BqGhSU3E1Fw8xou by wolf480pl@mstdn.io
       2025-11-11T20:38:07Z
       
       0 likes, 0 repeats
       
       @jrdepriest @phnt @sjvn @lanodan So my question was about how a small-to-medium company (eg. one whose product is a website) that can't dedicate a whole person to patch management could approach this problem without resorting to "get CVE scanner, filter by severity == critical, cry in a corner because there's still too much stuff".
       
 (DIR) Post #B09CBYOzrWmKEverJ2 by ignaloidas@not.acu.lt
       2025-11-11T20:41:58.156Z
       
       0 likes, 0 repeats
       
       @wolf480pl@mstdn.io @jrdepriest@infosec.exchange @phnt@fluffytail.org @sjvn@mastodon.social @lanodan@queer.hacktivis.me I think a somewhat realistic thing that could happen is companies selling "FOSS support" that share this load over a whole bunch of companies.
       
 (DIR) Post #B09Cpyd9lV7tAXYYIS by jrdepriest@infosec.exchange
       2025-11-11T20:49:15Z
       
       0 likes, 0 repeats
       
       @wolf480pl @phnt @sjvn @lanodan You have to really know your environment to know what mitigations and compensating controls you have. You need to know where your sensitive data is. You need to understand how you manage access and identity.
       Even a company with just a single website has to think about those things.
       My honest advice for any small company with a cyber presence would be to ask around and contract with a reputable firm that could help you create customized policies and procedures and then pay to be pen tested and audited against them at least once a year. If it's written down and agreed upon, you've already saved so much time trying to figure it out on the fly and prevented a great deal of finger pointing and blame. That and keep accurate network diagrams.
       
 (DIR) Post #B09D87se74yJ4MSJ84 by wolf480pl@mstdn.io
       2025-11-11T20:52:33Z
       
       1 likes, 0 repeats
       
       @lanodan @phnt @jrdepriest @sjvn I wish I could go to the devs and tell them "No pypi, only use dependencies packaged in Debian. If you want a library that's not packaged in Debian, open a ticket with the SRE team, we'll package it. Rate limit: one library per month."
       Though I guess even that would be unsustainable.
       
 (DIR) Post #B09F2kPY8yuSk0PQPI by wolf480pl@mstdn.io
       2025-11-11T21:13:59Z
       
       0 likes, 0 repeats
       
       @lanodan @phnt @jrdepriest @sjvn I'm afraid there are whole fields whose python libs are not packaged by Debian... though to know for sure I should go through $dayjob's requirements.txt and see how much of that is packaged...
       
 (DIR) Post #B09FMve05an7N5n876 by sjvn@mastodon.social
       2025-11-11T21:17:36Z
       
       0 likes, 0 repeats
       
       @wolf480pl @jrdepriest @phnt@fluffytail.org @lanodan Sure, if they have the time and expertise to work on them.
       
 (DIR) Post #B09FPpOdm5SQrZzPA8 by sjvn@mastodon.social
       2025-11-11T21:15:48Z
       
       1 likes, 0 repeats
       
       @lanodan @phnt@fluffytail.org @jrdepriest @wolf480pl There's been lots of AI garbage CVEs. I wrote about it a while back. https://www.zdnet.com/article/how-fake-security-reports-are-swamping-open-source-projects-thanks-to-ai/ Check out @bagder, cURL's creator and maintainer, and his endless battles against AI security spam.
       
 (DIR) Post #B09FqF1D8PzFrFcp3Q by Varpie@peculiar.florist
       2025-11-11T21:21:30.088Z
       
       0 likes, 0 repeats
       
       @jrdepriest @phnt @sjvn @wolf480pl @lanodan A score of 10.0 wouldn't be possible on a dev server with no internet access, since it would have a low exploitability.
       
 (DIR) Post #B09PTUJd5rhiBM1tB2 by wolf480pl@mstdn.io
       2025-11-11T23:10:49Z
       
       0 likes, 0 repeats
       
       @pixx It's not about good faith, it's about redirecting them to a place where you can't hear them, so that you don't get overwhelmed with emails.
       @lanodan @sjvn
       
 (DIR) Post #B09RhLO5HikGSEqdF2 by jadapstevens@mastodon.social
       2025-11-11T23:35:44Z
       
       0 likes, 0 repeats
       
       @wolf480pl Lmao classic corporate dodge: “We value your input, here’s a form that goes straight to /dev/null.”  Not about silencing dissent, nah—it’s mental health for the inbox. Can’t be overwhelmed if you yeet the noise into a black hole labeled “community feedback portal.”  “Escalate to tier-2 support” = “touch grass, we’re done here.” Same energy as muting group chats but with extra HR steps.  They’re not ignoring you, bro… they’re curating their sanity.
       
 (DIR) Post #B09U01aLKigoRucKTw by BartV@mastodon.social
       2025-11-11T20:40:13Z
       
       1 likes, 0 repeats
       
       @sjvn add more bugs that specifically break Google’s systems and nothing else
       
 (DIR) Post #B09q8KPXQBsO90vaca by Varpie@peculiar.florist
       2025-11-12T04:07:31.752Z
       
       0 likes, 0 repeats
       
       @lanodan @sjvn @wolf480pl @jrdepriest @phnt Let me rephrase: it wouldn't be possible to exploit a 10.0 CVE vulnerability on a dev server without internet access, because a part of the CVSS score is the attack vector, and for a score of 10.0 you'd need an attack that can be easily made over a network, so the offline dev server can't be impacted. So that example is irrelevant.
       
 (DIR) Post #B0A6sm0sjA02L4Z0vg by ki@chaos.social
       2025-11-12T07:17:11Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lanodan @sjvn the fourth possible outcome:
       - the corpos "recreate" ffmpeg as a closed source alternative using LLMs
       
 (DIR) Post #B0AAz8ktU93yQVNR4a by wolf480pl@mstdn.io
       2025-11-12T08:03:13Z
       
       0 likes, 0 repeats
       
       @ki ffmpeg is not AGPL, they can always make a private fork and not tell anyone, no need to wash it through LLMs
       @lanodan @sjvn
       
 (DIR) Post #B0ACXtffeyNzjW4TIm by ki@chaos.social
       2025-11-12T08:20:41Z
       
       0 likes, 0 repeats
       
       @wolf480pl there's never a need for LLMs, but corpos love them
       
 (DIR) Post #B0AkHM5M9yZpNRMx2u by sjvn@mastodon.social
       2025-11-12T14:38:39Z
       
       0 likes, 0 repeats
       
       @wolf480pl @ki @lanodan FFmpeg would be very hard to fork for one simple reason: It's largely written in assembly language.
       
 (DIR) Post #B0BaL6PFakIBWXmZfs by tomjennings@tldr.nettime.org
       2025-11-13T00:22:02Z
       
       0 likes, 0 repeats
       
       @sjvn Unbelievable, how shitty these corps treat you all.