Python fu yeah

https://www.novabbs.com/computers/article-flat.php?id=204&group=rocksolid.shared.security#204

Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: Python fu yeah
Date: Thu, 18 Feb 2021 22:10:42 -0800
Organization: def2
Message-ID: <opsec.779.3y1fsy@anon.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=288bcf7ef987c78e2e094201bcef1b37091268ce
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="16851"; mail-complaints-to="usenet@novabbs.org"
 by: Anonymous - Fri, 19 Feb 2021 06:10 UTC
Attachments: python.jpg (image/jpeg)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

Description
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Really? What can I use Python for, if it cannot parse numbers?

Attachments: python.jpg 
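The CVE text above describes the bug class: an unbounded sprintf of a double into a fixed-size buffer, where a "%f" rendering of 1e300 is far longer than the buffer. The following is an added C sketch written for this thread, not CPython's code; it measures how long such a rendering gets, shows the bounded snprintf form with an explicit truncation signal, and reports whether a fixed buffer would have held the result. The 256-byte buffer size and the "<cparam 'd' (%f)>" format string are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CVE-2021-3177 bug class, not CPython's code.
 * The unsafe pattern looks like:
 *     char buffer[256];
 *     sprintf(buffer, "<cparam '%c' (%f)>", tag, value);   // no bound on the write
 * "%f" prints every integer digit of the double, so 1e300 needs more than
 * 300 characters and runs past a 256-byte buffer. */

#define REPR_BUF 256                       /* assumed fixed buffer size */
#define REPR_FMT "<cparam 'd' (%f)>"       /* assumed format string */

/* Bytes (excluding the NUL) the repr needs for a given double.
 * snprintf with a NULL buffer and size 0 only measures; it never writes. */
int repr_needed_len(double value)
{
    return snprintf(NULL, 0, REPR_FMT, value);
}

/* Hardened form: bounded write plus a truncation signal, so a caller can
 * fall back instead of silently returning a cut-off string.
 * Returns true if the whole repr fit in out_len bytes (NUL included). */
bool repr_bounded(double value, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, REPR_FMT, value);
    return n >= 0 && (size_t)n < out_len;
}

/* Would the classic fixed buffer have overflowed for this input?
 * ">=" because the NUL terminator also needs a byte. */
bool would_overflow_fixed_buffer(double value)
{
    return repr_needed_len(value) >= REPR_BUF;
}

/* Same question asked through the hardened writer, using a real buffer. */
bool fixed_buffer_fits(double value)
{
    char buf[REPR_BUF];
    return repr_bounded(value, buf, sizeof buf);
}

int main(void)
{
    double samples[] = { 1.5, 1e100, 1e300 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6g needs %d bytes; fits in %d: %s\n", samples[i],
               repr_needed_len(samples[i]), REPR_BUF,
               fixed_buffer_fits(samples[i]) ? "yes" : "NO");
    return 0;
}
```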
None

https://www.novabbs.com/computers/article-flat.php?id=205&group=rocksolid.shared.security#205

Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: None
Date: Thu, 18 Feb 2021 22:38:46 -0800
Organization: rocksolid2 (novabbs.org)
Message-ID: <opsec.780.4deku4@anon.com>
References: <opsec.779.3y1fsy@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="26536"; mail-complaints-to="usenet@novabbs.org"
 by: Anonymous - Fri, 19 Feb 2021 06:38 UTC

>cannot parse numbers
>floating-point
It's specifically floating-point.
Unless you have something using a math library like numpy or floating-point numbers and it's parsing it somehow externally (very unlikely), you are probably fine for this specific CVE.
You don't use WSGI, right?

--
Posted on def2

Re: Python fu yeah

https://www.novabbs.com/computers/article-flat.php?id=206&group=rocksolid.shared.security#206

Path: i2pn2.org!rocksolid2!.POSTED.127.117.190.215!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: Re: Python fu yeah
Date: Fri, 19 Feb 2021 03:52:38 -0800
Organization: rocksolid2 (novabbs.org)
Message-ID: <opsec.781.3hzr04@anon.com>
References: <opsec.779.3y1fsy@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def.i2p"; posting-host="127.117.190.215";
logging-data="28285"; mail-complaints-to="usenet@novabbs.org"
 by: Anonymous - Fri, 19 Feb 2021 11:52 UTC

>>f5727b40ce9136fcf4
>you are probably fine
Now that gives me a good, warm, fuzzy kind of feeling.

>you dont use wsgi right
OP does not use Python at all, kind of biased here.

--
Posted on def2

None

https://www.novabbs.com/computers/article-flat.php?id=208&group=rocksolid.shared.security#208

Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: pos...@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: None
Date: Fri, 19 Feb 2021 09:43:52 -0800
Organization: def2
Message-ID: <opsec.783.1svmmj@anon.com>
References: <opsec.779.3y1fsy@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="17703"; mail-complaints-to="usenet@novabbs.org"
 by: Anonymous - Fri, 19 Feb 2021 17:43 UTC

>>30d96af8c6049e1c47
>now that gives me a good, warm, fuzzy kind of feeling.
Don't forget I said specific CVE; there's also Blender, which can be networked and does a lot of floating-point calculations.
You aren't using Blender for classical remote framebuffers on an open network, are you? I'm not even sure if Blender supports that anymore.
I've seen way worse than Python and prefer to use pypy* if at all; currently trashing my Python OSes anyway, only a few utilities in Python I really can't replace, which will be easy to isolate if only they could run with a Python interpreter and base libraries that are under 10 megabytes.
>op does not use python at all, kind of biased here.
I have my doubts that OP controls his dependencies; most graphical GNUware will pull in Rust now for SVG, it's pretty funny.

--
Posted on def2
