2023-04-11 16:51:47 <jvoisin> :w
2023-04-11 16:51:49 <jvoisin> meh.
2023-04-11 16:56:54 <psykose> :x!
2023-04-13 06:15:20 <ncopa> I created a couple of feature requests for secfixes tracker: https://gitlab.alpinelinux.org/ariadne/secfixes-tracker/-/issues/11
2023-04-13 18:25:33 <ncopa> i wonder if we shoudl bump curl 8.0 to stable ranches
2023-04-13 18:25:40 <ncopa> "There is no API nor ABI break in this version."
2023-04-13 18:42:21 <psykose> we generally never really updated between curls in stable
2023-04-13 18:42:46 <psykose> and i patched pretty much everything except for a few things, so i guess not everything
2023-04-13 18:42:59 <psykose> the actual cves are all meaningless
2023-04-13 18:43:03 <psykose> but aside from that, it would be fine
2023-04-13 18:43:10 <psykose> it's a pretty stable thing overall i guess
2023-04-13 18:43:25 <psykose> the issue with 8.0 is that some build scripts break on the 8 in the version
2023-04-13 18:43:26 <psykose> typica
2023-04-13 18:43:32 <psykose> typical*
2023-04-13 18:43:33 <ncopa> bah
2023-04-13 18:43:35 <psykose> very rare though
2023-04-13 18:43:49 <psykose> R is one such thing for instance, i never found anything else
2023-04-13 18:44:06 <ncopa> might be worth it
2023-04-13 18:44:10 <ncopa> i dunno
2023-04-13 18:44:14 <psykose> i can do it if you want
2023-04-13 18:44:23 <psykose> i dunno who would complain about a newer curl with fewer bugs that works better
2023-04-13 18:44:56 <ncopa> would be awesome if you could help with that!
2023-04-13 18:46:05 <psykose> sure, i'll do that
2023-04-15 08:43:40 <ikke> ncurses memory corruption bugs with fixes https://invisible-island.net/ncurses/NEWS.html#index-t20230408 (CVE-2023-29491)
2023-04-15 08:44:56 <ikke> ah, psykose already reacted in that thread from oss-security
2023-04-15 08:45:07 <psykose> 'fixes'
2023-04-15 08:46:55 <ikke> heh
2023-04-15 08:47:59 <psykose> the real issue is probably that the entire linux terminal userland is built on a library that doesn't even have a git repository
2023-04-15 08:48:51 <psykose> to even begin approaching the issue i'd have to... diff two tarballs? really?
2023-04-15 08:49:00 <ikke> fun times
2023-04-15 08:50:50 <sam_> you don't like the cheesy https://github.com/ThomasDickey/ncurses-snapshots? :D
2023-04-15 08:51:03 <sam_> there's two issues i know of
2023-04-15 08:51:10 <psykose> oh a new repo
2023-04-15 08:51:12 <sam_> 1 is that openrc uses the wrong functions for colour, which needs to be fixed on that end
2023-04-15 08:51:23 <sam_> the other is that he cocked up so vim is buggered and hopes to fix it today or something
2023-04-15 08:51:33 <psykose> tmux is also broken
2023-04-15 08:51:36 <psykose> just open it and click a few times
2023-04-15 08:51:37 <psykose> it exits
2023-04-15 08:51:41 <sam_> lol
2023-04-15 08:51:45 <sam_> ihateithateit
2023-04-15 08:51:50 <psykose> and leaves the term broken
2023-04-15 08:51:56 <psykose> idk this looks like a wontfix to me
2023-04-15 08:52:06 <psykose> ...is what i would say if people wouldn't start complaining about it in a week from now
2023-04-15 08:53:02 <sam_> yeah seriously
2023-04-15 08:53:06 <sam_> i so dont want to care about this
2023-04-15 08:53:23 <psykose> pick yer poison
2023-04-15 08:53:34 <psykose> security complainers or 'you broke my application' complainers
2023-04-15 08:54:13 <psykose> anyway ping me if you see fixes for stuff because idk where any of the discussion is
2023-04-15 08:54:27 <psykose> then once i test at least these three things work i guess it'll be fixed in one place
2023-04-15 08:54:37 <psykose> no idea what the real patch for it to apply anywhere is
2023-04-15 08:56:27 <sam_> np, will do
2023-04-15 08:57:06 <sam_> for vim it's https://bugs.gentoo.org/904263#c9 / https://bugs.gentoo.org/904277#c7
2023-04-15 08:57:10 <sam_> for openrc he says it's buggered at https://bugs.gentoo.org/904277#c4
2023-04-15 08:57:13 <sam_> but ill keep you posted either way
2023-04-15 09:00:59 <psykose> thanks thanks
2023-04-16 22:40:16 <jvoisin`> psykose: https://github.com/jvoisin/fortify-headers I've been working on this recently
2023-04-17 11:01:15 <psykose> poggers
2023-04-18 13:22:46 <omni> https://www.openwall.com/lists/oss-security/2023/04/16/3
2023-04-18 16:03:19 <psykose> https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
2023-04-20 12:08:09 <jvoisin> speaking of FORTIFY: https://blog.trailofbits.com/2023/04/20/typos-that-omit-security-features-and-how-to-test-for-them/
2023-04-20 12:12:20 <psykose> ty for checksec.rs
2023-04-20 12:12:22 <psykose> didn't know
2023-04-20 12:12:28 <psykose> the, uh, other checksec, is an abomination
2023-04-20 12:13:10 <psykose> or is this x86 only
2023-04-20 12:13:33 <psykose> ah, noto quite
2023-04-20 12:19:26 <psykose> seems to say partial relro even when NOW is present
2023-04-20 12:20:26 <psykose> also can't detect any fortify of course
2023-04-20 17:21:41 <jvoisin> anything people here would like to get fuzzed?
2023-04-20 17:21:59 <jvoisin> (I'm paid by Google to do this kind of stuff, so if it's beneficial for alpine, it's even better)
2023-04-20 17:22:58 <ikke> has apk-tools been fuzzed?
2023-04-20 18:41:20 <idkrn[m]> <jvoisin> "(I'm paid by Google to do this..." <- Are you employed or contracted?
2023-04-20 19:50:29 <jvoisin> employed
2023-04-20 19:50:47 <jvoisin> ikke: it doesn't seems so
2023-04-20 19:50:50 <jvoisin> I'll look at it
2023-04-20 23:20:45 <idkrn[m]> <jvoisin> "anything people here would..." <- Init lol
2023-04-20 23:21:01 <idkrn[m]> OpenRC or whatever is next
2023-04-21 09:40:59 <pj> busybox, openrc, gcc
2023-04-21 09:41:22 <pj> anything that has lots of patches and is a terrible code
2023-04-21 09:49:18 <ncopa> jvoisin: apk 2.x and 3 (current git) would be nice
2023-04-21 11:41:23 <jvoisin> idkrn[m]: what would be the point of fuzzing the init system? It shouldn't ever handle untrusted stuff
2023-04-21 11:41:40 <jvoisin> ncopa: yup
2023-04-21 14:30:00 <jvoisin> the problem is that I'd have to mock a database, meh
2023-04-21 14:33:07 <psykose> well yeah
2023-04-21 14:33:30 <jvoisin> for dpkg, it's `dpkg -i ./fuzz_deb` and YOLO
2023-04-21 14:34:30 <psykose> maybe that's why it sucks /s
2023-04-21 21:15:37 <idkrn[m]> <jvoisin> "idkrn: what would be the point..." <- What stops it from being attacked while it's running
2023-04-21 21:15:53 <jvoisin> how?
2023-04-21 21:17:48 <idkrn[m]> Idk what makes init special in that regard
2023-04-21 21:17:58 <psykose> fuzzing is about untrusted input
2023-04-21 21:19:17 <jvoisin> https://en.wikipedia.org/wiki/Fuzzing
2023-04-21 21:20:08 <idkrn[m]> https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet
2023-04-21 21:20:20 <idkrn[m]> psykose: I know
2023-04-21 21:21:57 <psykose> that's an example of untrusted input indeed
2023-04-21 21:22:03 <psykose> so fuzzing systemd makes sense
2023-04-21 21:22:10 <psykose> i don't think busybox pid1 does anything at all though
2023-04-21 21:33:51 <idkrn[m]> Is it not OpenRC?
2023-04-21 21:34:05 <ikke> We use bb init
2023-04-21 21:34:14 <idkrn[m]> Since when
2023-04-21 21:34:17 <ikke> since ever
2023-04-21 21:34:22 <idkrn[m]> What
2023-04-21 21:34:43 <ikke> pid1 != service manager
2023-04-21 21:35:24 <psykose> rc- commands from openrc don't necessarily have much untrusted input either
2023-04-21 21:35:45 <idkrn[m]> "Init System (OpenRC) (configure a service to automatically boot at next reboot)"
2023-04-21 21:35:45 <idkrn[m]>  https://wiki.alpinelinux.org/wiki/Installation#:~:text=Init%20System%20(OpenRC)%20(configure%20a%20service%20to%20automatically%20boot%20at%20next%20reboot)
2023-04-21 21:36:11 <idkrn[m]> > <@idkrn:envs.net> "Init System (OpenRC) (configure a service to automatically boot at next reboot)"
2023-04-21 21:36:11 <idkrn[m]> >  https://wiki.alpinelinux.org/wiki/Installation#:~:text=Init%20System%20(OpenRC)%20(configure%20a%20service%20to%20automatically%20boot%20at%20next%20reboot)
2023-04-21 21:36:11 <idkrn[m]> ikke: this says init
2023-04-21 21:36:23 <ikke> wiki pages can be incorrect
2023-04-21 21:36:26 <Foxboron> All inits parse some form of untrusted input fwiw
2023-04-21 21:36:42 <idkrn[m]> ikke: Wtf
2023-04-21 21:37:02 <psykose> people generally shorthand all service stuff to 'init'
2023-04-21 21:38:29 <idkrn[m]> https://twitter.com/ariadneconill/status/1375085251526021132
2023-04-21 21:38:57 <idkrn[m]> Fuck they deleted Twitter
2023-04-21 21:41:44 <idkrn[m]> psykose: People clearly hate me
2023-04-21 21:41:50 <psykose> whadya mean
2023-04-21 21:42:04 <idkrn[m]> Misleading me like this 😭
2023-04-21 21:44:23 <psykose> :)
2023-04-21 22:07:03 <idkrn[m]> <Foxboron> "All inits parse some form of..." <- Don't they have to?
2023-04-21 22:13:14 <idkrn[m]> Maybe just fuzz all suid binaries lol
2023-04-22 17:24:03 <pj> ikke: "Alpine Linux is a very simple distribution that will try to stay out of your way. It uses its own package manager called apk, the OpenRC init system, script driven set-ups and that’s it!"
2023-04-22 17:24:20 <pj> from https://alpinelinux.org/about/
2023-04-22 17:25:30 <psykose> securealpine hacked the domain
2023-04-22 17:32:56 <ikke> pj: simplified for breviry :P
2023-04-22 17:33:01 <ikke> brevity*
2023-04-22 18:32:56 <idkrn[m]> <ikke> "pj: simplified for breviry :P" <- Seems more like lying :/
2023-04-28 10:36:34 <ncopa> lets update go on tuesday https://groups.google.com/g/golang-announce/c/vFRFE07dbB8/m/vM-aS7KGAAAJ?pli=1
2023-04-28 12:02:07 <jvoisin> it's annoying that there is no severity :/
2023-04-28 17:13:40 <minimal> any thoughts regarding patching Busybox's password tools to support bcrypt? There have been patches submitted to the Busybox list in May 2020 and Jan 2023 for this but they've not been merged
2023-04-28 22:49:51 <jvoisin> minimal: poke upstream again?
2023-04-28 22:50:57 <minimal> upstream BB dev has been slow for some time, I guess as a side-effect of Ukraine situation
2023-04-28 23:13:13 <psykose> been somewhat getting back into it
2023-04-28 23:29:03 <minimal> yeah looking at commit log seems thing picked up in past month