this post was submitted on 06 Jul 2023
91 points (97.9% liked)
Technology
59373 readers
8218 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Not a comment but a question- does this potentially affect Lemmy servers as well?
This bug was a result of the way that Mastodon handled file uploads. Because of the way that Mastodon attempted to figure out what kind of file that a user uploaded, it was possible to create a very specific type of multimedia file that would, when analyzed by the server, trick the server into executing its contents like code rather than an image or movie file. Unless Lemmy processes files the same way, Lemmy should be unaffected.
Directly probably not. Its more likely an implementation issue than a federation issue.
“Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location"
I doubt lemmy and mastodon share image parsing code
I’d not be so confident given just how quickly the rollout happened. Remember, we’re talking only a matter of weeks. (I’m a little more comfortable with things especially with the frequency of updates this far - I’ve installed 2 today)
Lemmy has been in development since 2019. And Lemmy uses pict-rs for images.
Nope, other than the use of the ActivityPub standard to communicate information, Mastodon and Lemmy are entirely separate pieces of software. Whether Lemmy, Kbin and similar also have vulnerabilities that would allow for a similar exploit are dependent on how they've been designed.