this post was submitted on 06 Jul 2023
112 points (97.5% liked)

Technology

59575 readers
3078 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 6 comments
sorted by: hot top controversial new old
[–] npmstart_pray@lemmy.fmhy.ml 7 points 1 year ago (3 children)

Not a comment but a question- does this potentially affect Lemmy servers as well?

[–] jjagaimo@lemmy.ca 7 points 1 year ago* (last edited 1 year ago) (1 children)

Directly probably not. Its more likely an implementation issue than a federation issue.

“Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location"

I doubt lemmy and mastodon share image parsing code

[–] npmstart_pray@lemmy.fmhy.ml 0 points 1 year ago (1 children)

I’d not be so confident given just how quickly the rollout happened. Remember, we’re talking only a matter of weeks. (I’m a little more comfortable with things especially with the frequency of updates this far - I’ve installed 2 today)

[–] BrikoX@vlemmy.net 6 points 1 year ago

Lemmy has been in development since 2019. And Lemmy uses pict-rs for images.

[–] wagesj45@kbin.social 5 points 1 year ago

This bug was a result of the way that Mastodon handled file uploads. Because of the way that Mastodon attempted to figure out what kind of file that a user uploaded, it was possible to create a very specific type of multimedia file that would, when analyzed by the server, trick the server into executing its contents like code rather than an image or movie file. Unless Lemmy processes files the same way, Lemmy should be unaffected.

[–] rehendix@kbin.social 1 points 1 year ago

Nope, other than the use of the ActivityPub standard to communicate information, Mastodon and Lemmy are entirely separate pieces of software. Whether Lemmy, Kbin and similar also have vulnerabilities that would allow for a similar exploit are dependent on how they've been designed.

load more comments
view more: next ›