@GossiTheDog Friday the 13th's bugs hatched during the weekend I guess

[oss-security] CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract

https://www.openwall.com/lists/oss-security/2025/06/16/5

Exquisite bug!

This exploited-in-the-wild issue is an interesting twist on binary planting that we were working on a decade and a half ago. The DLL/EXE search order just keeps on giving (to attackers, that is). https://binaryplanting.com

It turned out that all our security-adopted Windows versions were affected by this issue, so we created micropatches for them all. These are already distributed and applied to all online affected systems.

We would like to thank security researchers Alexandra Gofman and David Driker with @_cpresearch_ for detecting the exploitation and publishing their analysis, which made it possible for us to create a micropatch for this issue.

Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053) https://blog.0patch.com/2025/06/micropatches-released-for-webdav-remote.html

Listen up Mastodonians, because this is important:

Right now we have a unique chance to rise up and hit back against Zuckerberg and Musk. Because italian filmmaker @_elena and her friends have made an OUTSTANDING short film, which explains why people should quit the fascist social networks and come join us in the fediverse.

Hit the fascists where it hurts — make this go viral by watching it and liking it on YouTube, then hit the share button and share it everywhere!

https://www.youtube.com/watch?v=YRJHIJy5Nno

Crypto: Sponsoring military parades for the Great Leader’s birthday

Just like Satoshi envisioned it.

@patcharcana @cR0w https://www.youtube.com/watch?v=mW9PvYYH9lA

#VibeCoding your MFA

New vulnerability report from Talos:

Asus Armoury Crate AsIO3.sys authorization bypass vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2150

CVE-2025-3464

New vulnerability report from Talos:

Asus Armoury Crate AsIO3.sys stack-based buffer overflow vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2144

CVE-2025-1533

https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr

When a user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges.

radare2 is now shipping extra panel layouts in the default installation. Do you have custom layouts you enjoy in panels mode? https://github.com/radareorg/radare2/pull/24296 #reverseengineering #tui

From "All About Computers", published in 1984.

Adapting an Old Rotary Dial for Digital Applications

https://hackaday.com/2025/06/13/adapting-an-old-rotary-dial-for-digital-applications/

[RSS] Offline Extraction of Symantec Account Connectivity Credentials (ACCs)

https://itm4n.github.io/offline-extraction-of-symantec-account-connectivity-credentials/

It's great to have everything-as-code because of reproducibility, etc., except now the cloud infra you are targeting can and will randomly fail in unpredictable ways.

Today's the deadline to submit to Phrack 72:

https://bird.makeup/@phrack/1901633924532408680

GIMP Heap Overflow Re-Discovery and Exploitation (CVE-2025–6035) by @craigtweets

https://medium.com/@cy1337/malloc-overflow-deep-dive-9357eeef416b

Another #Rust adventure for the weekend:

Signed/unsigned (two's complement) command-line integer converter based on num_bigint:

https://github.com/v-p-b/twos

Designing the interface was surprisingly tricky, no wonder most online converters aren't great...

I also tried to do a diff on CLFS.sys to track down CVE-2025-32713 but #Ghidra fails to decompile multiple functions so the output is not as clean as I wished it to be:

https://gist.github.com/v-p-b/b180fa1b0e2b391153a0c7fca265a104

This #PatchTuesday sparked no joy :(