Misfile essential documents.

Project Vicigol - Reverse-engineering a 28-bit RISC CPU has been released on media.ccc.de and YouTube #gpn23 #HardwareandMaking #ZKMKubus #gpn23eng https://media.ccc.de/v/gpn23-144-project-vicigol-reverse-engineering-a-28-bit-risc-cpu https://www.youtube.com/watch?v=5I1OIrXnM1Q https://cfp.gulas.ch/gpn23/talk/KBQBE7/

Insecure defaults can lead to surprises. When creating FIFO sockets with systemd, be sure to note that SocketMode defaults to 0666 - that is world readable and writable. That is: any local user can communicate with the FIFO. If your FIFO is used to perform privileged operations you must ensure that either the FIFO file itself is located in secured location or set SocketMode to stricter value.

I spotted one such insecure use in cloud-init: the hotplug FIFO was world writable. This is CVE-2024-11584 and fixed in cloud-init 25.1.3.

The commit fixing this is in https://github.com/canonical/cloud-init/pull/6265

#CVE_2024_11584 #ubuntu #systemd #infosec #cybersecurity

Project: pypy/pypy https://github.com/pypy/pypy
File: rpython/rlib/parsing/deterministic.py:217 https://github.com/pypy/pypy/blob/9abbb4f358a5c308aefb85652a229cc98f899e13/rpython/rlib/parsing/deterministic.py#L217

def make_code(self):

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fpypy%2Fpypy%2Fblob%2F9abbb4f358a5c308aefb85652a229cc98f899e13%2Frpython%2Frlib%2Fparsing%2Fdeterministic.py%23L217&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fpypy%2Fpypy%2Fblob%2F9abbb4f358a5c308aefb85652a229cc98f899e13%2Frpython%2Frlib%2Fparsing%2Fdeterministic.py%23L217&colors=light

Every damn day

The libxml2 maintainer is no longer accepting embargoed security reports. They just get treated like regular issues.

This bit in a comment on the announcement really resonates with me:

> these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.

Too often a company will depend on some library, and then when there are issues with it, shame the maintainer into fixing them. "There's a problem with your project, it is your responsibility to fix it".

No.

You chose to build on top of this library, and with that took on all responsibility that comes with that choice. Any tech debt or bugs are now YOUR tech debt and bugs. What are you going to do about them?

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913

Project: openssl-static-gcc-dwarf 3.4.0
File: openssl
Address: 0051a550

asn1_cb

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fopenssl-static-gcc-dwarf%2F0051a550.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fopenssl-static-gcc-dwarf%2F0051a550.json&colors=light

https://links.fabiomanganiello.com/share/683ee70d0409e6.66273547

PHRACK is coming to #DEFCON! We're printing ~10,000 zines and giving an hour-long talk you won't want to miss! Stay tuned. 🔥 #40yrsOfPhrack #phrack72

We did a presentation at Null Byte Security Conference last year entitled "The importance of a rigorous methodology in information security research". The presentation aimed to introduce security professionals to the importance of rigor in information security research, but also to other aspects.

We consider rigor very important for the information security industry.

We have observed, over more than 15 years in the field, that many beginners lack a solid understanding of rigor and the scientific method, which hinders their learning and growth.

The audience was mostly people starting in the information security industry, and we tried to make it simple, but not simpler. The slides can be found at the link below:

https://allelesecurity.com/wp-content/uploads/2025/06/The-importance-of-a-rigorous-methodology-in-information-security-research.pdf

CVE-2025-48706 - Out-of-bounds read in COROS PACE 3

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-028.txt

Watch Out! Bluetooth Analysis of the COROS PACE 3

https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/