This Week In Security: Git Deep Dive, Mailchimp, And SPF

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned, and the same bit width as the architecture. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647, about 2 GB. A big buffer, but not an unheard-of amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out-of-bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will then vastly under-allocate the attributes buffer, and write all that data past the end of the allocated buffer.
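
The int-versus-size_t point above, as an added example (written for this page, not code from the audit or from git itself): the int-based size calculation wraps to a negative number once the product passes 2 GB, while the size_t version with an explicit overflow check refuses the allocation instead of under-allocating. The checked_mul() helper here is a stand-in modelled on the idea of git's st_mult(), not git's implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The audited habit: a buffer length held in a 32-bit int. The product is
 * computed in 64 bits and then truncated so this demo itself has no undefined
 * behaviour; the truncation reproduces what the int would end up holding
 * (two's-complement wraparound, as on every mainstream compiler). */
static int32_t naive_int_bytes(int32_t count, int32_t elem_size)
{
    uint64_t wide = (uint64_t)((int64_t)count * elem_size);
    return (int32_t)(uint32_t)wide;
}

/* Hardened form: size_t lengths plus an explicit overflow check. Same idea as
 * git's st_mult() helper, but this is a stand-in written for the example. */
static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return false;           /* would wrap: refuse rather than under-allocate */
    *out = a * b;
    return true;
}

/* Allocate count elements of elem_size bytes, or NULL if the size overflows. */
static void *safe_alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed scenario: an attribute table with INT32_MAX entries of 8 bytes. */
    int32_t count = INT32_MAX, elem = 8;
    size_t bytes;

    printf("int arithmetic:    %d bytes (negative = wrapped)\n",
           naive_int_bytes(count, elem));
    if (checked_mul((size_t)count, (size_t)elem, &bytes))
        printf("size_t arithmetic: %zu bytes\n", bytes);
    else
        printf("size_t arithmetic: overflow detected, allocation refused\n");
    return 0;
}
```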

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:


Beach Buddy Is A Boombox, Phone Charger, And Sunburn Warner

The Beach Buddy

When you venture out onto the beach for a day in the sun, you’re probably not preoccupied with remembering the specifics about your sunscreen’s SPF rating—if you even remembered to apply any. [starwisher] suffered a nasty sunburn after baking in the sunlight beyond her sunscreen’s limits. To prevent future suffering, she developed The Beach Buddy: a portable stereo and phone charger with a handy sunburn calculator to warn you the next time the sun is turning you into barbecue.

After telling the Beach Buddy your skin type and your sunscreen’s SPF rating, a UV sensor takes a reading and an Arduino does a quick calculation that determines how long until you should reapply your sunscreen. Who wants to lug around a boring warning box, though?

[starwisher] went to the trouble of crafting a truly useful all-in-one device by modifying this stereo and this charger to fit together in a sleek custom acrylic enclosure. There’s a switch to activate each function—timer, charger, stereo—a slot on the side to house your phone, and an LCD with some accompanying buttons for setting up the UV timer. You can check out a demo of all the Beach Buddy’s features in a video below.
