qprimed

joined 3 years ago
[–] qprimed@lemmy.ml 3 points 12 hours ago

drones are cheap.

[–] qprimed@lemmy.ml 8 points 1 day ago

you know the ecosystem is FUBAR when this is your (and my) very first thought when a vuln pops up.

[–] qprimed@lemmy.ml 3 points 1 day ago

a security site that (kinda) demands JS shields down? sigh... anyway here is the article for those that prefer to not do silly things...

cw: OOB writes and race conditions.Open source antivirus scanning sits inside mail gateways, file upload checks, and endpoint tooling at organizations of every size. Much of that work runs through ClamAV, the scanning engine maintained by Cisco’s Talos group. The project released two patch versions, 1.5.3 and 1.4.5, carrying fixes for seven security flaws along with smaller hardening changes.

Most of the patched bugs sit in the code that unpacks and parses executable formats, the part of a scanner built to handle hostile input. CVE-2026-20213 is an integer overflow in the PE rebuild size calculation that a malformed Aspack-packed file can trigger, leading to a heap buffer overflow write. The related CVE-2026-20214 covers an FSG unpacker loop underflow that can write past the section array during a scan of a crafted PE file. Both reach far back through the codebase, with the FSG issue present in builds dating to 2004.

CVE-2026-20217 rounds out the PE group. A bug in the PESpin unpacker cleanup path could free pointers into the scanned file buffer and crash the scanner. That flaw has lived in the code since 2005. Archive and image format bugs

Three more fixes address archive and disk-image handling. CVE-2026-20215 is a 7z parser substream count overflow that can under-allocate parser metadata arrays and then write past them when reading a crafted archive. CVE-2026-20243 covers ALZ parser size handling errors that can make malformed ALZ archives panic, abort the scanner, or skip expected scan-limit handling. CVE-2026-20216 is an InstallShield archive extraction limit bypass that can write far more temporary data than intended and drain temporary storage.

The last parsing flaw, CVE-2026-20244, sits in the 32-bit DMG parser. A short mish stripe table could pass validation and crash the scanner. This one affects only 32-bit builds, going back to version 0.98.1, and leaves 64-bit builds untouched. Quarantine race condition

The releases also harden the quarantine actions in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use races. Under unsafe quarantine directory settings, those races could redirect files as the scanner copied, moved, or removed them. Hiroki Imai of Ricerca Security, Inc. reported the issue.

Version 1.5.3 adds a few items beyond 1.4.5. It upgrades the Rust tar dependency to resolve two RUSTSEC advisories and moves the Rust openssl dependency past CVE-2026-41676. Metadata preclass scans now run before the final scan verdict. A ClamOnAcc fix addresses hash bucket list corruption when two watched paths land in the same bucket. Both releases raise the minimum CMake version to 3.17 to repair Linux builds that link static dependencies against libcurl v8.21.0.

The release files are available on the GitHub release page, and through Docker Hub in Alpine and Debian containers.

[–] qprimed@lemmy.ml 2 points 1 week ago

an absolutely amazing interview. I spent years of my childhood reading technical documents from this man. he and jay miner were heros of mine and the amiga completely changed my relationship with technology.

[–] qprimed@lemmy.ml 49 points 1 week ago (1 children)

the words. they have committed a murder.

[–] qprimed@lemmy.ml 7 points 1 week ago (1 children)

turns it into homemade napalm - sticky.

[–] qprimed@lemmy.ml 6 points 1 week ago

knives (three different ones)

loved your write up. thank you.

[–] qprimed@lemmy.ml 1 points 2 weeks ago (3 children)

dont discount the utility of running containers in an abstracted Hardware Virtual Machine (HVM) away from your physical hardware. it expands your testing surfaces and sandboxes immeasurably.

[–] qprimed@lemmy.ml 29 points 2 weeks ago (2 children)

also...

That means the US only has 197.25 million barrels left before the caverns could face irreparable damage. If the US consumers, who use 20 million barrels a day, had to rely exclusively on the SPR, the US only has less than a 9-day supply of reserves.

insane. just fucking insane.

[–] qprimed@lemmy.ml 15 points 2 weeks ago

finally! after 11 wretched years... real inspiration to correctly use the phrase "i'm with her".

[–] qprimed@lemmy.ml 25 points 2 weeks ago

“It has seen its job as explaining why we cannot instead of showing how we can, and that old way of thinking will lose on Tuesday. And frankly, it will lose in South Carolina and New Hampshire. It will fall short of 270 electoral votes, because the party of the past will not be what leads us into the future.”

the man is legitimately on fire.

[–] qprimed@lemmy.ml 4 points 2 weeks ago* (last edited 2 weeks ago)

just installed forgejo on a locally hosted lxc instance on a spare qemu VM. will use primarily for my own projects and external devs who collaborate on client projects.

doing my part to give an nvidia sized/shaped "torvalds" to ms.

edit: love it. glad I finally pulled the trigger on this.

 

interesting workup on the latest set of US jobs numbers and the corp. media propaganda surrounding them.

 

Dave explains the magic of fopen and the multiple ways it can be used that many programmers do not even know about.

 

any suggestions on enclosure or room temp/humidity sensors? PoE network connected would be ideal, but USB works as well (cheap, simple). polling/transformation of data will ultimately be done by a raspi 3b.

open software/hardware is highly desirable and, as long as data is structured, I can transform as needed for insertion into a zabbix backend.

thanks for any recommendations :-)

 

We used to think Mimas was a dead world, famous only for the massive crater that gives the moon an uncanny resemblance to the Death Star. But in 2024, scientists discovered a secret hidden beneath its battered shell: a vast, liquid ocean we didn’t know existed.

Timestamps

  • 0:00 The Death Star Moon
  • 2:00 Herschel Crater
  • 6:36 Pac-Man Boundary
  • 9:24 Splitting Saturn’s Rings
  • 12:08 Mimas vs Enceladus
  • 15:00 Hidden Ocean
  • 18:07 Could Mimas Have Life?
 

have enjoyed this quite a bit. its funny, science-y and a great downtime listen with a nice hhgttg feel. production will hopefully continue with a little more attention.

available via search in antennapod, via the website or this RSS feed.

 

have enjoyed this quite a bit. its funny, science-y and a great downtime listen with a nice hhgttg feel. production will hopefully continue with a little more attention.

available via search in antennapod, via the website or this RSS feed.

12
submitted 1 year ago* (last edited 1 year ago) by qprimed@lemmy.ml to c/privacy@lemmy.ml
 

I have noticed recently (perhaps within the last 6-12 months?) that I can hit many major sites via Tor with JavaScript off. there are a few that reject Tor connections or render illegibly - but, for many mainstream sites, things are actually pretty reasonable. fingerprinting and personal threat models aside, this seems like a positive move and feels different from e.g. 2 years ago.

am I slowly going insane? has anyone else noticed this? tested over time via orbot and classic Tor nodes with various hardened and non-hardened browsers and DNS resolvers.

 

super tight fit and I had to shear off a tiny tab on the wiper blade to complete the install, however its all good and solid.

wife gave me the "damn, you're useful" smile. good times.

18
submitted 3 years ago* (last edited 3 years ago) by qprimed@lemmy.ml to c/jerboa@lemmy.ml
 

just updated to the v0.0.35 f-droid build and jerboa started to consistently crash at seemingly random times. likewise, I would get web UI error notifications while using the web frontend.

did a little testing and noticed that it may be related to the "show avatars" setting being enabled.

turning "show avatars" off and saving the settings seems to have eliminated the issues on both web and app.

will continue to test and update the post if needed. any others able to confirm or refute this particular issue might be helpful.

edit: there are still crashes related to editing a post, but crashes while scrolling through posts and comments seem to be much reduced. any feedback is welcome.

edit2: further poking suggests the underlying cause may be jerboa not handling server response timeouts well. turning off avatars may reduce the number of API calls and therefore the number of potentially mishandled timeouts. crash frequency is likely variable as a result of variable server load. if others also experience reduced crash frequency with avatars turned off then I can either create a github issue or add info to an existing one.

 

sorry about the quality - was stopped (safety first) but dealing with poor picture taking conditions.

 

Just checked the Jerboa git and...

Had to document it for posterity.

 

I know that many of us already know this, but it should repeated as often as needed.

we are the network -- the network is us.

social is nothing without the interactions that we create. reddit was just a place; a place that, because of a centralized power dynamic, abused us all.

we have are now at a cultural juncture, an opportunity to bring back what each of us knows to be true. our interactions do not need to capitalized, marketed and sold.

we are not products. we are the network.

please, find communities that even mildly interest you or catch you eye, join them and comment on posts.

just had this conversatin with the wife and she is joining Lemmy to start her own federated social journey.

/end_rant

view more: next ›