5 Oct 2024 |
emily | relevant comment about timing / multiple sessions https://matrix.to/#/!NBBFPbiuttRgTqbrcY:nixos.org/$-nf3vPAiCozFLiNCXkzyvCjEZ9W57MT7dOBOLu9ee_U?via=nixos.org&via=matrix.org&via=nixos.dev | 03:18:05 |
emily | and pointer to earlier discussion from there | 03:18:10 |
ElvishJerricco | yea, so my guess is that there is some vulnerability here, that's probably quite difficult to take advantage of | 03:18:26 |
ElvishJerricco | part of it depends on when exactly pam_sm_open_session happens. | 03:21:29 |
ElvishJerricco | But I think you can make that not matter by having a non-gdm session open before gdm-autologin happens | 03:27:53 |
ElvishJerricco | which is probably plausible with systemd user lingering | 03:28:04 |
ElvishJerricco | oh that was easier than I thought | 03:55:46 |
ElvishJerricco | emily: you around? | 03:55:49 |
6 Oct 2024 |
emily | https://github.com/NixOS/nixpkgs/pull/346797 could probably use more opinions/discussion (for once I lean slightly against) | 12:47:22 |
Winter | yeah i don't like this... i'll write up something | 17:53:22 |
emily | i think we have decent consensus to not mark it right now at this point | 17:57:03 |
9 Oct 2024 |
Nick Cao | firefox RCE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/ | 14:12:28 |
Valodim | whew | 14:20:57 |
emily | @hexa:lossy.network | 14:30:23 |
hexa | cool. | 14:30:33 |
Vika Shleina (she/her) | (in reply to @nickcao:nichi.co: "firefox RCE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/") Is firefox-devedition (131.0b9) vulnerable? Not entirely familiar with Firefox versioning | 14:34:54 |
hexa | very likely | 14:35:09 |
hexa | https://github.com/NixOS/nixpkgs/pull/347500 | 14:38:25 |
Vika Shleina (she/her) | (in reply to @hexa:lossy.network: "very likely") There is apparently Firefox 132 beta. I could try my hand at bumping this. | 14:47:08 |
hexa | uh, I can push more to my branch | 14:47:22 |
hexa | ok, bumped | 14:51:20 |
Vika Shleina (she/her) | Thank you! 💖 | 14:51:39 |
hexa | the expensive thing is to test the stuff 🙂 | 14:52:06 |
hexa | ok, firefox is bumped, tested and backported | 18:13:40 |
hexa | I'm kicking the hydra jobsets next | 18:13:57 |
emily | [image: image.png] | 21:39:41 |
emily | all it needs is a stale bot response for the perfect GitHub comedy | 21:39:44 |