The vulnerability exploits a 13-year-old UAF memory corruption bug in Redis, allowing a post-auth attacker to send a crafted Lua script to escape the default Lua sandbox and execute arbitrary native code. This grants full host access, enabling data theft, wiping, encryption, resource hijacking, and lateral movement within cloud environments.
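A practitioner's check to go with that description: since the bug is only reachable through Redis's Lua scripting commands after authentication, the first defensive question is which ACL users can still issue them, and whether any of them authenticates without a password. This is an added example, not code from the thread or from Redis; the `ACL LIST` lines it parses are constructed, and the `#<...>` password hashes are placeholders.

```python
# Added audit helper (not from the thread). The Lua path only opens through the
# commands in Redis's @scripting ACL category, so an ACL audit shows who can reach it.
SCRIPTING_CMDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                            "script", "function", "fcall", "fcall_ro"})


def parse_acl_line(line):
    """Parse one 'ACL LIST' entry -> (user, enabled, lua_allowed, nopass).
    Command rules are applied left to right, as Redis itself does."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % line)
    user, enabled, nopass, allowed = tokens[1], False, False, set()
    for tok in tokens[2:]:
        low = tok.lower()
        if low == "on":
            enabled = True
        elif low == "off":
            enabled = False
        elif low == "reset":                      # off + resetpass + -@all
            enabled, nopass, allowed = False, False, set()
        elif low == "nopass":
            nopass = True
        elif low == "resetpass" or low[:1] in (">", "#"):
            nopass = False                        # adding a password clears nopass
        elif low in ("+@all", "allcommands"):
            allowed = set(SCRIPTING_CMDS)
        elif low in ("-@all", "nocommands"):
            allowed = set()
        elif low == "+@scripting":
            allowed |= SCRIPTING_CMDS
        elif low == "-@scripting":
            allowed -= SCRIPTING_CMDS
        elif low[:1] in ("+", "-") and low[1:] in SCRIPTING_CMDS:
            (allowed.add if low[0] == "+" else allowed.discard)(low[1:])
        # key/channel patterns (~ % &) and other categories do not affect the Lua path
    return user, enabled, bool(allowed), nopass


def audit_acl(acl_output):
    """Return (user, exposure) for every enabled user who can run Lua scripts."""
    findings = []
    for line in acl_output.strip().splitlines():
        user, enabled, lua, nopass = parse_acl_line(line)
        if enabled and lua:
            findings.append((user, "pre-auth" if nopass else "post-auth"))
    return findings


# Constructed sample ACL LIST output; the #<...> hashes are placeholders.
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* +@all -@scripting
user batch on #<sha256-placeholder> ~* &* -@all +@read +eval
user legacy off nopass ~* &* +@all
"""
```

Run `audit_acl(SAMPLE_ACL)` on real `ACL LIST` output: a "pre-auth" finding means the Lua path is open to anyone who can connect, and a "post-auth" one means every holder of that user's credentials can reach it until the instance is patched.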
13 years. That’s how long it took to find a critical safety vulnerability in one of the most popular C open source codebases, Redis. This is software that was expertly written by some of the best engineers in the world and yet, mistakes can still happen! It’s just that in C a “mistake” can often mean a memory-safety bug that would put user data at risk (…) That’s the nature of memory-safety bugs in C: they can hide in plain sight.
Why did you make me read these paragraphs without explaining how they connect to the context? Let me guess: they don’t connect to the context, you’re just designing your replies to mislead people dumb enough to be vulnerable to your manipulation tactics? With no consideration for me whose time/energy you’re wasting, much less them who you’re confusing?
Make sure you know exactly what “compiler” and “backdoor” mean. With that, you can probably skip the rest of this comment.
aubeynarf seems to be framing things in a way that might make you think C is immune to compiler backdoors, and might also make you think we’re in agreement on that point. That’s based on absolutely nothing. C has no special resistance to compiler backdoors. I hear Rust introduces new risk here, but I don’t see any reason to reframe that as all the risk with C being in other areas.
aubeynarf seems to be framing things in a way that might make you think security exploits all have similar levels of severity. Like, if you make a list of 100 exploits, it will be about the same severity as any other list of 100 exploits. That is not true. Scoring would be based on what damage the exploits can do, not how many there are.
If aubeynarf’s framing makes it seem like known exploits are scored by sheer quantity, that would also imply security experts put a lot of focus on “scoring” known exploits at all. We don’t. We might put a lot of energy into counting and scoring unknown exploits if we could, but we can’t, so this is again not an honest mistake or a slight twist from reality - it’s completely made up from nothing. Not only would quantity be unrelated if we did have a big use for scoring known exploits, but we don’t. Known exploits are not unknown exploits. We’re trying to expose unknown exploits, and fix them. Counting and scoring the known ones is just something that happens along the way. We would never weigh the entire concept of compiler backdoors by counting the ones we’ve identified.
aubeynarf seems to be framing things to set an impression of “oh this guy knows what he’s talking about and he thinks compiler backdoors are no big deal, so they must be no big deal.” If you fall for that, there’s not much I or anyone can do for you.
I am not banning anyone, you were quite civil in this “fight” [1]
Do keep in mind that all this has a lot of “editor wars” vibes. But the conflict goes beyond Debian (e.g. including Rust in Linux kernel), and actual harmful discussions between Rust and C/C++ people is REAL, damaging our communities, and very much driven by generations/ network-effect. And this is just sad. It’s not a technical issue, and overcoming it seems nearly impossible at the moment.
–
[1] I’d call it discussion, but it seems to me that ‘whoever loves Digit’ was ranting more on their own behalf… as per their own words:
Awareness should be raised for this stuff, because people are sadly not as concerned as they should be about the state of cybersecurity right now. It’s particularly an issue in Linux / FOSS circles where there seems to be more of a false sense of security these days.
I agree with these words, but not all you said (specifically, backdoors to me are a smaller concern in the software industry nowadays in comparison to the Redishell, provided that you were unable to fully understand). Anyway, I don’t see any reason to remove any of the most downvoted comments you have. But I will take the opportunity here to raise a warning to you. OR, let’s make it personal advice: arguing on the internet is not worth the emotional toll. As with any advice, you can either take it or leave it. Good luck!
Do keep in mind that all this has a lot of “editor wars” vibes. But the conflict goes beyond Debian (e.g. including Rust in Linux kernel), and actual harmful discussions between Rust and C/C++ people is REAL, damaging our communities, and very much driven by generations/ network-effect. And this is just sad. It’s not a technical issue, and overcoming it seems nearly impossible at the moment.
Is this the reason you give me a “warning” later in your reply? I’m not getting the exact point clearly. This topic is “harmful,” but I don’t think you warned everyone else discussing it? So what is the actual warning? Are you telling me not to reply in threads on this topic in the future?
backdoors to me are a smaller concern in the software industry nowadays in comparison to the Redishell provided that you were unable to fully understand
Backdoors are a top priority concern in consumer electronics. I hope nobody lets themselves be misled on that fact here.
I have no idea what “Redishell” is. I don’t think there was any point in this thread where I said anything about it, so what are you talking about with me being “unable to fully understand” it? Couldn’t you try telling me what it is and checking how much I understand before saying that? Am I totally forgetting something?
Whatever it is, it sounds like you’re implying it’s a security vulnerability that cannot be a backdoor, which I definitely don’t understand when I have no idea what it is.
I am not saying this as a moderator: you’re a person of obnoxious answers. Probably far too intelligent to even consider that you’re actually interacting with other human beings that may not want to engage or sacrifice their time with your rants. But I don’t ban based on personality.
Anyway, I don’t have to answer any of your questions. Typing comes too fast on your keyboard. Try stepping away, read, click the links (like the RediShell CVE), take a deep breath, live more calmly.
I will post a reply to your reply on Redishell, so that you can check again what happened there. You went too fast and hit your own wall.
I’m the guy you were replying to here. I’m not spouting any nonsense in this thread. Did you reply to the wrong person, or is this a false accusation?
Why did you make me read these paragraphs without explaining how they connect to the context? Let me guess: they don’t connect to the context, you’re just designing your replies to mislead people dumb enough to be vulnerable to your manipulation tactics? With no consideration for me whose time/energy you’re wasting, much less them who you’re confusing?
Our team has reviewed this interaction, and cannot issue a refund at this time.
For anyone confused:
Here’s your reply to Redishell. You answered “To anyone confused: […]” and went on and on talking about backdoors.
Still not getting your point. Is there a reason I should read about Redishell?
This is what a tryhard looks like, lol! You’re really twisting yourself around to “win” aren’t you?
What do you mean?
the only loss here is my time as a moderator :P
I value mine more than yours, sorry.
deleted by creator
I only said that I agreed with you in those words…
Do you think backdoors are the only threat? Or the biggest? In both cases, you’d be wrong. That’s the whole point of this exchange of opinions.