Conversation

at least once: CVE-2019-9195 Grin node (Rust) remote code execution vulnerability reported by

grin-forum.org/t/critical-vul fixed in 1.02

Quote Tweet

May 13, 2019

My idea of remote code execution security is "Use Rust"; I would not be surprised if I screwed up once or twice. Looking forward to Philip Daian applying these new high standards to Emin "Sell your Bitcoin" Sirir. Or more importantly, his ridiculous Zcash claims. twitter.com/phildaian/stat…

Show this thread

Replying to

and

Well, at least it's not a memory corruption issue. Also love how archive directory traversal, which has been known for decades, suddenly has a funky name.

Replying to

and

Security best practices also don't just include using a memory safe language but also enforcing that nothing other than the update system can write to data that can be executed. A server process shouldn't be run with the privilege to modify itself or anything directly executable.

6:25 PM · May 13, 2019Twitter Web Client

Replying to

There's a mistake in the design of the system beyond just a specific file write bug if the file write bug can trivially lead to code execution, similarly to how using a language where common mistakes become exploitable memory corruption bugs is not just about individual mistakes.

Replying to

and

in my experience path traversal -> code execution most of the time in practice

Show replies