"Buffer Overflow Vulnerability in WebSocket Handling".
A bot? An AI? Just a silly reporter? Another fine waste of #curl maintainer time.
curl disclosed on HackerOne: Buffer Overflow Vulnerability in...
## Summary: Hello security team, Hope you are doing well :) I would like to report a potential security vulnerability in the WebSocket handling code of the curl library. The issue is related to...HackerOne
OndΕej Caletka reshared this.
πππππ
in reply to daniel:// stenberg:// • • •Harsh Shandilya
in reply to daniel:// stenberg:// • • •Juliette
in reply to daniel:// stenberg:// • • •This just popped up in my timeline and seems apropos
phpc.social/@stratlantic@musicβ¦
daniel:// stenberg://
Unknown parent • • •Gina HΓ€uΓge
in reply to daniel:// stenberg:// • • •winnie, the disassembling bear
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to winnie, the disassembling bear • • •I can set different filter levels, but in this case the first submission they did was not obviously rubbish so nobody would have filtered it out without closer inspection. I did not either.
We have to remember language barriers and cultural differences. Sometimes it takes a little back and forth before the real details reveal. I cannot just immediately shout AI just because they phrase themselves oddly.
MegatronicThronBanks
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to MegatronicThronBanks • • •L
in reply to daniel:// stenberg:// • • •These kinds of reports will probably end up with maintainers (understandably) dismiss any clearly LLM-written report...
Nikita Karamov
in reply to daniel:// stenberg:// • • •> Certainly! Let me elaborate on the concerns raised by the triager
Oof, I can smell ChatGPT from a mile away π Crazy how they've just kept it in, even though it makes it seem like they're addressing themselves in the third person π€¦π»ββοΈ
TheStroyer
in reply to daniel:// stenberg:// • • •Brodie Robertson
in reply to daniel:// stenberg:// • • •Mitsunee | ε ι³
in reply to daniel:// stenberg:// • • •the TL;DR I got from this is:
- strcpy might cause a buffer overflow
- there is bounds checking
- yes but that might not be sufficient
- can you show an example where it's not sufficient
- *insert example where bounds checking is sufficient*
Very clear that whatever AI was used cannot understand code at all, huh?
Melroy van den Berg
in reply to daniel:// stenberg:// • • •RefCell { value: <borrowed> }
in reply to daniel:// stenberg:// • • •that's quite obviously a LLM (looks very much like it and GPTzero says 91% likely), but does anyone know why people do that?
I'm legit curious if that's just someone "having fun" hooking up the ChatGPT API to a bot, or if there's actually a financial goal behind that. I can see this being useful to give credibility to a Reddit account but here, they're not gaining anything at all
daniel:// stenberg://
in reply to RefCell { value: <borrowed> } • • •Purple @ EF
in reply to daniel:// stenberg:// • • •