RUST IN WINDOWS ENABLES SEVERE ATTACK VECTOR

https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/

Rust sisters.... did we get to wienery???

  1. 2 months ago
    Anonymous

    >in Windows
    Not my problem

  2. 2 months ago
    Anonymous

    >rust
    not my problem

  3. 2 months ago
    Anonymous

    >The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments.
    Who does that?

    • 2 months ago
      Anonymous

      oh we should just leave it in because "who does that?" - well, anyone writing malware will take advantage of that, which is why it got a 10/10 severity rating. how is the hormone therapy going? grown breasts yet?

      • 2 months ago
        Anonymous

        >oh we should just leave it in because "who does that?"
        Yes, no use case. Won't fix.

  4. 2 months ago
    Anonymous

    >Rust sisters.... did we get to wienery???
    you got the wiener part right (except for the rust trannies that cut off their junk and call themselves emily). been watching rust shills on youtube in absolute panic mode
    > it..it's.. not as bad as it is!
    > 10/10 severity?! ridiculous
    these are the people shilling programming languages: morons that have no comprehension of how anything works, just paid for/bought corporate wiener suckers.

  5. 2 months ago
    Anonymous

    This is not a Rust only problem, this is a problem with Windows commands API in general.

    • 2 months ago
      Anonymous

      coperald, rust is literally not doing anything to make software safer and rustsisters go in full damage control every time

      • 2 months ago
        Anonymous

        if you think that's bad op, a new rust cve dropped that's also pretty fricking horrendous:
        >A timing-based side-channel flaw exists in the rust-openssl package, which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages for decryption. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.
        lmao.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3296

        the people working on the rust project are incapable of programming.

        • 2 months ago
          Anonymous

          If you look into this you discover that no proof of concept exists and that OpenSSL does not consider it a security issue: https://github.com/openssl/openssl/pull/13817#issuecomment-1997568776
          That's timing attacks for you, a giant mess at every layer

        • 2 months ago
          Anonymous

          >a side-channel attack that's practically infeasible to pull off outside a tightly controlled lab
          This is like the new low hanging fruits for security researchers.

        • 2 months ago
          Anonymous

          OpenSSL is not written in Rust. rust-openssl is the Rust bindings for OpenSSL. C shills are so desperate that they are blaming CVEs in code written in C on Rust just because you can call it from Rust code!
          https://github.com/sfackler/rust-openssl

          • 2 months ago
            Anonymous

            >we are too moronic to implement SSL in Rust
            >or wrap existing OpenSSL in safe interface, for that matter

          • 2 months ago
            Anonymous

            How can a wrapper remove timing attacks?

          • 2 months ago
            Anonymous

            just add sleep(random()) in your code, just like you already do in hash tables by using a hash function that thrashes icache every time

          • 2 months ago
            Anonymous

            https://github.com/rustls/rustls

          • 2 months ago
            Anonymous

            ok so why does the openssl wrapper exist?

          • 2 months ago
            Anonymous

            Why do you?

          • 2 months ago
            Anonymous

            to be your superior

          • 2 months ago
            Anonymous

            In case someone wanted to specifically use OpenSSL, I suppose. What, aren't people allowed to have choice?

          • 2 months ago
            Anonymous

            I'd like a choice to turn off the shitty borrow checker.

          • 2 months ago
            Anonymous

            How about write correct code and it won't matter?

          • 2 months ago
            Anonymous

            but the code is correct, the shitty borrow checker just cannot verify it because unlike me it's not intelligent

          • 2 months ago
            Anonymous

            Based on what? If you can't satisfy the borrow checker or uphold the few rules unsafe blocks must hold, then your code is probably wildly incorrect and broken.

          • 2 months ago
            Anonymous

            I have very low tolerance for intellectual dishonesty and I'd prefer if you refrained from it in the future.

          • 2 months ago
            Anonymous

            Then use unsafe and raw pointers if you're so sure of its correctness.

          • 2 months ago
            Anonymous

            cobol basically doesn't have those. You can use an array index in the same fashion though.

          • 2 months ago
            Anonymous

            Programming in COBOL is like pouring a bottle of Everclear directly onto your brain.

          • 2 months ago
            Anonymous

            it should be sobering that cobol is lookin good.

          • 2 months ago
            Anonymous

            >use unsafe for correct and safe code that borrow checker should accept as valid but is too useless to actually do it
            lol, lmao

          • 2 months ago
            Anonymous

            Yes. What's your point? Are you afraid of fricking up or something pussy? I use unsafe all the time. I don't get why you morons don't understand what you're talking about and then say weird nocoder cope all the time.

          • 2 months ago
            Anonymous

            Yes I refuse to mark safe code as unsafe.

          • 2 months ago
            Anonymous

            You can't really implement safe crypto in anything short of platform machine code (or a relatively sugar free assembler) and you still have to make assumptions that the CPU will do what you think it will, which isn't generally guaranteed.

          • 2 months ago
            Anonymous

            just design rust community approved cpu, or something

          • 2 months ago
            Anonymous

            Did you know you can write safely in cobol?

          • 2 months ago
            Anonymous

            I can write safe code in C too, what's your point? Although I'd rather not write any C at all.

          • 2 months ago
            Anonymous

            The more elegant the code, the more risky it is.

          • 2 months ago
            Anonymous

            from my experience it's the opposite, freakish pointer arithmetic in C is basically never safe while C++ abstractions like std::span have perceivable safety guarantees and are trivial to use safely (without any rust brain damage)

          • 2 months ago
            Anonymous

            I think it's true when comparing C to C. gets() is far more elegant than getline() but unfortunately it's a guaranteed buffer overflow vulnerability.
            >C++ abstractions like std::span have perceivable safety guarantees and are trivial to use safely (without any rust brain damage)
            You still have to deal with use-after-free though. I hear string_view is particularly footgunny because of implicit conversions. And std::span's operator[] doesn't require bounds checking, against Bjarne's wishes?
            It's clearly miles better than C but it seems more fricked than Rust's &[T] and &str.

          • 2 months ago
            Anonymous

            I never had an use after free bug in my entire life because I never free.

          • 2 months ago
            Anonymous

            You new everything and never delete? Only pointers on the stack?

          • 2 months ago
            Anonymous

            no I have this cool feature called RAII that Rust trannies blatantly copied then tried to pretend that they pioneered it as can be witnessed ITT.

          • 2 months ago
            Anonymous

            Do you even know what a UAF is? Honest question, because it sounds like you don't. I've seen a lot of shitty C++ code full of them that only started breaking when GCC and libstdc++ changed up some container types.

          • 2 months ago
            Anonymous

            I see a frog and I stop reading.

          • 2 months ago
            Anonymous

            templates are terrorism.

          • 2 months ago
            Anonymous

            I fully support terrorism on a massive scale that causes hurt to innocent people because noone is actually innocent and it's your fault for not shooting foreigners trying to cross the border.

          • 2 months ago
            Anonymous

            Unironically wish we could. There was another side channel attack due to Apple CPUs not implementing the new prefetching extension added to ARMv8 correctly. Only the newest parts properly documented and had a working register to disable it. For some dumb reason, apple implemented it by default which is why it was such a big deal. Unfortunately, Intel is doing the same but the Linux discourse is to basically disable it by default. Not having constant time operations due to prefetching behavior is insane and is a systemic issue in processor design. Remember CPU vendors only care about more speed, not secure designs. Thankfully they're still spending a lot of effort to make sure their CPUs are at least correct.

          • 2 months ago
            Anonymous

            I compiled a custom kernel just so I could disable all nothingburger mitigation pessimizations and I wish that people like you weren't allowed anywhere near hardware.

          • 2 months ago
            Anonymous

            And you're an idiot. Thankfully no one agrees with you or takes you seriously. Reminder disabling mitigations may make your setup slower too. moronic homosexual.

          • 2 months ago
            Anonymous

            I bet range checks make code faster too, troony

          • 2 months ago
            Anonymous

            >I bet range checks make code faster too,
            They do because you can run everything in one address space.

            >troony
            You don't have to sign your posts.

          • 2 months ago
            Anonymous

            the only rangecheck I'll ever use is ptr != end, no usecase known for the rest

      • 2 months ago
        Anonymous

        >rust is literally not doing anything to make software safer
        The windows commands interface is not written in Rust. If Rust is really that bad you shouldn't have to be so desperate to prove it.

        • 2 months ago
          Anonymous

          I don't need to prove anything, burden of proof is on rust trwho only keep proving that they're incompetent

      • 2 months ago
        Anonymous

        Rust prevents memory errors. It will do nothing to stop your moronic ass from making logic errors.

        • 2 months ago
          Anonymous

          memory errors are harder to make than logic errors and my logic is always flawless so I will stick to time tested C++

          • 2 months ago
            Anonymous

            according to that logic you'd still be safer using rust as you'd have an equal amount of logic errors (0) but marginally fewer memory safety errors
            looks like your flawless logic was flawmore all along

          • 2 months ago
            Anonymous

            non sequitur as expected from a troony

          • 2 months ago
            Anonymous

            entirely sequential response to points brought up in anon's message, consider huffing exhaust fumes
            also not trans

          • 2 months ago
            Anonymous

            huffing exhaust fumes is how you became this moronic

          • 2 months ago
            Anonymous

            You already have memory safety if you just don't have any logic errors at all

          • 2 months ago
            Anonymous

            troons can't into logic, don't blame him for not getting it

        • 2 months ago
          Anonymous

          Safety means safety, chud.

          • 2 months ago
            Anonymous

            70 IQ, even taking into account the fact that you're trolling

        • 2 months ago
          Anonymous

          >Rust prevents memory errors.
          Can I bet against this somewhere?

          HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HAHABAHAHHAHAHAHGSGSGSJSJSKDKKDPFFFFFSSSSSSSPLFFFFF

          • 2 months ago
            Anonymous

            I'm serious about this.

            memory is hard.

            100% they messed up. Guaranteed.

      • 2 months ago
        Anonymous

        As opposed to C, where everyone just uses the raw system calls and have to escape commands themselves anyways.

        • 2 months ago
          Anonymous

          Cniles at least don't have security theatre, all problems are well known and addressed, rust trannies can only seethe

          • 2 months ago
            Anonymous

            Admittedly, Rust is only trying to make guarantees about certain types of security vulnerabilities. Command injection by a failure to properly escape shit isn't a memory bug, so this isn't "Rust isn't doing what it promises". The problem will be fixed regardless (in fact it's already been fixed), but there's no violation of expectations.

          • 2 months ago
            Anonymous

            yes it's already established that Rust is useless, I will stick to Ada for security critical software.

          • 2 months ago
            Anonymous

            Ada has significantly worse guarantees than Rust.

    • 2 months ago
      Anonymous

      >all languages with a standard library have the same issue
      They must be getting really desperate if they're scraping the bottom of the barrel like this.

      • 2 months ago
        Anonymous

        >Java
        >Won't fix

    • 2 months ago
      Anonymous

      The moronic shitskin cniles here don't know anything about software, nor do they care about the truth.

      • 2 months ago
        Anonymous

        the truth is that you're seething about this and me still not using rust

        • 2 months ago
          Anonymous

          you don't use c or rust, dumb nocoder

          • 2 months ago
            Anonymous

            yes me not using shit troony langs makes me a nocoder, instead of coding like a troon, I program like a white man, I hope that one day I can be promoted from programmer to software engineer even, the further I am away from coders, the better.

  6. 2 months ago
    Anonymous

    >rust
    not my problem
    >windows
    not my problem

  7. 2 months ago
    Anonymous

    I'm just gonna pass untrusted input straight into bash, what's the worst that can happen?

    OH MY GOD, HOW COULD RUST CAUSE THIS VULNERABILITY

    • 2 months ago
      Anonymous
      • 2 months ago
        Anonymous

        nowhere do they tell you to inspect the script before executing it, curious

        • 2 months ago
          Anonymous

          >curl
          You should probably check the source as well, given that this C program has had many large vulnerabilities

          • 2 months ago
            Anonymous

            I have, thankfully it has no Rust code in it so cannot be that bad

  8. 2 months ago
    Anonymous

    They don't call it open sores for nothing.

  9. 2 months ago
    Anonymous

    >Non-existent problem
    You can't safely spawn processes in windows with any user provided input or input you dynamically generate.
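
    The command line that cmd.exe actually sees when the target is a `.bat`, as an added example written for this thread (it is not the Rust standard library's code and not from any post here). `quote_for_argv` is the argv-style quoting a Command API does for an `.exe` target; `cmd_hazards` is a simplified model of cmd.exe's own parse, enough to show why that quoting leaves `&calc.exe` live; `bat_arg` is one conservative hardening: it rejects `"`, CR and LF, rewrites `%` to `%%cd:~,%` (which cmd.exe expands back to a literal `%`; assumes command extensions are on, cmd.exe's default, and delayed expansion off), and force-quotes any other metacharacter. The script name `run.bat`, the sample arguments and the `&calc.exe` payload are constructed.

```rust
// Added example: how an argument list becomes a cmd.exe command line when the
// target is a .bat file, why argv-style quoting is not enough, and one
// conservative hardening. Illustration code, not the Rust std implementation.

/// Quote one argument the way the MSVC runtime / CommandLineToArgvW will undo it:
/// wrap in `"` only if the argument is empty or contains whitespace, and escape
/// an inner `"` as `\"` (doubling any backslashes that precede it). This is
/// sufficient for a normal .exe, whose own runtime parses argv.
pub fn quote_for_argv(arg: &str) -> String {
    let quote = arg.is_empty() || arg.chars().any(|c| c == ' ' || c == '\t');
    let mut out = String::new();
    if quote {
        out.push('"');
    }
    let mut backslashes = 0usize;
    for c in arg.chars() {
        if c == '\\' {
            backslashes += 1;
            continue;
        }
        // Backslashes are literal unless they precede a `"`; then n of them
        // plus the quote must become 2n+1 backslashes plus the quote.
        out.extend(std::iter::repeat('\\').take(backslashes));
        if c == '"' {
            out.extend(std::iter::repeat('\\').take(backslashes + 1));
        }
        backslashes = 0;
        out.push(c);
    }
    out.extend(std::iter::repeat('\\').take(backslashes));
    if quote {
        // Trailing backslashes before the closing quote are doubled (2n total).
        out.extend(std::iter::repeat('\\').take(backslashes));
        out.push('"');
    }
    out
}

/// Minimal model of the part of cmd.exe's own parse that matters here: every
/// `"` toggles quote state and `\` is NOT an escape (so the `\"` above means
/// nothing to cmd.exe); `& | < > ^ ( )` are special outside quotes; `%...%`
/// expansion and CR/LF ignore quotes entirely. Returns what cmd.exe would act on.
pub fn cmd_hazards(fragment: &str) -> Vec<char> {
    let mut in_quotes = false;
    let mut found = Vec::new();
    for c in fragment.chars() {
        match c {
            '"' => in_quotes = !in_quotes,
            '%' | '\r' | '\n' => found.push(c),
            '&' | '|' | '<' | '>' | '^' | '(' | ')' if !in_quotes => found.push(c),
            _ => {}
        }
    }
    found
}

/// Conservative escaping for one argument that will reach a .bat through
/// cmd.exe. What cannot be neutralised (`"`, CR, LF) is rejected; `%` becomes
/// `%%cd:~,%`, which cmd.exe expands to a literal `%` (assumes command
/// extensions on, the default); any other metacharacter forces quotes, inside
/// which cmd.exe treats it literally.
pub fn bat_arg(arg: &str) -> Result<String, String> {
    if arg.chars().any(|c| matches!(c, '"' | '\r' | '\n')) {
        return Err(format!("cannot be passed safely to cmd.exe: {arg:?}"));
    }
    let neutralised = arg.replace('%', "%%cd:~,%");
    // The set `cmd /?` documents as needing quotes, plus pipe/redirect chars.
    // `!` only matters with delayed expansion, assumed off (cmd.exe default).
    let special = "\t &()[]{}^=;!'+,`~|<>";
    if neutralised.is_empty() || neutralised.chars().any(|c| special.contains(c)) {
        Ok(format!("\"{neutralised}\""))
    } else {
        Ok(neutralised)
    }
}

/// Build `<script> <args>` as it would follow `cmd.exe /c`, either the pre-fix
/// way (argv quoting only) or with the hardened per-argument rule.
pub fn build_bat_line(script: &str, args: &[&str], hardened: bool) -> Result<String, String> {
    let mut parts = vec![format!("\"{script}\"")];
    for a in args {
        parts.push(if hardened { bat_arg(a)? } else { quote_for_argv(a) });
    }
    Ok(parts.join(" "))
}

fn main() {
    // Constructed inputs: a benign argument, one smuggling a second command,
    // and one cmd.exe would expand as an environment variable.
    let args = ["hello world", "&calc.exe", "%TEMP%"];
    let naive = build_bat_line("run.bat", &args, false).unwrap();
    println!("argv-quoted : {naive}");
    println!("  cmd.exe acts on: {:?}", cmd_hazards(&naive));
    let hardened = build_bat_line("run.bat", &args, true).unwrap();
    println!("hardened    : {hardened}");
    println!("  rejected    : {:?}", bat_arg("a\"b"));
}
```

    Run it and the naive line comes out as `"run.bat" "hello world" &calc.exe %TEMP%`: the `&` sits outside any quotes, so cmd.exe starts a second command, and `%TEMP%` is expanded before the batch file ever runs. The hardened line quotes the `&` and turns the percent signs into `%%cd:~,%`, and an argument containing `"` is refused rather than guessed at, which is the same shape of behaviour the advisory describes (escape what can be escaped, return an error for what cannot).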

  10. 2 months ago
    Anonymous

    >all the morons jerking themselves off over non-issues because it affects a language they have irrational hatred of
    I can't fathom how mentally moronic someone has to be to do this.
    Reminder C doesn't even provide a standard method for actually spawning processes outside of system() and it's objectively worse. But you morons don't actually use C so it went right past you.

    • 2 months ago
      Anonymous

      >muh standarterinos
      rust trannies don't even have one

      • 2 months ago
        Anonymous

        I can use command from the *standard* library and have a safe process spawning and monitoring system on every os (exception with windows due to every process parsing its own arguments, but this cve fix makes it much better than nothing).

        What can you do, homosexual? I bet you don't even know what's safe to do in a fork()

        • 2 months ago
          Anonymous

          And yet it's better at this than C
          Go figure

          ok show me how to spawn a process on bare metal using only Rust's standard library and no external dependencies.

          • 2 months ago
            Anonymous

            https://doc.rust-lang.org/std/process/struct.Command.html
            Ok.
            >Bare metal
            Are you moronic?

          • 2 months ago
            Anonymous

            >I cannot do this standard feature unless there's a kernel written in C with a syscall that enables this
            enough troony cope for today.

          • 2 months ago
            Anonymous

            good thing that we (real programmers) can implement our own system anytime

            What do you think system() does?

          • 2 months ago
            Anonymous

            You're not gonna have system() on bare metal either

          • 2 months ago
            Anonymous

            good thing that we (real programmers) can implement our own system anytime

          • 2 months ago
            Anonymous

            There is no standard library or processes on bare metal you brainlet.

            You can just make a syscall if you are on Linux and don't want dependencies.

          • 2 months ago
            Anonymous

            [...]
            What do you think system() does?

            don't care rust troony, you yap about standards then backpedal once there's no C code supporting your god complex

            Ada has significantly worse guarantees than Rust.

            it not being rust is the only guarantee I need

          • 2 months ago
            Anonymous

            What?

          • 2 months ago
            Anonymous

            if you're honestly too moronic to comprehend what your shitty fork + exec wrapper does then I have nothing else to tell you, I can write such wrapper in any language including C

          • 2 months ago
            Anonymous

            But you need to write it and rewrite it for different platforms
            This shit is why we have standard libraries

          • 2 months ago
            Anonymous

            standard libraries are quite literally most moronic idea ever and the fact that rust troons never learned from this shows that there's no future for real software engineering

          • 2 months ago
            Anonymous

            TЯΛTHИΛKЗ
            rustaceans ANNIHILATED

          • 2 months ago
            Anonymous

            If you do not have standard libraries, you either
            a.) Have to rely on external dependencies
            or
            b.) Have to write the same program twice if you want to port it to a different platform.

            Neither of these are more desirable than having a standard library.

          • 2 months ago
            Anonymous

            different platforms work differently and trying to unify their differences under one interface as one big dependency that cannot ever be changed post v1 is fricking moronic, did you even try reading your stdlib crossplatform code you fricking monkey?

          • 2 months ago
            Anonymous

            ?

          • 2 months ago
            Anonymous

            https://github.com/rust-lang/rust/issues/55614#issuecomment-1896336260 here's your perfect cross platform abstraction bro

            I'd rather figure out how to use winsock api than deal with moronation like this in C++, thank god C++ doesn't have any network related things in stdlib because it would be a disaster just like everything ever in every standard library.

          • 2 months ago
            Anonymous

            Just use https://doc.rust-lang.org/std/os/windows/io/trait.AsRawSocket.html and call the winsock API for this part. There's an easy escape hatch.

          • 2 months ago
            Anonymous

            except this requires dependency on winapi crate since it's impossible to just call winapi from rust without going through a humiliation ritual

          • 2 months ago
            Anonymous

            You can use the first-party windows crate
            https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/Networking/WinSock/fn.listen.html
            Using a Microsoft crate to do a Microsoft syscall doesn't seem like a big deal

          • 2 months ago
            Anonymous

            thanks, I will stick to native headers that were handwritten by cniles working on winapi

          • 2 months ago
            Anonymous

            Okay
            I will continue to use the nice high-level APIs when I can and only learn about win32 when forced to

            ok so why does the openssl wrapper exist?

            OpenSSL supports older insecure SSL versions/cipher suites/etc (see https://docs.rs/rustls/latest/rustls/manual/_04_features/index.html#non-features) so you might need it to connect to old insecure servers. It also helps keep everything on the same baseline as the rest of the system including configuration (some distros are fussy about this). And OpenSSL also exposes other functionality that isn't even directly about TLS, it has a very broad API.
            rustls is focused on being a solid TLS implementation without baggage. If it does what you need it's probably a better choice.
            t. has used both

          • 2 months ago
            Anonymous

            Why is this a problem anyhow? Anything higher than 128 is likely just going to be bufferbloat
            Make your shit faster. Simple as.

          • 2 months ago
            Anonymous

            how about anything lower than 128? moron.

          • 2 months ago
            Anonymous

            >don't care
            ? Do you use C?

          • 2 months ago
            Anonymous

            >use
            yes
            >write
            no

      • 2 months ago
        Anonymous

        And yet it's better at this than C
        Go figure

  11. 2 months ago
    Anonymous

    It's not "rust in windows" it's Rust on windows and not just rust but also several other languages. Some of them decided to not even fix this (Java).

  12. 2 months ago
    Anonymous

    >sunglasses tanning on the COBOL BEACH OF MEMORY SAFETY

  13. 2 months ago
    Anonymous

    picrel

  14. 2 months ago
    Anonymous

    I wonder if it is insecure for my program to use an item in my array. will this fail to throw out of bounds and result in undefined behavior? No, I did not use NOBOUND.

    whew.

  15. 2 months ago
    Anonymous

    I kek how the moron force has moved on from discussing the OP's mostly non-issue crap to raging about being too incompetent to handle the borrow checker.
    Do you morons ever do anything else other than cope and seethe? It's insane. This is somehow worse than the systemd haters and the X trannies.

    • 2 months ago
      Anonymous

      why are you an intellectually dishonest piece of shit? Everyone who works on rustc can back me up on the fact that the borrow checker is not perfect and prevents perfectly valid code from compiling due to its limitations.

      • 2 months ago
        Anonymous

        No one who has an IQ above 80 cares, moron kun. Those same people are capable of understanding what a model is, what a model can check and what is possible outside of the model (anything else).
        Go be a mathlet brainlet on some moron pen like

        [...]

        .
        Maybe you're a coder, but you sure as shit not a competent one.

        • 2 months ago
          Anonymous

          I already addressed the fact that I'm not a coder, but a programmer, by the way I could ride a bike without training wheels at 6 years old, I cannot imagine being a 46 year old man and still needing them to solve a less complex problem than balancing your body correctly.

          • 2 months ago
            Anonymous

            No, you're a coder and a shitty one at that. You don't even understand basic concepts.

          • 2 months ago
            Anonymous

            yes I only understand trivial concepts like self referencing data structures instead, so sad that your toy language does not, unless I switch from syntax more abstract than C++, to more inane than C triple pointer indirection math.

          • 2 months ago
            Anonymous

            >yes I only understand trivial concepts like self referencing data structures
            And yet you don't understand why a model like Rust's borrow checker can't guarantee the correctness of such things... Curious.
            You still sounds like a moronic homosexual to me. I'd tell you to go back to school, but you're too moronic to glean anything from that or your state school is trash.

          • 2 months ago
            Anonymous

            It can't because rust trannies are bad at programming and cannot make the borrow checker actually useful beyond fixing 68IQ pajeet mistakes that white people like me never make to begin with.

  16. 2 months ago
    Anonymous

    >Windows
    skill issue

    • 2 months ago
      Anonymous

      yes, but not necessarily the rust guy.

      rust is bad because it sucks under the hood.

      but a lot of smart straight-questioning guys are sucked into troony trends.

  17. 2 months ago
    Anonymous

    This was found because of yt-dlp
    https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p

    Cpython issue, they seem to only plan on doing doc changes
    https://github.com/python/cpython/issues/114539

  18. 2 months ago
    Anonymous

    >programmed by trannies and furries
    It will get fixed.

  19. 2 months ago
    Anonymous

    Javachads, seems like Rustroony code will go 41% as well lol

    • 2 months ago
      Anonymous

      Java is literally wontfix. It didn't do shit for this cve.

      • 2 months ago
        Anonymous

        and? Not our problem.
