zizmor would have caught the Ultralytics workflow vulnerability

from blog ENOSUCHBLOG, | ↗ original
↗ original
TL;DR: zizmor would have caught the vulnerability that caused this…mostly. Read on for details.
This is a short summary. ↗ Open original to view full content

Related

Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty
Blog | Sam Curry | original ↗
Impact of remote-code execution vulnerability in LangChain
ntietz.com blog | original ↗
"No way to prevent this" say users of only language where this regularly happens
Xe Iaso's blog | original ↗
A couple ideas that went nowhere
Push the Red Button | original ↗
As If Perplexity Didn’t Suck Enough They’re Also Hotlinking Images
Robb Knight • Posts • RSS Feed | original ↗
My journey to disclosing a vulnerability that can lock up millions in Ethereum
GEEK.SG | original ↗
Followup to "A Very Subtle Bug"
Posts on Made of Bugs | original ↗
CVE-2007-4573: The Anatomy of a Kernel Exploit
Posts on Made of Bugs | original ↗
"No way to prevent this" say users of only language where this regularly happens
Xe Iaso's blog | original ↗
The most secure chip in the world just got hacked.
zach's tech blog | original ↗

More from ENOSUCHBLOG

Security means securing people where they are
18 Nov 2024 | original ↗

Standard disclaimer: These are my personal opinions, not the opinions of my employer, PyPI, or any open source I projects I participate in (either for funsies or because I’m paid to). In particular, nothing I write below can be interpreted to imply (or imply the negation of) similar opinions by any of the above, except where explicitly stated.

Introducing zizmor: now you can have beautiful clean workflows
27 Oct 2024 | original ↗

This is an announcement for zizmor, a new tool for finding security issues in GitHub Actions setups. You can run it on one or more workflow definitions1, and it’ll emit cargo-style diagnostics, SARIF, or JSON as you please. Support for custom actions (e.g. action.yml within actions/checkout or similar) is planned, but not implemented yet. ↩

YAML feature extraction with yamlpath
10 Sept 2024 | original ↗

Another Rust crate announcement: this time I’m announcing yamlpath, a small library for format-preserving YAML feature extraction.

Tracking and publishing my TILs
18 Aug 2024 | original ↗

Mini-post.

Approximating sum types in Python with Pydantic
12 Aug 2024 | original ↗

TL;DR: You can use Pydantic’s support for tagged unions to approximate sum types in Python; go right to Sum types in Python (and onwards) to see how it’s done.