-
m-relay<rbrunner7:monero.social> Maybe I am dumb. HackerOne says "This report has been disclosed." but I don't see any details, can't seem to read anything from the conversation, hardly know anything more now than what this was about, on a conceptual level. Is this already "disclosure"? Is there a second level of "disclosure" with more details?
-
sech1 monero-project/monero #9765 was the PR that fixed that vulnerability
-
sech1 TL;DR it was possible to make monerod allocate too much RAM while serving many RPC requests in parallel
-
selsta rbrunner7: it's a limited disclosure, the issue submitter requested it this way
-
m-relay<ofrnxmr:xmr.mx> sech1 that's a different one
-
m-relay<syntheticbird:monero.social> From my understanding of it, no, there is no second level of disclosure provided by H1.
-
m-relay<syntheticbird:monero.social> also yeah ofrnxmr is right. sech1 this is a different vulnerability
-
m-relay<syntheticbird:monero.social> I hope whoever found this one in particular will disclose it in detail
-
m-relay<ack-j:matrix.org> These DoS issues are why I think it is so important to develop RPC fuzzing harnesses for monerod. I'm soliciting quotes from different firms currently for MAGIC. If anyone knows someone willing and able to write C++ fuzzing harnesses compatible with AFL++, please reach out.
-
m-relay<sagewilder:unredacted.org> From my analysis, the network code, especially the epee section, would better benefit from an extended peer review, and some sections should be rewritten entirely.
-
m-relay<sagewilder:unredacted.org> Fuzzing can be considered next.
-
m-relay<boog900:monero.social> the list of things that could do with a refactor is quite large ... :p
-
m-relay<spirobel:kernal.eu> maybe even get rid of epee entirely?
-
m-relay<sagewilder:unredacted.org> I noticed that the recent release revealed that you made two disclosures; was Cuprate a catalyst for your findings?
-
m-relay<boog900:monero.social> one of them yes, the other no, but I used Cuprate crates to make PoCs for both.
-
selsta we do have some fuzz tests: github.com/monero-project/monero/tree/master/tests/fuzz
-
m-relay<syntheticbird:monero.social> we can't sir
-
m-relay<syntheticbird:monero.social> be more precise
-
m-relay<spirobel:kernal.eu> lordoftheepee.png
-
m-relay<syntheticbird:monero.social> LMAO