Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking - eviltoast
    • jjagaimo@lemmy.ca
      1 year ago

      Directly probably not. It's more likely an implementation issue than a federation issue.

      “Using carefully crafted media files, attackers can cause Mastodon’s media processing code to create arbitrary files at any location”

      I doubt Lemmy and Mastodon share image parsing code.

      • npmstart_pray@lemmy.fmhy.ml
        1 year ago

        I’d not be so confident given just how quickly the rollout happened. Remember, we’re talking only a matter of weeks. (I’m a little more comfortable with things especially with the frequency of updates this far - I’ve installed 2 today)

    • wagesj45@kbin.social
      1 year ago

      This bug was a result of the way that Mastodon handled file uploads. Because of the way that Mastodon attempted to figure out what kind of file a user uploaded, it was possible to create a very specific type of multimedia file that would, when analyzed by the server, trick the server into executing its contents like code rather than an image or movie file. Unless Lemmy processes files the same way, Lemmy should be unaffected.
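
As an added example (not Mastodon's own code, and not from any poster in this thread), here are the two independent controls a defender wants around the upload step this comment describes: decide the media type from the file's leading bytes against a strict allowlist rather than trusting any declared type, and confine every resulting write to the media directory. The `media_root` and file names below are hypothetical.

```ruby
# Added example: defensive upload validation, not Mastodon's code.
# Allowlist of accepted media types, keyed by the leading bytes ("magic")
# that the file must start with, mapped to the only extension it may carry.
MAGIC = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b, "png"],
  "image/jpeg" => ["\xFF\xD8\xFF".b, "jpg"],
  "image/gif"  => ["GIF8".b, "gif"],
}.freeze

# Returns the allowlisted MIME type matching the file's leading bytes, or nil.
# Anything not in the allowlist (scripts, archives, polyglots with an
# unrecognised header) is simply refused upstream of any processing library.
def sniff_type(head)
  head = head.b
  MAGIC.each { |mime, (sig, _ext)| return mime if head.start_with?(sig) }
  nil
end

# Validates an upload and returns the absolute destination path, or raises.
#   media_root     - directory under which every media file must land (hypothetical)
#   requested_name - relative name derived from the request (treated as untrusted)
#   head           - first bytes of the uploaded content
def safe_destination(media_root, requested_name, head)
  mime = sniff_type(head)
  raise ArgumentError, "unsupported media type" if mime.nil?
  ext = MAGIC[mime][1]

  # Resolve the final path and refuse anything that escapes the media root,
  # so a crafted name can never become a write to an arbitrary location.
  root = File.expand_path(media_root)
  dest = File.expand_path(File.join(root, requested_name))
  raise ArgumentError, "path escapes media root" unless dest.start_with?(root + File::SEPARATOR)

  # The extension on disk must agree with the sniffed content type, so a
  # PNG-headed file cannot be stored under a name that other components
  # would interpret differently.
  raise ArgumentError, "extension does not match content" unless File.extname(dest) == ".#{ext}"
  dest
end
```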

    • rehendix@kbin.social
      1 year ago

      Nope, other than the use of the ActivityPub standard to communicate information, Mastodon and Lemmy are entirely separate pieces of software. Whether Lemmy, Kbin and similar also have vulnerabilities that would allow for a similar exploit is dependent on how they’ve been designed.