by bravetraveler 639 days ago
One doesn't have to expose it to malicious actors. It is most-useful that way, sure. Mine is at 10.27.0.68. Have fun, hackers!

Also, I lol at most CVEs. Butterfly farted outside, oh uh.

Take the top one: In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.

You mean to tell me a few minor point releases imitated umask, making world-readable [and possibly added writable]? Oh no! The tragedy! Keep in mind most clients are single user systems anyway.

Judge them on their facts, there are vulns and then there are vulns. CVEs are a sign of attention on a project. No more or less.
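The CVE quoted above is about synced files ending up world-readable or world-writable on Linux. As an added illustration (not code from the thread or from Nextcloud), the script below shows how umask at file-creation time produces exactly those modes and how an administrator can audit a sync directory for them; the directory layout and file names are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

def world_access(mode: int) -> list[str]:
    """Return which 'other' permission bits are set on a file mode."""
    flags = []
    if mode & stat.S_IROTH:
        flags.append("world-readable")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags

def audit_sync_dir(root: str) -> dict[str, list[str]]:
    """Walk a sync directory and report regular files that 'other' can read or write."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        flags = world_access(path.stat().st_mode)
        if flags:
            findings[str(path.relative_to(root))] = flags
    return findings

def create_with_umask(path: str, mask: int) -> int:
    """Create a file under the given umask and return the resulting permission bits."""
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)  # restore the process-wide umask
    return stat.S_IMODE(os.stat(path).st_mode)

def demo() -> dict[str, list[str]]:
    """Constructed sample: a fake sync folder with files created under different umasks."""
    with tempfile.TemporaryDirectory() as root:
        create_with_umask(os.path.join(root, "private.txt"), 0o077)  # -> 0600, not reported
        create_with_umask(os.path.join(root, "shared.txt"), 0o022)   # -> 0644, world-readable
        create_with_umask(os.path.join(root, "leaked.txt"), 0o000)   # -> 0666, readable+writable
        return audit_sync_dir(root)

if __name__ == "__main__":
    for name, flags in sorted(demo().items()):
        print(f"{name}: {', '.join(flags)}")
```

On a single-user machine the 0644 result is the usual default; the audit matters where the sync directory lives on a shared or multi-user host.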


I find that one concerning in an enterprise setup (which they target). Or the fact that the desktop client has 999 open issues. Or that the last version silently takes you off the stable channel. I could go on … Nextcloud desktop has severe quality control issues.
The number of GitHub issues is an even worse metric than CVEs; many people just post wishlist issues there.
An enterprise setup where people share machines, sure. There are plenty of reasons to be afraid [and mitigations], no need to find them.

Either take control or sell/outsource it, no skin off my teeth. I was replying to someone making the case for 'just trust Google/whoever, lol'

My point is this nears hysterical fearmongering. I'd prefer if you don't go on, but it's more for your benefit.

Stopping before I start my own rant about risk tolerance

Yeah, one CVE is literally "You can use the MacOS variant of LD_PRELOAD on the client to hook libc calls! Oh no!!" This is a bogus CVE; any application can perform arbitrary actions when its system calls are hooked, but it requires such a strong threat model that the adversary realistically gains no ground by doing so.

("A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment")

You will note that the PR strengthens that model regardless.
Yeah, it's strange to me that's a CVE. That seems like "working as intended": if I, the owner of the machine, want to load other libraries, why shouldn't it respect that?