Faraday
Published in Faraday

Securing open source software

At Faraday, we are part of the open-source community. Our product relies on many open-source projects and is itself released under the GNU General Public License. Fortunately, these practices are becoming more common, and with them open-source software is increasing its presence in data centers, consumer devices, and applications.

But this can have its drawbacks too, as this xkcd comic illustrates. In particular, some of the software we use daily was not built with security in mind. In many cases, these tools started as small side projects or weekend experiments, and their creators did not foresee how popular they would become. Whatever the reason, after reflecting on this, our research team started a new quest: to find and report vulnerabilities in the open-source projects we use every day.

These are the vulnerabilities we’ve disclosed during 2021:

  • CVE-2021-4021: Uncontrolled resource consumption via a specially crafted ELF64 binary for the MIPS architecture in radare2.
  • CVE-2021-4022: Segfault when analyzing an ELF64 binary for the HPPA architecture in Rizin.
  • CVE-2021-43814: Heap-based out-of-bounds write when parsing DWARF DIE info in Rizin.
  • CVE-2021-4166: Out-of-bounds read while loading a session in Vim.
  • CVE-2021-4192: Use-after-free while loading a session in Vim.
  • CVE-2021-4193: Out-of-bounds read while loading a session in Vim.

Octavio Gianatiempo