Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking

BrikoX@vlemmy.net to Technology@lemmy.world – 111 points –
Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking
arstechnica.com
7

You are viewing a single comment

Not a comment but a question- does this potentially affect Lemmy servers as well?

Directly probably not. Its more likely an implementation issue than a federation issue.

“Using carefully crafted media files, attackers can cause Mastodon's media processing code to create arbitrary files at any location"

I doubt lemmy and mastodon share image parsing code

I’d not be so confident given just how quickly the rollout happened. Remember, we’re talking only a matter of weeks. (I’m a little more comfortable with things especially with the frequency of updates this far - I’ve installed 2 today)

Lemmy has been in development since 2019. And Lemmy uses pict-rs for images.

This bug was a result of the way that Mastodon handled file uploads. Because of the way that Mastodon attempted to figure out what kind of file that a user uploaded, it was possible to create a very specific type of multimedia file that would, when analyzed by the server, trick the server into executing its contents like code rather than an image or movie file. Unless Lemmy processes files the same way, Lemmy should be unaffected.

Nope, other than the use of the ActivityPub standard to communicate information, Mastodon and Lemmy are entirely separate pieces of software. Whether Lemmy, Kbin and similar also have vulnerabilities that would allow for a similar exploit are dependent on how they've been designed.