#spectrum on 2020-04-10

2019-08-29 20:55 qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.spectrum-os.org/spectrum/

01:22 <Shell> qyliss: whatever Django it's running on still has a known logout CSRF vuln :p

01:24 <Shell> (it is mostly just annoying cos all it can do is log someone out, but.)

01:33 <MichaelRaskin> Does it has a matching _login_ CSRF vulnerability?

01:35 <Shell> I don't believe so.

01:36 <MichaelRaskin> Argh. I can imagine a threat model where CSRF login vulnerability _does_ make a CSRF logout vulnerability worse.

01:45 jmcasey has quit [Quit: My MacBook Air has gone to sleep. ZZZzzz…]

03:35 jmcasey has joined #spectrum

03:36 jmcasey has quit [Client Quit]

03:46 jmcasey has joined #spectrum

04:21 <colemickens> can sommelier be used without a chromium kernel

05:51 jmcasey has quit [Quit: My MacBook Air has gone to sleep. ZZZzzz…]

06:21 jmcasey has joined #spectrum

06:22 jmcasey has quit [Client Quit]

06:42 cole-h has quit [Ping timeout: 264 seconds]

07:57 pie_[bnc] is now known as pie_

07:57 pie_ is now known as pie__

07:57 pie__ is now known as pi^e

07:57 pi^e is now known as pi^e_

07:57 pi^e_ is now known as pie_[bnc]

08:43 xantoz has quit [Ping timeout: 256 seconds]

08:56 xantoz has joined #spectrum

09:46 <qyliss> colemickens: not with an upstream kernel

09:46 <qyliss> But you could take just the virtio_wl kernel from the Chromium kernel

09:47 <qyliss> *kernel module

09:47 <qyliss> I plan to do that at some point, but it's not a high priority

09:48 <colemickens> Are you saying its already built as an external kernel module and I could write a derivation for it, or would that require some kernel knowledge to do an extraction?

09:48 <qyliss> (I have tested before that it works, though)

09:48 <colemickens> I'm a kernel noob.

09:48 <qyliss> It's an in-tree module

09:48 <qyliss> So extracting it would be tricky

09:49 <qyliss> But copying it to your own kernel tree wouldn't be

09:49 <qyliss> (Probably)

09:49 <qyliss> Probably extracting it wouldn't be too bad, actually, but you'd have to know what you were doing I think

09:50 <MichaelRaskin> AFAIR out-of-tree modules have just a few variables in the Makefile different

09:50 <colemickens> Okay, cool, thanks for explaining.

09:50 <qyliss> I think when I tested it I just did a git log on devices/virtio/virtio_wl.c and cherry-picked every commit onto upstream

09:53 <qyliss> Shell: got any more info about the logout CSRF?

10:03 <MichaelRaskin> qyliss: what more info could even exist? A third-party site could cause a POST to the Django site causing a logout

10:15 <qyliss> What version of Django doesn't have it

10:16 <qyliss> Is there a patch for it

10:16 <qyliss> etc

10:16 <qyliss> Because this is our default Nixpkgs Django and despite the limited potential for abuse, it would be good to not have it

11:45 ehmry has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]

11:47 ehmry has joined #spectrum

13:02 ehmry has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]

13:02 ehmry has joined #spectrum

13:32 <qyliss> pretty cool: https://chromium.googlesource.com/chromiumos/platform/crosvm/+/0bf8a5590f3556d8ec05c182cb612f254fd416e5

13:33 <qyliss> Goog also seems to be working on some io_uring stuff in crosvm

13:48 <MichaelRaskin> Autobalancing of the balooning in the context of a lot of VMs running in parallel sounds a bit scary

15:03 <puck> note that crosvm is designed to run one VM on the system, so this system isn't too weird

16:42 <Shell> qyliss: https://code.djangoproject.com/ticket/15619

16:42 <qyliss> Shell: thank you :)

16:44 <qyliss> "9 years ago"

16:44 <Shell> yup

16:44 <Shell> still an issue iirc

16:44 <Shell> I came across it independently

16:44 <qyliss> wowww

16:46 <Shell> also you can hit it even if you're not an admin, despite it being the admin app's logout endpoint, lol.

17:01 cole-h has joined #spectrum

18:03 jmcasey has joined #spectrum