Skip to content
This repository has been archived by the owner on Oct 24, 2021. It is now read-only.

nuTensor: Security vulnerability #23

Open
potassiumchloride opened this issue Jul 15, 2021 · 5 comments
Open

nuTensor: Security vulnerability #23

potassiumchloride opened this issue Jul 15, 2021 · 5 comments

Comments

@potassiumchloride
Copy link

potassiumchloride commented Jul 15, 2021

Hi,

recently a security vulnerability was disclosed for uBlock Origin (uBO) which also affects uMatrix (uM). It is already fixed in uBO and the uM fork for Palemoon called ηMatrix.

Given the fact that the original uM is unmaintained and @gorhill hasn't published at least a security fix only for uM at the same time as for uBO, I wonder if nuTensor might provide a security fix. Update (2021-07-19): uM also received an official emergency fix by @gorhill.

Relevant info: uBlock Origin (and uMatrix) DoS with strict-blocking filter and crafted URL

@nicolaasjan
Copy link

nicolaasjan commented Jul 16, 2021

It is already fixed in uBO and the uM fork for Palemoon called ηMatrix.

@DrFlibble
Take a look at ηMatrix's fix in main-blocked.js.
[Edit]
Pull request ed44470 is better. :)

@nicolaasjan
Copy link

@gorhill released a new version of uMatrix with a fix for the security vulnerability:
https://github.com/gorhill/uMatrix/releases/tag/1.4.2

@potassiumchloride
Copy link
Author

Amazing news! @gorhill, many, many, many thanks for changing your mind and releasing a new fixed version of uM! Thanks for taking care of us regular users!

@potassiumchloride potassiumchloride changed the title nuTensor/uMatrix: Security vulnerability nuTensor: Security vulnerability Jul 19, 2021
@jtagcat
Copy link

jtagcat commented Jul 20, 2021

@potassiumchloride this issue may be closed, as it's been fixed upstream


@DrFlibble please comment on your absence. At least, upstream should be tracked, (if possible, it is).

There have been small, minor improvements, though as it stands now, upstream is better-standing.


for changing your mind

As the repo remains archived, and as far as my common sense goes, low-quality reports, issues, are still hell. More likely, it's affection. Abandoning a thing¹ you have worked on for weeks is hard, and comes with guaranteed guilt.

¹ commonly said as 'abandoning your child', yet I refuse to compare a few-year project to lifetime children.

I'll try to refrain from further speculating, possibly imposing my speak as @gorhill's.

@khimaros
Copy link

this is the upstream fix: gorhill@30c12da

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants