(www.bleepingcomputer.com)

174 points andy99 | 1 comments | 06 Apr 25 17:21 UTC | HN request time: 0.001s | source

Show context

3eb7988a1663 ◴[06 Apr 25 18:06 UTC] No.43603491[source]▶

Maybe the headline should note that this a parser vulnerability, not the format itself. I suppose that is obvious, but my first knee-jerk thought was, "Am I going to have to re-encode XXX piles of data?"

replies(2): >>43603869 #>>43604836 #

brokensegue ◴[06 Apr 25 18:46 UTC] No.43603869[source]▶

>>43603491 #

What would it mean for the vulnerability to be in the format and not the parser?

replies(3): >>43603925 #>>43603966 #>>43606334 #

1. jonstewart ◴[07 Apr 25 00:46 UTC] No.43606334[source]▶

>>43603869 #

That data had to be encoded in a certain way which would lead to unavoidable exploitation in every conforming implementation. For example, PDF permits embedded JavaScript and… that has not gone well.

↑

Max severity RCE flaw discovered in widely used Apache Parquet