from the river to i3, hyprland will get an audit

4 months ago
14

reading:

https://github.com/hyprwm/Hyprland/blob/main/src/plugins/HookSystem.cpp#L140-L223 Suspicious homebrew malloc system instead of properly handling plugins

https://github.com/hyprwm/Hyprland/blob/main/src/plugins/HookSystem.cpp#L225-L229 non-portable plugin system

https://github.com/hyprwm/Hyprland/blob/main/src/plugins/PluginAPI.cpp#L315-L321 shelling out to fucking nm to read symbols (incredibly cursed)

execAndGet is a bad programming practice to just use left, right and center, as can be seen by vulnerability https://nvd.nist.gov/vuln/detail/CVE-2024-42029 which was caused by exposing untrusted inputs (i.e. window titles) to execAndGet without sanitizing properly, showing why this kinda shit can be a concerning practice

But also more importantly
https://bugs.gentoo.org/930831#c6
Poor response and acknowledgement of security issues (granted he responded to the portal one well)

tl;dr Hyprland has been trying to mark its stack memory executable for some reason

malloc does not check for nullptr but moriginal_bytes cannot be null
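
The untrusted-input problem the post describes for execAndGet, as an added example that is not part of the original post and not Hyprland's code. `shellExecAndGet` and `argvExecAndGet` are hypothetical helpers and the window title is a constructed sample; the first hands an interpolated string to `/bin/sh`, the second passes the title as one argv element with no shell involved.

```cpp
// Added example, not Hyprland code. Helper names are hypothetical.
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Shell-string pattern: popen() gives the whole line to /bin/sh -c,
// so anything interpolated into it is parsed as shell syntax.
std::string shellExecAndGet(const std::string& cmd) {
    std::string out;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    return out;
}

// argv pattern: fork + execvp, no shell. Each argument reaches the
// program byte-for-byte, so metacharacters in it are just data.
std::string argvExecAndGet(const std::vector<std::string>& args) {
    std::string out;
    int fds[2];
    if (args.empty() || pipe(fds) != 0) return out;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return out; }
    if (pid == 0) {                       // child: stdout -> pipe, then exec
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        std::vector<char*> argv;
        for (const auto& a : args) argv.push_back(const_cast<char*>(a.c_str()));
        argv.push_back(nullptr);
        execvp(argv[0], argv.data());
        _exit(127);                       // exec failed
    }
    close(fds[1]);
    char buf[256]; ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    waitpid(pid, nullptr, 0);
    return out;
}

// Constructed sample: a window title carrying a command substitution.
const std::string kTitle = "notes $(echo INJECTED)";

std::string viaShell() { return shellExecAndGet("printf '%s' \"" + kTitle + "\""); }
std::string viaArgv()  { return argvExecAndGet({"printf", "%s", kTitle}); }
int main() { std::printf("shell: %s\nargv:  %s\n", viaShell().c_str(), viaArgv().c_str()); }
```

With the shell helper the substitution inside the title is evaluated; with the argv helper the title comes back unchanged.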
