Advisories

USN-7061-1: Go vulnerabilities

Read Time:1 Minute, 31 Second

Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)

Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)

Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)

Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue to read or write files with
elevated privileges. (CVE-2023-29403)

Juho Nurminen discovered that Go incorrectly handled certain crafted
arguments. An attacker could possibly use this issue to execute arbitrary
code at build time. (CVE-2023-29405)

It was discovered that Go incorrectly validated the contents of host
headers. A remote attacker could possibly use this issue to inject
additional headers or entire requests. (CVE-2023-29406)

Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a
cross-site scripting attack. (CVE-2023-39318, CVE-2023-39319)

It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting in a denial of service.
(CVE-2023-39325)

It was discovered that the Go html/template module did not validate errors
returned from MarshalJSON methods. An attacker could possibly use this
issue to inject arbitrary code into the Go template. (CVE-2024-24785)

Read More

News

Deebot Robot Vacuums Are Using Photos and Audio to Train Their AI

Read Time:41 Second

An Australian news agency is reporting that robot vacuum cleaners from the Chinese company Deebot are surreptitiously taking photos and recording audio, and sending that data back to the vendor to train their AIs.

Ecovacs’s privacy policy—available elsewhere in the app—allows for blanket collection of user data for research purposes, including:

The 2D or 3D map of the user’s house generated by the device
Voice recordings from the device’s microphone
Photos or videos recorded by the device’s camera

It also states that voice recordings, videos and photos that are deleted via the app may continue to be held and used by Ecovacs.

No word on whether the recorded audio is being used to train the vacuum in some way, or whether it is being used to train a LLM.

Slashdot thread.

Read More

News, Advisories and much more

Exit mobile version