Robin H. Johnson robbat2

{
  "Id": "SourceIP",
  "Statement": [
    {
      "Action": "s3:*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "172.16.0.0/12",
robbat2 / block-compromised-github-key.sh
Created March 24, 2023 07:36
Mark compromised GitHub.com key as revoked
#!/bin/bash
# You might need to insert this in a slightly different place
cat >>/etc/ssh/ssh_config <<EOF
Host *
RevokedHostKeys /etc/ssh/ssh_revoked_hosts
EOF
cat >>/etc/ssh/ssh_revoked_hosts <<EOF
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
>>> Creating Manifest for /code/gentoo/gentoo-git/repo/gentoo/app-crypt/age
* age-1.0.0.tar.gz BLAKE2B SHA512 size ;-) ... [ ok ]
* age-1.0.0-deps-tampered.tar.xz BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking age-1.0.0.tar.gz to /var/tmp/portage-tmpfs/portage/app-crypt/age-1.0.0-r1/work
>>> Unpacking age-1.0.0-deps-tampered.tar.xz to /var/tmp/portage-tmpfs/portage/app-crypt/age-1.0.0-r1/work
go mod verify
all modules verified
>>> Source unpacked in /var/tmp/portage-tmpfs/portage/app-crypt/age-1.0.0-r1/work
>>> Preparing source in /var/tmp/portage-tmpfs/portage/app-crypt/age-1.0.0-r1/work/age-1.0.0 ...
Gentoo Golang deps bundled injection PoC
----------------------------------------
Author: Robin H. Johnson <robbat2@gentoo.org>
Date: 2022/10/21
Go build does not catch the injection of malicious code that might have been
included in a deps tarball.
$WORKDIR/age-1.0.0/go.sum (which is more-trusted, since it came from the age
upstream), contains this entry:
robbat2 / 000
Last active April 5, 2022 06:04
strace of Xorg
upgraded packages that could have broken it
x11-libs/pango ->1.50.4 ->1.50.6
x11-libs/motif ->2.3.8-r2 ->2.3.8-r3
x11-libs/libva ->2.13.0-r2 ->2.14.0
x11-libs/mx ->1.4.7-r2
x11-base/xwayland ->22.1.0 ->22.1.1
x11-libs/vte ->0.66.2 ->0.68.0
dev-qt/qtx11extras ->5.15.2-r1 ->5.15.3
x11-libs/libX11 ->1.7.3 ->1.7.4
robbat2 / aaa-bug.pl
Created November 18, 2021 06:14
perl segfault 2021/11/17
#!/usr/bin/perl -w
# The -w is required to trigger the segfault
# Copyright 2021/11/17 Robin H. Johnson <robbat2@gentoo.org>
# Public domain
my $v = undef;
my $c = undef;
my %x;
$x{$v} = '';
$x{$v} .= ' '.$c; # crash
robbat2 / upload-cert-ogconfig.sh
Created November 11, 2021 23:06
Wrapper to reload certificates using ogconfig-cli
#!/bin/bash
# This is a helper hack for updating the certs on the new OpenGear "Operations Manager"
# systems like OM2216.
#
# The script should be in the same directory as the key, cert & intermediate CA.
# Copyright 2020 Gentoo Authors, robbat2@gentoo.org
cd "$(dirname "$0")"
HOSTNAME=$1
DEST="root@${HOSTNAME}"
SOCK=$(mktemp -p . ssh.XXXXXXXXX.sock )
robbat2 / bugs.txt
Created November 10, 2021 23:43
glibc strptime ignores timezone
1. strptime isn't using the timezone specifier from "%z" to correctly convert non-UTC back to UTC
2. conversion when local tz is UTC or PST to the same value suggests there might be a second bug, depending on implementation.
robbat2 / gist:a33182bf5f2587d1fe3ccd1caf30689d
Created August 14, 2021 23:18
ganeti 3.0.1 compile failure
https://github.com/ganeti/ganeti/blob/master/src/Ganeti/THH/Types.hs#L118
-- | Generic 'curry' that constructs a currying function of a given arity.
curryN :: Int -> Q Exp
curryN 0 = [| ($ ()) |]
curryN 1 = [| (. OneTuple) |]
curryN n = do
  f <- newName "f"
  ps <- replicateM n (newName "x")
  return $ LamE (VarP f : map VarP ps)
From 9f8846066dd18b19dc08d7d605be899fd7e79782 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <robbat2@gentoo.org>
Date: Mon, 5 Jul 2021 14:34:14 -0700
Subject: [PATCH] gen_moddeps: better module detection
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
---
gen_moddeps.sh | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)