(8)bloat Vulnerability Pre-Disclosure September 16, 2023 on webb's site

Update (2023-09-16 10:10 EST): Some people who aren't fully aware of the projects are posting commentary on the situation that is, in places, incorrect. First of all, this is being done in full co-operation with the author of BloatFE. I am the author of 8bloat. An affected user of Bloat who was brought into the loop agreed that the timeline was a good one. This pre-disclosure is intended to give people time to prepare for the patches. BloatFE/8bloat are unusual in that they are services that adapt the API to HTML so it can be used without JavaScript. This requires running a service on a server, so admins are the ones who must upgrade Bloat on behalf of their users. This isn't just a case where you update from Google Play or something.

It will take time for admins to prepare for the patch, or even to be awake to know about it. It would be incredibly irresponsible to just release the patch and expect every admin to immediately know about the issue and upgrade on demand. The timeline that was made is deliberate and intentional.

I also want to clarify that the patch will be released at approximately 3AM EST on September 18th, since time zones and stuff can be funky.

I discovered a high-severity vulnerability within BloatFE, which extends to 8bloat. I am going to release a patch that fixes the issue 48 hours from this post. Additionally, @r@freesoftwareextremist.com will push a fix to the upstream repository.

There is no known version that is unaffected. There is no evidence this issue has been exploited in the wild.

In the meantime, to stay safe:

Admins: Completely shut off your instances of (8)bloat and wait for the patch to be released in the coming days. Do not run the server until this fix has been applied.

Users: Stop using the client and wait for more information in the coming days. Do not use the client until this fix has been applied.

(These are fairly generic instructions, I'm avoiding disclosing the nature of the issue at this time.)

There will be a few options once the patch is released:

  1. If you're running upstream Bloat, there will be a commit merged on the git repository to fix the issue. If you're running from git, you can run git pull. Similarly for 8bloat, we will push a fix you can pull; I will release this as pseudoversion v0.0.1.

  2. If you're unable to pull down the commit, you can manually apply it using an unofficial patch that I will attach to the post. I will also attach a similar patch for 8bloat.

  3. If you're unable to do either of the above, I will provide instructions for admins to mitigate the issue in BloatFE/8bloat.

In addition, I found a niche, low-severity issue that requires a very specific configuration and is unlikely to affect people.

Please spread the word, and let anyone who runs this client know about the issue.