Security fix for Guile (or: don't trust localhost to be localhost only)

Christopher Allan Webber at 2016-10-11T14:44:02Z

I reported a security vulnerability for Guile. I'm happy to say that a fix is out and you can read about it. If you remember me linking to this article, that's pretty much what it is.

But here's the real lesson: you can't really assume that localhost is localhost-only for private data or "secure" locally privileged anything. This has become more clear to me while working on ActivityPub and looking into other server processes which might also post to anything remote. We recommend against accessing localhost URIs in ActivityPub, but note that the above attack against Guile could also possibly apply to a server: using DNS tricks to convince a server to attack itself on localhost. All sorts of server and client software which may themselves send requests are probably vulnerable to this.

So the lesson: don't use localhost for local-only things. Use unix domain sockets or named pipes! Network architectures are just too complex these days...

Charles Stanhope likes this.

Good catch! And nice that they patched it so quickly.


I think a nice Blog article by you explaining the larger ramifications of this would be a good thing (time permitting), as I can see how this new-ish vector might get a lot of attention from miscreants looking for exposed surfaces.

Freemor at 2016-10-11T16:25:37Z

Christopher Allan Webber likes this.