The vulnerability exploits a 13-year-old UAF memory corruption bug in Redis, allowing a post-auth attacker to send a crafted Lua script to escape the default Lua sandbox and execute arbitrary native code. This grants full host access, enabling data theft, wiping, encryption, resource hijacking, and lateral movement within cloud environments.
13 years. That’s how long it took to find a critical safety vulnerability in one of the most popular C open source codebases, Redis. This is software that was expertly written by some of the best engineers in the world and yet, mistakes can still happen! It’s just that in C a “mistake” can often mean a memory-safety bug that would put user data at risk (…) That’s the nature of memory-safety bugs in C: they can hide in plain sight.
And while you bring up the “boo-hoo, software written in C has bugs” common knowledge, to my best knowledge the standard Rust library still has unsafe parts. But that’s no problem, because contracts, sure. Thanks for demonstrating how full of nonsense you are, bye
It’s weird how often these same strawman arguments are the response when Rust’s safety advantage over C comes up. Usually the same adolescent tone too.
> The vulnerability exploits a 13-year-old UAF memory corruption bug in Redis, allowing a post-auth attacker to send a crafted Lua script to escape the default Lua sandbox and execute arbitrary native code. This grants full host access, enabling data theft, wiping, encryption, resource hijacking, and lateral movement within cloud environments.
> 13 years. That’s how long it took to find a critical safety vulnerability in one of the most popular C open source codebases, Redis. This is software that was expertly written by some of the best engineers in the world and yet, mistakes can still happen! It’s just that in C a “mistake” can often mean a memory-safety bug that would put user data at risk (…) That’s the nature of memory-safety bugs in C: they can hide in plain sight.
Why did you make me read these paragraphs without explaining how they connect to the context? Let me guess: they don’t connect to the context, you’re just designing your replies to mislead people dumb enough to be vulnerable to your manipulation tactics? With no consideration for me whose time/energy you’re wasting, much less them who you’re confusing?
Make sure you know exactly what “compiler” and “backdoor” mean. With that, you can probably skip the rest of this comment.
aubeynarf seems to be framing things in a way that might make you think C is immune to compiler backdoors, and might also make you think we’re in agreement on that point. That’s based on absolutely nothing. C has no special resistance to compiler backdoors. I hear Rust introduces new risk here, but I don’t see any reason to reframe that as all the risk with C being in other areas.
aubeynarf seems to be framing things in a way that might make you think security exploits all have similar levels of severity. Like, if you make a list of 100 exploits, it will be about the same severity as any other list of 100 exploits. That is not true. Scoring would be based on what damage the exploits can do, not how many there are.
If aubeynarf’s framing makes it seem like known exploits are scored by sheer quantity, that would also imply security experts put a lot of focus on “scoring” known exploits at all. We don’t. We might put a lot of energy into counting and scoring unknown exploits if we could, but we can’t, so this is again not an honest mistake or a slight twist from reality - it’s completely made up from nothing. Not only would quantity be unrelated if we did have a big use for scoring known exploits, but we don’t. Known exploits are not unknown exploits. We’re trying to expose unknown exploits, and fix them. Counting and scoring the known ones is just something that happens along the way. We would never weigh the entire concept of compiler backdoors by counting the ones we’ve identified.
aubeynarf seems to be framing things to set an impression of “oh this guy knows what he’s talking about and he thinks compiler backdoors are no big deal, so they must be no big deal.” If you fall for that, there’s not much I or anyone can do for you.
I have no horse in this fight, so pardon my asking:
You self-admittedly don’t know code, so like, why are you trying to argue about code?
That’s like a DJ and a barber arguing over which carburetor jet is correct in a classic Mercedes. The answer is muddier than either of them knows enough to understand, because they’re not mechanics or engineers.
Are you a programmer? Cybersecurity researcher? Bot designed to sow discontent with pretty argument?
Like, what’s the point of all this? Neither of you knows what you’re talking about, I don’t even know what you’re talking about but I can clearly read the vibes-based technobabble between you, so like, why?
> You self-admittedly don’t know code, so like, why are you trying to argue about code?
Because the level of knowledge that would stop you from rephrasing my words into “don’t know code” is much higher than the level of knowledge I’m using in the argument.
> That’s like a DJ and a barber arguing over which carburetor jet is correct in a classic Mercedes. The answer is muddier than either of them knows enough to understand, because they’re not mechanics or engineers.
How is that like an unpaid cybersecurity expert arguing about cybersecurity then?
> Are you a programmer?
Already answered this and you acknowledged that in the beginning. It’s becoming clearer and clearer you’re replying in purely bad faith.
> Cybersecurity researcher?
Kinda, but not really.
> Bot designed to sow discontent with pretty argument?
Obviously not, and now it seems like you’re trying to bait me into the kind of response that could get me banned here. This discussion would be more appropriate for nostr, where no one can be banned.
> Like, what’s the point of all this?
The main point of your gish gallop is to waste my time and energy and confuse other people.
The main point on my side of the discussion has been to raise awareness of how concerned the general public should be (and sadly isn’t) about the general state of cybersecurity right now, especially in vital areas like how the Linux ecosystem and coding languages themselves are developing.
> Neither of you knows what you’re talking about
Incorrect. I have talked about, for example, a user’s statements in a discussion I linked to. I know this. You can’t really provide an example of anything I’ve mentioned here that I don’t know about.
You could use “don’t know what you’re talking about” as a euphemism for how the person I was replying to was spewing bullshit, but I’d just call them a liar. Seems more straightforward. Either way, that’s not me.
> don’t even know what you’re talking about but I can clearly read the vibes-based technobabble between you
I think in this context, you should be trying to ignore the vibes and understand what’s being said.
> so like, why?
Awareness should be raised for this stuff, because people are sadly not as concerned as they should be about the state of cybersecurity right now. It’s particularly an issue in Linux / FOSS circles where there seems to be more of a false sense of security these days.
About random numbers? Not really
Are you referring to where I said “I want to know some random numbers Rust isn’t giving me, and that’s a problem with Rust?”
Because that was in your imagination.
Or are you referring to where I said “Rust wants to know some random numbers it isn’t giving itself?”
Because that was also in your imagination.
In reality, I brought up that I’ve heard Rust adds another layer of trusting the compiler isn’t backdoored.
While you’re spouting nonsense, this is happening:
https://www.infoq.com/news/2025/11/redis-vulnerability-redishell/
> And while you bring up the “boo-hoo, software written in C has bugs” common knowledge, to my best knowledge the standard Rust library still has unsafe parts. But that’s no problem, because contracts, sure. Thanks for demonstrating how full of nonsense you are, bye
> It’s weird how often these same strawman arguments are the response when Rust’s safety advantage over C comes up. Usually the same adolescent tone too.
I’m the guy you were replying to here. I’m not spouting any nonsense in this thread. Did you reply to the wrong person, or is this a false accusation?
> Why did you make me read these paragraphs without explaining how they connect to the context? Let me guess: they don’t connect to the context, you’re just designing your replies to mislead people dumb enough to be vulnerable to your manipulation tactics? With no consideration for me whose time/energy you’re wasting, much less them who you’re confusing?
Our team has reviewed this interaction, and cannot issue a refund at this time.
For anyone confused:
> I have no horse in this fight, so pardon my asking:
> You self-admittedly don’t know code, so like, why are you trying to argue about code?
> That’s like a DJ and a barber arguing over which carburetor jet is correct in a classic Mercedes. The answer is muddier than either of them knows enough to understand, because they’re not mechanics or engineers.
> Are you a programmer? Cybersecurity researcher? Bot designed to sow discontent with pretty argument?
> Like, what’s the point of all this? Neither of you knows what you’re talking about, I don’t even know what you’re talking about but I can clearly read the vibes-based technobabble between you, so like, why?
lol dude, I know what I’m talking about. I’ve been a software engineer for 30 years.
> Because the level of knowledge that would stop you from rephrasing my words into “don’t know code” is much higher than the level of knowledge I’m using in the argument.
> How is that like an unpaid cybersecurity expert arguing about cybersecurity then?
> Already answered this and you acknowledged that in the beginning. It’s becoming clearer and clearer you’re replying in purely bad faith.
> Kinda, but not really.
> Obviously not, and now it seems like you’re trying to bait me into the kind of response that could get me banned here. This discussion would be more appropriate for nostr, where no one can be banned.
> The main point of your gish gallop is to waste my time and energy and confuse other people.
> The main point on my side of the discussion has been to raise awareness of how concerned the general public should be (and sadly isn’t) about the general state of cybersecurity right now, especially in vital areas like how the Linux ecosystem and coding languages themselves are developing.
> Incorrect. I have talked about, for example, a user’s statements in a discussion I linked to. I know this. You can’t really provide an example of anything I’ve mentioned here that I don’t know about.
> You could use “don’t know what you’re talking about” as a euphemism for how the person I was replying to was spewing bullshit, but I’d just call them a liar. Seems more straightforward. Either way, that’s not me.
> I think in this context, you should be trying to ignore the vibes and understand what’s being said.
> Awareness should be raised for this stuff, because people are sadly not as concerned as they should be about the state of cybersecurity right now. It’s particularly an issue in Linux / FOSS circles where there seems to be more of a false sense of security these days.
This is what a tryhard looks like, lol! You’re really twisting yourself around to “win” aren’t you?
What do you mean?