For clarity: The post is about a server running a 3rd party docker image of qbittorrent.
But there’s no evidence presented that it was hotio’s docker image on GCHR which was compromised, and there is reason to believe it might be an older, vulnerable version of qbittorrent in the docker image which was compromised.
You're absolutely right, based on the tenor of the previous message exchange, it is likely that brap is indeed sarcastically responding to gryfft. Do you want me to explain the mechanics of this interaction?
Turing completeness is irrelevant, as it only addresses computation. Security has to do with system access, not computational capacity. Brainfuck is Turing complete, but lacks any primitives to do more than read from a single input stream and write to a single output stream. Unless someone hooks those streams up to critical files, you can't use it to attack a system.
Language design actually has a lot of impact on security, because it defines what primitives you have available for interacting with the system. Do you have an arbitrary syscall primitive? Then the language is not going to help you write secure software. Is your only ability to interact with the system via capability objects that must be provided externally to authorize your access? Then you're probably using a language that put a lot of thought into security and will help out quite a lot.
A number of operating system security features, such as ASLR, exist because low level languages allow reading and writing memory that they didn't create.
Conversely, barring a bug in the runtime or compiler, higher level languages don't enable those kinds of shenanigans.
See for example the heart bleed bug, where openssl would read memory it didn't own when given a properly malformed request.
reply