rejetto / hfs

HFS is a web file server to run on your computer. Share folders or even a single file thanks to the virtual file system.
GNU General Public License v3.0

Addressing CVE-2024-23692 in documentation #671

Closed todb-cisa closed 2 months ago

todb-cisa commented 2 months ago

Hi! I believe that the latest versions of HFS are unaffected by CVE-2024-23692, but when it comes to verifying this, it's not actually entirely clear. There's a note on https://www.rejetto.com/hfs/ that states that the old v2 codebase is "very dangerous," but it doesn't specifically mention CVE-2024-23692, or that v3 is unaffected. It stands to reason that this is the case, but that took some investigation. I don't see a release note or anything about it.

Would it be possible to be more obvious about it? The researcher's own writeup says that they agree with the assessment that v3 is in the clear, and the Metasploit module only mentions testing against v2, but these are secondary sources compared to the developers of the application.

I'm mainly just looking for some documentation to point at when people ask, especially now given the chatter around the bug.

If the note on the website was something like:

Version 2.3-2.4 is dangerous and should not be used anymore. A bug was recently found allowing an attacker to control your computer. Updating to the new Version 3 avoids the reported bug entirely.

...I think that would put a lot of people at ease and make it easier for IT folks to justify updating.

(Note, I put this under feature requests, not security, since the bug is purportedly already fixed/avoided and already public.)

LeoNeeson commented 2 months ago

I do understand and respect Rejetto's decision of being tired of updating HFS2, but people should know there is a known (unofficial) 'code fix' to this vulnerability (CVE-2024-23692), which can be seen in a fork maintained by the user @DRapid. So, anyone with enough knowledge could self-compile the binaries with the fix applied. You can see that particular 'commit' that led to the fix here: drapid/HFS@b699f9a1675a9708fa2c14c62a02290bac499de4, and this is also being discussed here: drapid/HFS#3.

That being said, it seems a new vulnerability (CVE-2024-39943) has been found yesterday in HFS3, for versions up to 0.52.9 (before 0.52.10) on Linux/Unix/macOS, and it was classified as critical. More info, here: https://vuldb.com/?id.270364

Although HFS3 is showing to be very good indeed, IMHO I think its success should -always- depend on itself and not on the failure of HFS2 (or on forcing users to upgrade to HFS3). That being said, I hope that Rejetto at some point changes his mind and issues an 'emergency patch' for rejetto/hfs2 (both versions: HFS v2.3m & v2.4 RC07), because in the end, this vulnerability could end up damaging the good reputation/brand that "HFS" has had for 20 years (and I think it goes beyond users' decision of whether or not to update to HFS3). And I'm not even talking about showing "empathy" for those who cannot upgrade to HFS3 (for whatever reason), because we are in a community where "technical" issues are discussed (and I am also no one to say this), but it seems his love for HFS2 has ended.

As always, Rejetto has the final decision about this.

rejetto commented 2 months ago

...I think that would put a lot of people at ease and make it easier for IT folks to justify updating.

Hey Tod, thanks for suggesting; I just clarified that on the website.

I hope that Rejetto at some point changes his mind and issues an 'emergency patch' for rejetto/hfs2

Hey Leo, you may expect that's like 1 hour of work for me, because that's actually what it would have been 10 years ago, but that's not the case anymore. It would take me probably a few dozen hours of frustrating work. Of course everybody is allowed to do it.