I have checked the code, extensively. I did find an exploit where a carefully 
crafted yobj file could be instrumented to create a DOS attack or a nuisance 
attack and I'm looking into how to fix that issue.



However, I also did check the YEngine code, and compiled scripts are most 
certainly NOT stored as binaries in assets in the grid server or local asset 
store. The asset server only ever sees script source, we do NOT create assets of 
type LSLBytecode or any other type containing compiled scripts. Compiled 
scripts are only ever stored on the local hard disk. They are also sent 
alongside other region transfer info, but they never become assets.



For the moment, grids that either allow region connections or HG are well 
advised to keep TrustBinaries off, I have to retract my previous statement 
about safety in YEngine after finding that exploit vector.



For now, TrustBinaries=true is ONLY recommended for walled gardens allowing 
neither external regions nor hypergrid. 



However, compiled scripts are NOT stored as assets. In fact the very functions 
that deal with them are absolutely unable to handle anything other than local 
files.



- Melanie




---- On Fri, 15 Oct 2021 22:22:33 +0100 Leal Duarte <ajldua...@sapo.pt> wrote ----


Did TrustBinaries = false fix the issue?

As you did observe, TrustBinaries is not only a major security problem, 
it also forces the use of binary code wrongly stored on the asset at grid.

so the only fix with TrustBinaries = true, is manual inworld recompile.

0008026: "Runtime Error in script... Could not load type 'list' from 
assembly..." Script fails to function - MantisBT (opensimulator.org) 
<http://opensimulator.org/mantis/view.php?id=8026>

you can not set it true after an upgrade. A rez from inventory will 
trigger the issue again.

Ubit


On 14-Oct-21 14:54, Asaff Belfer wrote:
> Hello,
>
> I don't mind setting TrustBinaries = false as our grid is a "walled 
> garden" so there will not be cases of untrusted binaries entering our 
> system.
>
> I still don't understand how could new compiled code generate this error.
>
> I'm starting to think that there is something in the old LSL code that 
> somehow gets fixed when the LSL code is saved again.
>
> Thanks,
> Asaff
>
>
> On Thu, Oct 14, 2021 at 1:50 PM Melanie <mailto:mela...@t-data.com> wrote:
>
>     TrustBinaries is safe in regions using only YEngine. That is
>     because the compiled YEngine scripts are not actually binaries,
>     they are not DLLs. They are just a preparsed AST to save the
>     compiler some work, but that AST is used to generate the binary
>     code on the receiving side.
>
>
>
>     With XEngine, TrustBinaries would let other regions send actual
>     DLLs, which would be dangerous. With YEngine, it's perfectly safe.
>
>
>
>     - Melanie
>
>
>
>
>
>
>     ---- On Thu, 14 Oct 2021 11:37:15 +0100 Leal Duarte
>     <mailto:ajldua...@sapo.pt> wrote ----
>
>
>     Make sure you have TrustBinaries = false in opensim.ini
>
>     That should never be true except on a few use cases.
>
>     Ubit
>
>
>     On 13-Oct-21 15:56, Asaff Belfer wrote:
>     > But this is just it.
>     > The simulators were not upgraded. They were re-installed in a different
>     > folder so it's a completely new installation.
>     >
>     > Could it be that there is a C# or a compiled code stored inside the assets
>     > server?
>     >
>     > Asaff
>     >
>     >
>     > On Wed, Oct 13, 2021 at 5:00 PM Leal Duarte <mailto:ajldua...@sapo.pt> wrote:
>     >
>     >> Hi,
>     >>
>     >>       Yes on a major upgrade you should delete folder
>     >> .../bin/ScriptEngines so all scripts are compiled and initialized again.
>     >>
>     >> Ubit
>     >>
>     >>
>     >> On 13-Oct-21 11:23, Asaff Belfer wrote:
>     >>> Hello everyone,
>     >>>
>     >>> We've recently upgraded our grid to version 0.9.1.1. We found out that some
>     >>> scripts generate exceptions. These exceptions seem to go away when editing
>     >>> the LSL script and saving again (it could be a minor change like a space
>     >>> somewhere).
>     >>>
>     >>> Here is an example of the exception that we get:
>     >>>
>     >>> [03:21] System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.MissingMethodException: Method not found: 'LSLString OpenSim.Region.ScriptEngine.Shared.ScriptBase.ScriptBaseClass.llKey2Name(System.String)'.
>     >>>      at SecondLife.XEngineScript.init()
>     >>>      at SecondLife.XEngineScript.default_event_state_entry()
>     >>>      --- End of inner exception stack trace ---
>     >>>
>     >>> Server stack trace:
>     >>>      at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
>     >>>      at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
>     >>>      at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
>     >>>      at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
>     >>>      at OpenSim.Region.ScriptEngine.Shared.ScriptBase.Executor.ExecuteEvent(String state, String FunctionName, Object[
>     >>>
>     >>> Did anyone else have problems with scripts from previous versions like this?
>     >>> thanks,
>     >>> Asaff
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> Opensim-users mailing list
>     >>> mailto:Opensim-users@opensimulator.org
>     >>> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-users