SShortSingh.
Back to feed

Ollama Patches Third RCE Bug in Three Years, All Tied to Model File Parsing

0
·3 views

Ollama, a popular self-hosted LLM runtime, has disclosed a remote code execution vulnerability affecting all versions before 0.7.0, rooted in an out-of-bounds write flaw during MLLAMA model metadata parsing. The bug allows a crafted model file to declare a metadata array length that causes the runtime to write beyond an allocated buffer, a classic primitive for achieving code execution. This is the third RCE-class vulnerability Ollama has patched in three years, following a 2024 path-traversal flaw dubbed 'Probllama' and a ZipSlip bug in version 0.1.37, all occurring at the model-loading boundary. The most realistic attack vector involves uploading a malicious model to a public registry, where unsuspecting users running 'ollama pull' on a vulnerable build would be exposed. Users are advised to upgrade to Ollama 0.7.0 or later, which includes patched parsers that validate all length-bearing metadata fields against their allocated buffers.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Chrome Extension Replaces Website Ads with Artworks from Major Public Museums

A developer has released a Chrome extension called Ads Art that substitutes visible advertisements on websites with artworks sourced from two renowned public institutions. The extension draws images from the Art Institute of Chicago and The Metropolitan Museum of Art. It operates locally on the user's computer using a collection of JavaScript scripts. The project is open source, with its code publicly available on GitHub for anyone to explore or contribute to.

0
ProgrammingDEV Community ·

How json_shield Was Built to Be Understood by AI Code Assistants

A Dart package called json_shield has been engineered with AI coding assistants in mind, recognizing that tools like Copilot and Cursor now generate much of the code that consumes open-source packages. The package's author identifies four key artifacts — README, example directory, doc comments, and pubspec.yaml description — that IDE retrieval systems index and feed into AI prompts. Each artifact follows strict rules, such as removing vague adjectives, providing exact input/output examples, and explicitly stating what the package cannot do, to prevent AI models from hallucinating unsupported features. Inline documentation comments are written to specify exception types and failure modes, nudging AI assistants toward correct error-handling patterns rather than generic ones. The approach reflects a broader shift in package development, where authors must now optimize their code and documentation for both human developers and the AI agents assisting them.

0
ProgrammingDEV Community ·

Free API lets course providers issue tamper-proof certificates with one HTTP call

Novadyne has released Attestify, a free API that allows course providers and training programs to issue cryptographically signed completion certificates without requiring an account or API key. Each certificate is backed by a server-side record and an Ed25519 digital signature, making any alteration instantly detectable during verification. Recipients receive a permanent public verification URL that anyone — including employers — can open without creating an account or installing an app. The API integrates with automation tools like n8n and supports batch issuance for multiple recipients in a single request. Attestify positions itself as a lightweight alternative to full credentialing platforms, focusing solely on free, programmatic certificate issuance and public verification.

0
ProgrammingDEV Community ·

Tutorial: How to Build a Full CRUD API in Go Using Only the Standard Library

A developer tutorial published on DEV Community walks through building a complete CRUD API in Go without any third-party packages. The guide extends a previously built task API by adding PUT and DELETE HTTP method handlers alongside existing GET and POST functionality. Tasks are stored in memory using a Go slice, keeping the setup simple and database-free. The tutorial covers how the server matches incoming requests by HTTP method and updates or removes tasks based on a matching ID in the request body. By the end, readers are expected to understand how backend APIs manage resources through the four core CRUD operations.