Default external media mount location seems to have changed in 26.04 #mount #harddrive #filesystem #2604

https://askubuntu.com/q/1567532/612

In Ubuntu versions previous to 26.04 the default mount point for automatically mounted removable media (by GNOME?), like USB drives, external HDDs, SD cards, etc., was something like /media/<use...

Ask Ubuntu

I spent a whole blog post doing #ZFS on-disk math by hand - just to corrupt one byte and watch the #OpenZFS healing process.

Interested?

Feel free to join the journey into the on-disk jungle.

https://oshogbo.com/blog/90/

#storage #FreeBSD #Linux #Storage #Filesystem

Corrupting a ZFS File on Purpose

Most of the time, the whole point of ZFS is that your data does not get corrupted. But during development you sometimes need the opposite: a controlled, reproducible corruption, so you can watch self-healing kick in, see what a scrub reports, or just understand how a file maps onto the physical disk. There is no better exercise than breaking one byte on purpose and seeing ZFS notice.

oshogbo//vx

oss-security - CVE-2025-70116: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on truncated MP4 input

#scary #ai #video #rewardhacking when #ai finds unwanted ways to score higher, whoever grants #AI such #powers like calling other tools like #ssh or full #filesystem #access is indeed acting #irresponsible #openclaw in a #terminator scenario it is most likely an evil human giving the order for #robots to kill, not #AI because #freewill of #AI is still #scifi https://dwaves.de/2026/06/04/a-conversation-with-claude-sonnet-4-6-ai-and-free-will-maybe-in-2050-but-there-is-reward-hacking/

🚨 NEWS: Linux for developers: filesystem navigation, permissions and basic commands - Operational guide

Here are the key points in brief:
💡 If you are a developer or a sysadmin just starting out, the Linux terminal can look like a hostile wall of text. We see it every day in the projects that come to us: developers who on WordPress know...

🚀 LINK: https://meteoraweb.com/analisi-dei-dati-e-metriche/linux-per-sviluppatori-navigazione-filesystem-permessi-e-comandi-base-guida-operativa

#linux #permessi #sviluppatori #comandiBase #filesystem

Can someone be kind enough to explain why "everything is a file" is such a GREAT idea that LITERALLY EVERYONE keeps hyping it up?

I'm literally losing my mind here trying to understand what makes it so great.

#linux #unix #posix #filesystem #filedescriptors #unixphilosophy

Security Advisory: CVE-2025-70101 - Out-of-Bounds Read in lwext4

When traversing the extent tree of a crafted EXT4 image, lwext4 reads past the valid extent index array in ext4_ext_binsearch_idx() due to missing validation of extent header fields, causing a segmentation fault.

Summary:
ext4_ext_binsearch_idx() in ext4_extent.c performs a binary search over extent index entries using pointers derived from the EXT_FIRST_INDEX and EXT_LAST_INDEX macros. These macros compute bounds directly from the eh_entries and eh_depth fields of the extent header without verifying their consistency. A crafted image can encode zero eh_entries alongside a non-zero eh_depth, causing the macros to return invalid pointers and the binary search at line 815 to read outside the allocated buffer. The fault is triggered during directory iteration via ext4_find_extent() and ultimately ext4_dir_entry_next().

CWE:
CWE-125 - Out-of-Bounds Read

Affected Component:

```
src/ext4_extent.c:815
Function: ext4_ext_binsearch_idx()

src/ext4_extent.c:896
Function: ext4_find_extent()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for mounting and directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The out-of-bounds read causes an immediate process crash (SEGV on READ at address 0x521000062a28), resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/91
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/3/sig11_lwext4_ext4_extent_815
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem
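
The header consistency check the advisory above says was missing, as an added example that is not lwext4's code or the v1.0.1 patch. It assumes the standard ext4 on-disk layout (12-byte header, 12-byte index entries); the function names, error codes and sample nodes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define EXT_MAGIC 0xF30Au /* ext4 extent header magic */
#define HDR_SZ    12u     /* on-disk header: magic, entries, max, depth, generation */
#define ENT_SZ    12u     /* index entry: ei_block, ei_leaf_lo, ei_leaf_hi, unused */
#define MAX_DEPTH 5u      /* depth limit used by the Linux ext4 driver */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Reject a node whose header disagrees with the buffer, the expected depth, or itself. */
int ext_hdr_check(const uint8_t *buf, size_t len, unsigned depth)
{
    if (buf == NULL || len < HDR_SZ) return -1;
    uint16_t entries = rd16(buf + 2), max = rd16(buf + 4);
    if (rd16(buf) != EXT_MAGIC) return -2;
    if (rd16(buf + 6) != depth || depth > MAX_DEPTH) return -3;
    if (max == 0 || max > (len - HDR_SZ) / ENT_SZ) return -4; /* array must fit the buffer */
    if (entries > max) return -5;
    if (depth > 0 && entries == 0) return -6; /* the advisory's case: empty index node */
    return 0;
}

/* Find the child block covering lblock in an index node; searches only after the check. */
int ext_idx_search(const uint8_t *buf, size_t len, unsigned depth, uint32_t lblock, uint64_t *leaf)
{
    int rc = ext_hdr_check(buf, len, depth);
    if (rc != 0) return rc;
    if (depth == 0) return -7; /* leaf nodes hold extents, not index entries */
    size_t lo = 0, hi = rd16(buf + 2); /* entry lo is the current best match */
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (rd32(buf + HDR_SZ + mid * ENT_SZ) <= lblock) lo = mid; else hi = mid;
    }
    const uint8_t *e = buf + HDR_SZ + lo * ENT_SZ;
    *leaf = rd32(e + 4) | ((uint64_t)rd16(e + 8) << 32);
    return 0;
}

/* Constructed samples: a depth-1 node indexing blocks 0 and 100 (children 0x10, 0x20),
 * and a node with eh_entries = 0 but eh_depth = 1. */
const uint8_t good_node[60] = { 0x0A,0xF3, 2,0, 4,0, 1,0, 0,0,0,0,
    0,0,0,0, 0x10,0,0,0, 0,0,0,0,   100,0,0,0, 0x20,0,0,0, 0,0,0,0 };
const uint8_t bad_node[60] = { 0x0A,0xF3, 0,0, 4,0, 1,0 };
```

The `depth` argument is the level the caller expects from the parent node, so a child that claims a different depth is rejected before any entry is read.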

Security Advisory: CVE-2025-70100 - Divide By Zero in lwext4

When mounting or parsing a specially crafted EXT4 image that encodes a zero logical block size, lwext4 passes the invalid value into ext4_block_set_lb_size(), which performs arithmetic without validation and triggers a divide-by-zero crash.

Summary:
ext4_mount() reads the logical block size from the filesystem superblock and forwards it directly to ext4_block_set_lb_size() in ext4_blockdev.c. ext4_block_set_lb_size() uses lb_size in a division at line 127 without a prior zero-check, so a crafted image that encodes lb_size == 0 causes a Floating Point Exception. The process terminates immediately; under standard builds a SIGFPE is raised, under ASan the signal is intercepted and reported as FPE on address 0x55f254cc29e9.

CWE:
CWE-369 - Divide By Zero

Affected Component:

```
src/ext4_blockdev.c:127
Function: ext4_block_set_lb_size()

src/ext4.c:421
Function: ext4_mount()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for mounting or image processing. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The divide-by-zero causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/90
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/2/sig8_2_lwext4_ext4_blockdev_c_127
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem
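
A block-size setter that validates before dividing, as an added example for the advisory above; it is not lwext4's code or the v1.0.1 patch. The struct, field names and function name are hypothetical, and the 1 KiB to 64 KiB power-of-two range is the block-size range of the ext4 format.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified block-device state (not lwext4's struct). */
struct blockdev {
    uint32_t ph_bsize;  /* physical block size reported by the driver */
    uint32_t lg_bsize;  /* logical (filesystem) block size from the superblock */
    uint64_t part_size; /* partition size in bytes */
    uint64_t lg_bcnt;   /* logical block count, derived by division */
};

static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Accept an image-supplied logical block size only if every later division is safe.
 * On rejection the device state is left untouched and EINVAL is returned. */
int blockdev_set_lb_size(struct blockdev *bd, uint32_t lb_size)
{
    if (bd == NULL)
        return EINVAL;
    /* Zero fails is_pow2(), so it never reaches the divisions below. */
    if (!is_pow2(lb_size) || lb_size < 1024u || lb_size > 65536u)
        return EINVAL;
    /* The logical block must be a whole number of physical blocks. */
    if (bd->ph_bsize == 0 || lb_size % bd->ph_bsize != 0)
        return EINVAL;
    bd->lg_bsize = lb_size;
    bd->lg_bcnt = bd->part_size / lb_size;
    return 0;
}
```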

Security Advisory: CVE-2025-70099 - NULL Pointer Dereference in lwext4

When parsing a specially crafted EXT4 filesystem image with malformed directory entries, lwext4 dereferences a NULL directory entry pointer in ext4_dir_en_get_name_len(), causing a segmentation fault.

Summary:
The inline helper ext4_dir_en_get_name_len() in ext4_dir.h reads the name_len field from a directory entry struct without first validating that the entry pointer is non-NULL. During directory iteration via ext4_dir_entry_next(), processing of a corrupted EXT4 image can produce a NULL (or near-NULL) entry pointer. The subsequent dereference of en->name_len at line 126 triggers a READ access at address 0x6 and crashes the process.

CWE:
CWE-476 - NULL Pointer Dereference

Affected Component:

```
include/ext4_dir.h:126
Function: ext4_dir_en_get_name_len()

src/ext4.c:3233
Function: ext4_dir_entry_next()
```

Affected Product:
lwext4 (Lightweight EXT4 filesystem library)

Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.

Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for parsing or directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.

Impact:
The NULL pointer dereference causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.

Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.

References

- Issue: https://github.com/gkostka/lwext4/issues/89
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1

Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov

#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #EXT4 #lwext4 #filesystem