One-click remote code exploit in CD cue files affects most GNOME-based Linux distros

Yet another tiny, crucial piece of volunteer software begets a big problem.

https://arstechnica.com/information-technology/2023/10/one-click-remote-code-exploit-in-cd-cue-files-affects-most-gnome-based-linux-distros/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

CD-indexing cue files are the core of a serious Linux remote code exploit


Ars Technica
@arstechnica I really dislike the implication that if this were closed source/developed by a company for profit it would be less susceptible

@Theneilcace @arstechnica
Re the "vast amounts of technological infrastructure underpinned by tiny, unpaid projects", I don't see any mention of closed source being better - which is good, because closed source is logically less secure. I think the point is that larger, well-funded projects - and it's quite possible for them to be free and open source - are less risky.

(ctd...)

@Theneilcace @arstechnica

...
The article doesn't make it clear, but I think this is true to the extent that there is a larger pool of people to fix, test, build, integrate and ship the package. Not that such code is magically safer to start with, because bugs exist everywhere.

@JoeP @arstechnica it was the phrasing “yet again” and “volunteer software”. I’m not saying it’s not technically true, but I think the wording has a connotation that is not presenting the position in the most fair way.
I’m not an open source fanatic. The phrasing just really tweaked me.

@Theneilcace @arstechnica True, "volunteer" is not really representative of most such developers.