Matt  Feb 7, 2024
3657 Updates for openSUSE today. Wooboy.
Show threadFuchsiii~~~Feb 7, 2024
@thelinuxcast that means something was up with glibc again...
Show threadMatt  
@fuchsiii yup. There was a zeroday
Feb 7, 2024 at 5:40pmWeb
Show threadOS/1337Feb 7, 2024

@thelinuxcast @fuchsiii yes, a #0day affecting all versions since 1993.

Because #GlibC is a mess that constantly bricks stuff for no good reason - just like the #GNUtils

There's a reason why OS/1337 uses @musl and @landley 's #toybox.

Because #KISS principle rules!

#OS1337 #Linux

Show threadCassandrichFeb 7, 2024
@OS1337 @thelinuxcast @fuchsiii @musl @landley The "since 1993" claim looks very wrong. AIUI the vuln was introduced in a fix for another less severe vuln, and is quite new, no?
Show threadFuchsiii~~~Feb 7, 2024
@dalias @OS1337 @thelinuxcast @musl @landley yes 1993 is wrong it’s 1992
Show threadOS/1337Feb 7, 2024

@fuchsiii @dalias @thelinuxcast @musl @landley so even worse...

Because the first reads I've seen were 1993 but that's still horrible...

Show threadCassandrichFeb 7, 2024
@fuchsiii The article is just wrong. The 3 CVEs mentioned only affect 2.36+. They're probably talking about the supposed qsort issue, which is *not a glibc vuln* and not even a bug, just a lack of hardening against applications which invoke undefined behavior, but the article is so poorly written (possibly even a mix of AI drivel) it's hard to tell what they mean.
Show threadmirabilos🐈‍⬛Feb 7, 2024

@dalias @fuchsiii good call

(also, who writes GlibC?!?!?!)

Show threadmirabilos🐈‍⬛Feb 7, 2024
@dalias @fuchsiii the author’s bio is at about ⅓ chance of being AI crap, so not likely, but… the article…
Show threadCassandrichFeb 7, 2024
@mirabilos @fuchsiii I'm guessing real author who just copy&pasted from 🐈💨 output.
Show threadRob LandleyFeb 8, 2024

@OS1337 @thelinuxcast @fuchsiii @musl I'm not really thrilled with glibc's idea of "fixing" stuff either:

https://github.com/landley/toybox/pull/479

hwclock: fix the calls to settimeofday of glibc by ryanzmi · Pull Request #479 · landley/toybox

After glibc 2.31, the settimeofday function no longer accept setting the time and the offset together. If both of its two arguments are not null, the call will fail and return EINVAL. Therefore hwc...

GitHub
Show threadOS/1337Feb 8, 2024

@landley @thelinuxcast @fuchsiii @musl personally, I think #GlibC and anything #GNU / #FSF related (except maybe #GCC) is kinda unsalvageable at this point, and I'd rather use #enc and pipe some of it's functions as aliases into my #bash config than to waste my time manually fiddling with #GnuPG because I have more important things to do in my life than to accept bad Software and/or UX in my workflows, which is why I want a medical note certifying that I'm allergic to Windows so i've to never even see that shit in my life...

Sorry for the rant, but yeah, glibc and #GPG are a mess and I know some folks would prefer to be sentenced to lifetime forced labour on #Hurd instead...

https://github.com/life4/enc/?tab=readme-ov-file#encrypt
https://github.com/kkarhan/misc-scripts/blob/c9904b4249850f170ca5c2718374f7c6c2aa0e18/bash/.bash_aliases#L50

GitHub - life4/enc: 🔑🔒 A modern and friendly CLI alternative to GnuPG: generate and download keys, encrypt, decrypt, and sign text and files, and more.

🔑🔒 A modern and friendly CLI alternative to GnuPG: generate and download keys, encrypt, decrypt, and sign text and files, and more. - life4/enc

GitHub