if you work with linux in production roles, you probably want to cancel any fun things you had planned for September 30th and make sure your snack cupboard is well-stocked
@rmi fucks. What's up? I'm sick and so is my team so please tell me in small words.
@Br3nda @aurynn Initial disclosure of a high-CVE RCE vulnerability.
@rmi @Br3nda @aurynn Is that the evilsocket one? if so it's possible it's CUPS related, so probably NOT that big a deal if you don't have it exposed/it isn't a print server.
@kyhwana @rmi @Br3nda @aurynn heh cups was one of my guesses, the other two being systemd and systemd… looked at that a bit yesterday or so
@mirabilos @kyhwana @Br3nda @aurynn we are extremely overdue for the seismic systemd event that will destroy the world
@rmi @mirabilos @kyhwana @aurynn
An amazon Linux version of this would be rather dramatic
@Br3nda @mirabilos @kyhwana @aurynn I’ve been looking for an excuse to end this life of crime and start a dog sanctuary
@rmi @mirabilos @kyhwana @Br3nda @aurynn
And here I thought an Alpine fault was going to take us out first.
(containerised or not)
@DrCuriosity @mirabilos @kyhwana @Br3nda @aurynn grownup standard library raises the bar a bit
Thread by @evilsocket on Thread Reader App

@evilsocket: * Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago. * Full disclosure happening in less than 2 weeks (as agreed with devs). * Still no CVE assigned (there should be at...…

@rmi do we know if that’s the first “30 September” (ie in Aotearoa) or the second “30 September” (ie in the USA)?

I’ve been assuming it would be the second one, ie 1 October here. (I’ve also been assuming it’s being overhyped, but might require prompt patching anyway.)

@ewenmcneill Pretty sure it’s 1 October in civilised countries, modulo the slight overlap.

@rmi turns out they *really* meant 2024-09-27.

It seems that hyping up that you have a secret for days doesn’t reduce the chances of people guessing the secret 🤯 (Especially when you confirm the guess by publicly linking to the commit!?!)

Anyway if you happen to have CUPS installed you might want to look out for vendor patches and install them at some point.

https://github.com/OpenPrinting/cups-browsed/issues/36
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/index.html

Review locking/multi-threading implementation · Issue #36 · OpenPrinting/cups-browsed

According to @evilsocket, cups-browsed can be held up for an extended period of time: The lock acquired here doesn't get unlocked until the IPP server has responded. A malicious IPP server can keep...

GitHub
@rmi Wouldn't it be fun if it affects Android phones?
@vik @rmi sure would be a hoot.
@lightweight @rmi For Apple device owners anyway.
@vik @rmi I have little doubt their time will come. Plus they have the constant ignominy of being ripped off for every aspect of their digital existence, and comprehensively locked in - esp. everything related to the AppStore.
@rmi I’ll get extra popcorn
@rmi …what is happening on sep 30?
@rmi If it is indeed CUPS, it seems it arrived early; there's RCE warnings all over my feeds this morning.