Latest Comments by F.Ultra
Linux security flaws Dirty Frag and Copy Fail are a good reminder to stay up to date
9 May 2026 at 10:27 pm UTC Likes: 1
> Quoting: LoudTechie
> > Quoting: Caldathras
> > > Quoting: LoudTechie
> > > Tor-browser and if I remember correctly firefox have their own download folder sandboxing.
> >
> > Regarding Firefox, not to my knowledge. On my systems, Firefox defaults to my Download folder. No sandboxing that I'm aware of -- unless this is a feature I have to enable.
>
> Yeah it should default to your download folder, but can you look beyond it. Can you work in your document folder.
> Tor-browser maintains its own separate folder, but I thought firefox limited itself to only the download folder.
> Based on what you said I would assume the answer is no, but I still wanted to clarify what I meant.

Problem here though is that sandboxing will not protect against this. Sandboxing protects against malicious userspace or userspace code with open exploits in them IF and only IF there also are no privilege escalation vulnerabilities in the running kernel.
Linux security flaws Dirty Frag and Copy Fail are a good reminder to stay up to date
9 May 2026 at 5:15 pm UTC Likes: 5
> Quoting: anokasion
> Any Debian based Linux affected (I use MX-Linux with Liquorix kernel, it's not bleeding edge like Arch, but it's close):
> $ sudo lsmod | grep esp4
> okasion@tictac:~
> $ sudo lsmod | grep esp6
> okasion@tictac:~
> $ sudo lsmod | grep rxrpc
> okasion@tictac:~
> $ echo 3 | sudo tee /proc/sys/vm/drop_caches
> 3
> $ sudo update-initramfs -u -k all
> update-initramfs: Generating /boot/initrd.img-6.18.16-2-liquorix-amd64
> update-initramfs: Generating /boot/initrd.img-6.18.15-3-liquorix-amd64
> update-initramfs: Generating /boot/initrd.img-6.14.2-1-liquorix-amd64
> that's it, you're safe and the machine won't "forget" the changes when you reboot. It's practically the same Liam wrote with the generation of the kernels with the "fix".
> There's also a namespace vulnerability, but I don't recommend applying the fix for now, it mostly affects servers, and can break some browsers and/or Docker/Kubernetes, etc:
> sysctl kernel.unprivileged_userns_clone=0
> THIS vulnerability is the one that bothers me a little, I have (as probably many of you do) sysctl kernel.unprivileged_userns_clone=1 on my localhost, I use my computer 70% for dev, 30% for gaming, so it's important for me to be able to run XFCE, Firefox, Docker, Kubernetes, things like that.

Sorry but what you wrote is no fix at all, you simply checked if the module was currently loaded (and they won't be, the exploit however will dynamically load them in). What Liam wrote in the article was a rule to blacklist those modules so they are never loaded.
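Added example, not part of the original comments: the shell function below classifies how a modprobe.d-style directory treats each module named in the thread, which is the question `lsmod | grep` cannot answer. The function names, the sample file name and its rules are constructed for illustration; the rule from the article is not reproduced on this page.

```shell
#!/bin/sh
# Added example (not from the original comment). Classifies how a
# modprobe.d-style directory treats a module, independent of lsmod output:
#   blocked     - "install <mod> /bin/false|/bin/true": every modprobe fails
#   blacklisted - "blacklist <mod>": alias-based autoload is ignored, but
#                 loading the module by name still works
#   loadable    - no rule; the module can be pulled in on demand
module_policy() {
    mod=$1
    dir=$2
    # Read every .conf file; an empty or missing directory yields no rules.
    rules=$(cat "$dir"/*.conf 2>/dev/null || true)
    if printf '%s\n' "$rules" | grep -Eq \
        "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)[[:space:]]*\$"; then
        echo blocked
    elif printf '%s\n' "$rules" | grep -Eq \
        "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*\$"; then
        echo blacklisted
    else
        echo loadable
    fi
}

# Constructed sample configuration; the file name is hypothetical.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/example-block.conf" <<'EOF'
# constructed sample rules
install esp4 /bin/false
blacklist esp6
# install rxrpc /bin/false   (commented out, so not in effect)
EOF
    echo "$d"
}

# Report the policy for the three modules named in the thread.
sample=$(make_sample_dir)
for m in esp4 esp6 rxrpc; do
    printf '%s: %s\n' "$m" "$(module_policy "$m" "$sample")"
done
rm -rf "$sample"
```

On a real system, pass `/etc/modprobe.d` as the directory; an empty `lsmod` result next to `loadable` means the module can still be loaded on demand.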
Linux security flaws Dirty Frag and Copy Fail are a good reminder to stay up to date
8 May 2026 at 5:45 pm UTC Likes: 3
> Quoting: Ehvis
> > Quoting: Eike
> > > Quoting: Maki
> > > Note that both vulnerabilities are for a local user to gain root access.
> >
> > Isn't that what privilege escalation is all about?
> > You got to local user, then you enhance your rights and become root.
> > I mean, it's not like "local user" means someone has to sit at your keyboard...
>
> No, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.

Not only for multi-user systems because if you combine this with an exploit in any userland programs that you use (say Firefox) or some daemon that accepts incoming connections from the outside (say sshd or apache) then an attacker will first gain local access over a network through that exploit and then use this exploit to gain root.
Ubuntu 26.04 ('Resolute Raccoon') LTS is out now
27 Apr 2026 at 11:11 pm UTC Likes: 1
> Quoting: leinad965
> > Quoting: Penguin
> > Reminder that PipeWire is now a Snap, so if you remove snapd, your system will be completely silent. I found that amusingly funny 😆
> > But seriously: packaging PipeWire as a Snap makes no sense to me. I'm not an expert though, so take my opinion with a grain of salt.
>
> Mountain of salt. Pipewire is installed as a deb package not as Snap. It was discussed, but not implemented.

I would say that one reason is the sandboxing and containering that snap would enable for a piece of software that does decoding and encoding of lots of different audio and video formats, formats that historically are filled with security holes in their implementation.
Ubuntu 26.04 ('Resolute Raccoon') LTS is out now
26 Apr 2026 at 3:22 pm UTC Likes: 1
> Quoting: ranger671
> ... I only ask you to wonder why?...

For the simple reason that RUST (and I say this as a die hard C developer) contrary to every other language out there has the potential to give security assurances of the resulting binaries. And having those assurances in the core set of utilities is a good thing.
Secondly since these are new implementations while the old GNU ones are extremely conservatively coded, they can use new and modern algorithms to make these utilities much much faster. For most users this will be an insignificant benefit but for some heavy script users there can be quite huge benefits.
Now the main issue is that some of these utilities are not 100% feature complete yet, but then if no one will ever put them into a distribution then the road to get there will be even longer.
The change of license is highly unfortunate but is something the upstream developers of these utilities decided to do.
New US Congress bill proposal requires all operating system providers to verify ages
15 Apr 2026 at 2:29 pm UTC Likes: 1
> Quoting: UltraViolet
> > Quoting: F.Ultra
> > > Quoting: hardpenguin
> > > This is insane, impractical, and unenforceable under any normal circumstances. What, we want to prevent minors from using technology now? For what purpose? It doesn't make any sense at all.
> >
> > For what purpose one can speculate, all we know is that this is due to lobbying from Meta who have spent over $2bn on lobbying efforts for this specifically.
>
> Who can then continue to abuse their users, as age-gating will not be in their control (how convenient)

I would always assume that there is money involved. This whole talk about it being implemented for government control falls IMHO quite flat since Palantir reared its ugly head, with Palantir the Govmnt already have all info and all control.
The same is true for the ChatControl 2.0 legislation that they want to implement here in the EU (thankfully the parliament have watered it down quite well and right now it is in a form of limbo) which can be traced back to Thorn (owned by Ashton Kutcher and Demi Moore) who sells the software needed to implement it in its original form and CC2.0 was put forward just days after Ashton had a meeting with then Swedish EU Commissioner Ylva Johansson.
Apple and MS joyfully jump on the age verification train (AFAIK Apple already have complete implementation of this) in order to put Linux at shame.
New US Congress bill proposal requires all operating system providers to verify ages
15 Apr 2026 at 12:37 pm UTC Likes: 10
> Quoting: hardpenguin
> This is insane, impractical, and unenforceable under any normal circumstances. What, we want to prevent minors from using technology now? For what purpose? It doesn't make any sense at all.

For what purpose one can speculate, all we know is that this is due to lobbying from Meta who have spent over $2bn on lobbying efforts for this specifically.
A future Wine release could use Zink to run OpenGL via Vulkan
4 Apr 2026 at 12:30 am UTC Likes: 1
> Quoting: whizse
> > Quoting: F.Ultra
> > are we 100% sure? The MR consists of 15 commits done one month ago which all seem to be legit and in fact does bring in zink
>
> 50% sure! From the comments: "This MR was meant mostly as a half joke for April fool's day, but it works and I think it might be an interesting solution overall."

So a half joke :)
A future Wine release could use Zink to run OpenGL via Vulkan
2 Apr 2026 at 7:02 pm UTC Likes: 2
> Quoting: BabaoWhisky
> Congrats, it was an April fools joke PR.

are we 100% sure? The MR consists of 15 commits done one month ago which all seem to be legit and in fact does bring in zink
Performing Right Society (PRS) sues Valve over video game music
14 Mar 2026 at 9:41 am UTC Likes: 1
> Quoting: Cloversheen
> > Quoting: F.Ultra
> > They actually do (to some extent), if you are a songwriter you have to register each work you create to PRS. Organizations that then pay license to PRS have to also track which song is played so the payouts are actually divided per how much your music was played.
>
> How much of this is "in theory"?
> Because that seems like an (in reality) impossible task outside planned organised events like a music festival.

I guess that they use different approaches for different venues. Looking at their own website they claim to use "advanced algorithms" for public venues, hopefully that is a bit better than $RANDOM :). I do know that their local equivalent here in Sweden (STIM) gets complete playlists from e.g. radio channels due to me having helped out to create an automated database for that for a local radio station years ago.