Hello:
Not that it matters too much to any of us here but ...
---
SystemD found to have code execution bug
A flaw in SystemD could potentially be exploited by a local attacker or malware to elevate their privileges to fully hijack a machine.
The bug, CVE-2020-1712, a heap use-after-free, was discovered and reported by Google's Tavis Ormandy, and fixed in upstream version v245-rc1. Depending on your Linux distro, you may or may not have a vulnerable version installed; check for updates. Red Hat Enterprise Linux 7 is unaffected, for example.
---
https://www.theregister.co.uk/2020/04/0 … y_roundup/
https://cve.mitre.org/cgi-bin/cvename.c … -2020-1712
https://www.openwall.com/lists/oss-secu … 20/02/05/1
Cheers,
A.
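The article quoted above only says the fix landed upstream in v245-rc1 and that some distros ship vulnerable versions while others (RHEL 7) are unaffected. The following added example, which is not from the thread or from the systemd project, turns that into a quick local check: it parses the first line of `systemctl --version` and reports whether the upstream release predates 245. The function names and the sample version strings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or the systemd project): decide whether a
# systemd build predates the upstream fix for CVE-2020-1712 (fixed in v245-rc1),
# given the first line of `systemctl --version` output.
#
# Caveat: distributions backport security fixes without bumping the major
# version, so "vulnerable-upstream" means "upstream release older than 245",
# not "unpatched". Confirm against your distro's security tracker before acting.

FIXED_MAJOR=245   # first upstream release containing the fix (v245-rc1)

# systemd_major VERSION_LINE -> prints the numeric major release, or nothing
# if the line does not look like systemctl output.
# Sample inputs (constructed): "systemd 241 (241)", "systemd 245 (245.4-4ubuntu3.1)",
# "systemd 244 (244.3+)"; whatever follows the major number is discarded.
systemd_major() {
    printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p'
}

# check_version VERSION_LINE -> prints one of:
#   vulnerable-upstream  (major < 245, fix may or may not be backported)
#   fixed-upstream       (major >= 245)
#   unknown              (line not recognised, e.g. no systemd installed)
check_version() {
    major=$(systemd_major "$1")
    if [ -z "$major" ]; then
        echo unknown
    elif [ "$major" -lt "$FIXED_MAJOR" ]; then
        echo vulnerable-upstream
    else
        echo fixed-upstream
    fi
}

# Live check of the running system. On a machine without systemctl the
# pipeline yields an empty line and the verdict is "unknown".
live_line=$(systemctl --version 2>/dev/null | head -n 1)
printf 'systemd: %s -> %s\n' "${live_line:-<not found>}" "$(check_version "$live_line")"
```

Treat "vulnerable-upstream" as a prompt to look at the package changelog or the distro tracker (as HoaS does for Debian further down), not as proof of exposure: a backported fix keeps the old major number.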
Damn, that's the first time I've caught Debian stable with an unfixed bug: https://security-tracker.debian.org/tra … -2020-1712
Oh dear
EDIT:
SystemD
It's spelled "systemd" actually. Are you all doing that deliberately to wind me up?
Last edited by Head_on_a_Stick (2020-04-06 17:33:14)
Brianna Ghey — Rest In Power
HoaS is an easy wind-up.
Actually I suspect that this is the tip of the iceberg.
Used to be that the "wontfix" issues were listed on their stats page. That went away a year or more ago. No telling what's buried in there that will come to bite us.
Hello:
It's spelled "systemd" actually.
No idea as I did not actually do any spelling ...
To avoid errors in transcription, I just did a copy/paste from the article at ElReg.
It was already spelt for me.
Are you all doing that deliberately to wind me up?
Nah!
Wouldn't dream of it ... 8^D !!!
Cheers,
A.
HoaS is an easy wind-up.
I can't argue with that...
I suspect that this is the tip of the iceberg
Almost certainly given the ridiculous size of the codebase.
Brianna Ghey — Rest In Power
Hello:
... suspect that this is the tip of the iceberg.
Which one?
HoaS's windup or systemd? 8^D!
Used to be that the "wontfix" issues were listed ...
No telling what's buried in there that will come to bite us.
The wontfix issues are my main and probably only issue with Linux/Linux maintenance.
They are the stuff problems down the line are made of, that end up festering in dark and unvisited corners of a distribution.
Till one day everything goes titsup because things that were not fixed in time because it seemed they did not matter were not properly evaluated.
And came back to bite, hard.
And then it is either too late or a real bitch to fix and get things back on track again.
Cheers,
A.
I just wrote some lines elsewhere about backdoors and dataleaks in phone apps and that I think that 99.674352% of the users care more about having always the newest and flashy toys than for their privacy and security.
Systemd is for this type of users.
And they are many.
I'm only waiting for systemd additionally forcing some app stores into the systems and I'm damn curious about Debian's reaction when Mr.P. tells Debian to ditch APT in favour of his package system.
Mwhuaaahahahahahahaahahahaa...
Last edited by yeti (2020-04-07 12:07:07)
*𝚛𝚒𝚋𝚋𝚒𝚝!*
I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether
I just wrote some lines elsewhere about backdoors and dataleaks in phone apps and that I think that 99.674352% of the users care more about having always the newest and flashy toys than for their privacy and security.
Those are the "consumers"... there was a time when "Linux" was aimed at a different kind of user and indeed worked on by a different kind of hacker, rather than a "developer" on the payroll of some fortune 500 corporation.
Systemd is for this type of users.
And they are many.
Windows is for that type of user and systemd is merely following the same path of adding more and more feature creep, complexity and attack surface, with zero regard for the things they simply don't care about and which don't fit the business ambitions of IBM/Red Hat. As with gnome project, as far as systemd project is concerned, users are there as guinea pigs and to be spoonfed, restricted and steered - users in fact have sown the seeds of their own destruction over the last two decades, by simply accepting crap and "automagic" solutions from those who cater to laziness and ineptitude. If someone is making it easy for you and the OS is "free", start questioning it.
SystemD found to have code execution bug
A flaw in SystemD could potentially be exploited by a local attacker or malware to elevate their privileges to fully hijack a machine.
Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?
It is laughable when all systemD problems are thought of as Poettering's mistakes; he is just a regular employee under the control of RedHat and their sponsors and could be replaced in a single day if they wanted, though it would not change anything.
What happens to users of systemD is a big agenda from far above its current developer.
Btw, it is my post number 42
Last edited by bimon (2020-05-10 01:36:43)
I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether
I am afraid he can obsolete non systemD distros in new kernels, at least while he gets his regular wage check from corporations.
Hopefully even the current Linux kernel is enough for many years, avoiding any major upgrade. Windows XP survived for over 10 years without significant updates and is even still used sometimes in 2020, though released in 2001.
Well and even if it happens we still have good BSD alternatives.
Most likely it would force migration of GNU distros to alternative kernels like kFreeBSD and combining BSD and adapted GNU Linux userspace software in the same distributions.
Last edited by bimon (2020-05-10 06:17:00)
Dutch_Master wrote: I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether
I am afraid he can obsolete non systemD distros in new kernels, at least while he gets his regular wage check from corporations.
Torvalds is NOT paid by corporations, he's not on their payrolls. He's employed by a foundation and although they get donations from various corporations, that doesn't mean it'll do their bidding. For starters, Linus is too independently minded. Remember the finger he gave to nVidia? Then there's the "threat" (for want of a better word) of forking the kernel to keep such a patch out and thus non-systemd distros alive. And IIRC Linus brought the entire kernel code (or at least his contributions, which are the core of the matter) under the GPLv3, which has a lot more restrictions on claiming IP for it by 3rd parties.
No, I'm not worried about Torvalds getting his arm up corporate bums. He's a geek and coder, not a career-technologist
Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?
Vulnerabilities in UEFI and hard drive firmware operate below ring 0, the init system is irrelevant in those cases.
Brianna Ghey — Rest In Power
bimon wrote: Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?
Vulnerabilities in UEFI and hard drive firmware operate below ring 0, the init system is irrelevant in those cases.
systemD is only named "init system" just for marketing purposes to hide true (in)security hell promoted by it, IMHO actually systemD is much more like a second kernel running in parallel with general kernel and providing many new unified API for easy phoning home, remote control of many desktop program's data, etc.
More details are described here
Many spare/odd (if they would be without systemd) software processes are running, undesired ports are listening, main kernel options are silently changed without permission, maybe something else unpredictable; it is like living on a volcano.
If systemD would be just another init system, it would not take years from Devuan to throw it out of the distribution and replace with another true init system like OpenRC or any other like it.
https://web.archive.org/web/20200619111 … a-attempt/
Last edited by bimon (2020-07-04 21:20:11)
bimon wrote: Dutch_Master wrote: I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether
I am afraid he can obsolete non systemD distros in new kernels, at least while he gets his regular wage check from corporations.
Torvalds is NOT paid by corporations, he's not on their payrolls. He's employed by a foundation and although they get donations from various corporations, that doesn't mean it'll do their bidding.
No, I'm not worried about Torvalds getting his arm up corporate bums. He's a geek and coder, not a career-technologist
It is how Linus was forced to accept kdbus into the kernel:
https://www.youtube.com/watch?feature=p … 2c8#t=1120
Another interesting notice:
Fact #4: The Linux Foundation pays Linus $10 million per year to continue his work on Linux.
https://web.archive.org/web/20200511045 … 8ac30076d/
Anyway I respect his work and efforts related to Linux very much, he is not guilty of how corporations rule this world.
Last edited by bimon (2020-05-11 05:05:18)
bimon wrote: Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?
Vulnerabilities in UEFI and hard drive firmware operate below ring 0, the init system is irrelevant in those cases.
Can't they help to bring in an invisible virtualization trojan for later activation, being just a storage for its body?
Add here https://flashrom.org/Flashrom code, which can be used to reflash devices from any proprietary program like a fat browser or chat client if it was able to run as root in the system by some type of exploit, or by design while installing its services or suid binaries.
Last edited by bimon (2020-05-11 07:42:30)
I'm only waiting for systemd additionally forcing some app stores into the systems and I'm damn curious about Debian's reaction when Mr.P. tells Debian to ditch APT in favour of his package system.
Mwhuaaahahahahahahaahahahaa...
Wouldn't it be easier to just provide a good discount for migration to Win10?
Last edited by bimon (2020-05-11 13:31:50)
Those are the "consumers"... there was a time when "Linux" was aimed at a different kind of user and indeed worked on by a different kind of hacker, rather than a "developer" on the payroll of some fortune 500 corporation.
Most likely OpenBSD is like Linux 20 years ago in terms of its development style and partially its goals, but in addition to a different target audience there is also outstanding security in OpenBSD now.
Last edited by bimon (2020-06-05 01:07:25)
Torvalds is NOT paid by corporations, he's not on their payrolls. He's employed by a foundation and although they get donations from various corporations, that doesn't mean it'll do their bidding. For starters, Linus is too independently minded. Remember the finger he gave to nVidia? Then there's the "threat" (for want of a better word) of forking the kernel to keep such a patch out and thus non-systemd distros alive. And IIRC Linus brought the entire kernel code (or at least his contributions, which are the core of the matter) under the GPLv3, which has a lot more restrictions on claiming IP for it by 3rd parties.
No, I'm not worried about Torvalds getting his arm up corporate bums. He's a geek and coder, not a career-technologist
Technically you're quite correct, but in the real world those paying for everything are always assumed to have ultimate control.
Not so long ago, the Linux Foundation was writing about its love of MS (one of the biggest donors), and you have corporate reps sitting on the LF board of directors, etc.
While he's "independently minded" he also had to tone down his behaviour and introduce a CoC.
The kernel is GPL2. Torvalds alone can't change that and it's mostly developers on the payroll of the large companies who contribute to Linux signing off most commits these days.
Last edited by blackhole (2020-06-18 10:25:52)