The officially official Devuan Forum!

You are not logged in.

#1 2020-04-06 15:28:31

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Bound to happen ...

Hello:

Not that it matters too much to any of us here but ...

---
SystemD found to have code execution bug

A flaw in SystemD could potentially be exploited by a local attacker or malware to elevate their privileges to fully hijack a machine.

The bug, CVE-2020-1712, a heap use-after-free, was discovered and reported by Google's Tavis Ormandy, and fixed in upstream version v245-rc1. Depending on your Linux distro, you may or may not have a vulnerable version installed; check for updates. Red Hat Enterprise Linux 7 is unaffected, for example.
---

https://www.theregister.co.uk/2020/04/0 … y_roundup/
https://cve.mitre.org/cgi-bin/cvename.c … -2020-1712
https://www.openwall.com/lists/oss-secu … 20/02/05/1

Cheers,

A.

Offline

#2 2020-04-06 17:31:40

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Bound to happen ...

Damn, that's the first time I've caught Debian stable with an unfixed bug: https://security-tracker.debian.org/tra … -2020-1712

Oh dear sad

EDIT:

Altoid wrote:

SystemD

It's spelled "systemd" actually. Are you all doing that deliberately to wind me up? mad

Last edited by Head_on_a_Stick (2020-04-06 17:33:14)


Brianna Ghey — Rest In Power

Offline

#3 2020-04-06 18:22:27

golinux
Administrator
Registered: 2016-11-25
Posts: 3,316  

Re: Bound to happen ...

HoaS is an easy wind-up.  big_smile

Actually I suspect that this is the tip of the iceberg.

Used to be that the "wontfix" issues were listed on their stats page.  That went away a year or more ago.  No telling what's buried in there that will come to bite us.

Offline

#4 2020-04-06 18:43:19

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Bound to happen ...

Hello:

Head_on_a_Stick wrote:

It's spelled "systemd" actually.

No idea as I did not actually do any spelling ...
To avoid errors in transcription, I just did a copy/paste from the article at ElReg.

It was already spelt for me.

Head_on_a_Stick wrote:

Are you all doing that deliberately to wind me up?

Nah!
Wouldn't dream of it ...  8^D !!!

Cheers,

A.

Offline

#5 2020-04-06 18:43:29

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Bound to happen ...

golinux wrote:

HoaS is an easy wind-up.

I can't argue with that...

golinux wrote:

I suspect that this is the tip of the iceberg

Almost certainly given the ridiculous size of the codebase.


Brianna Ghey — Rest In Power

Offline

#6 2020-04-06 19:00:19

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Bound to happen ...

Hello:

golinux wrote:

... suspect that this is the tip of the iceberg.

Which one?
HoaS's windup or systemd?   8^D!

golinux wrote:

Used to be that the "wontfix" issues were listed ...
No telling what's buried in there that will come to bite us.

The won'tfix issues is my main and probably only issue with Linux/Linux maintenance.

They are the stuff problems down the line are made of, that end up festering in dark and unvisited corners of a distribution.
Till one day everything goes titsup because things that were not fixed in time because it seemed they did not matter were not properly evaluated.
And came back to bite, hard.

And then it is either too late or a real bitch to fix and get things back on track again.

Cheers,

A.

Offline

#7 2020-04-07 06:04:06

yeti
Member
From: I'm not here: U R halucinating
Registered: 2017-02-23
Posts: 334  

Re: Bound to happen ...

I just wrote some lines elsewhere about backdoors and dataleaks in phone apps and that I think that 99.674352% of the users care more about having always the newest and flashy toys than for their privacy and security.

Systemd is for this type of users.
And they are many.

I'm only waiting for systemd additionally forcing some app stores into the systems and I'm damn curios about Debian's reaction when Mr.P. tells Debian to ditch APT in favour of his packages system.

Mwhuaaahahahahahahaahahahaa...

Last edited by yeti (2020-04-07 12:07:07)


*𝚛𝚒𝚋𝚋𝚒𝚝!*

Offline

#8 2020-04-07 10:58:49

Dutch_Master
Member
Registered: 2018-05-31
Posts: 285  

Re: Bound to happen ...

I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether smile

Online

#9 2020-04-07 18:22:05

blackhole
Member
Registered: 2020-03-16
Posts: 106  

Re: Bound to happen ...

yeti wrote:

I just wrote some lines elsewhere about backdoors and dataleaks in phone apps and that I think that 99.674352% of the users care more about having always the newest and flashy toys than for their privacy and security.

Those are the "consumers"...  there was a time when "Linux" was aimed at a different kind of user and indeed worked on by a different kind of hacker, rather than a "developer" on the payroll of some fortune 500 corporation.

yeti wrote:

Systemd is for this type of users.
And they are many.

Windows is for that type of user and systemd is merely following the same path of adding more and more feature creep, complexity and attack surface, with zero regard for the things they simply don't care about and which don't fit the business ambitions of IBM/Red Hat.  As with gnome project, as far as systemd project is concerned, users are there as guinea pigs and to be spoonfed, restricted and steered - users in fact have sown the seeds of their own destruction over the last two decades, by simply accepting crap and "automagic" solutions from those who cater to laziness and ineptitude.  If someone is making it easy for you and the OS is "free", start questioning it.

Offline

#10 2020-05-10 01:16:56

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

Altoid wrote:

SystemD found to have code execution bug

A flaw in SystemD could potentially be exploited by a local attacker or malware to elevate their privileges to fully hijack a machine.

Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?

It is laughable when all systemD problems are thought as Pottering mistakes, he is just a general employee under control of RedHat and their sponsors  and can be replaced in a single day if they wanted, though it would not change anything.

What happens to users of systemD is a big agenda from far above its current developer.

Btw, it is my post number 42 tongue

Last edited by bimon (2020-05-10 01:36:43)

Offline

#11 2020-05-10 01:39:23

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

Dutch_Master wrote:

I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether smile

I am afraid he can obsolete non systemD distros in new kernels, at least while he gets his regular wage check from corporations.

Hopefully even current Linux kernel is enough for many years to avoid its any major upgrade. Windows XP survived for over 10 years without significant updates and even still yet it is used sometimes in 2020, though released in 2001.

Well and even if it happens we still have good BSD alternatives.

Most likely it would force migration of GNU distros to alternative kernels like kFreeBSD and combining BSD and adapted GNU Linux userspace  software in the same distributions.

Last edited by bimon (2020-05-10 06:17:00)

Offline

#12 2020-05-10 07:42:35

Dutch_Master
Member
Registered: 2018-05-31
Posts: 285  

Re: Bound to happen ...

bimon wrote:
Dutch_Master wrote:

I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether smile

I am afraid he can obsolete non systemD distros in new kernels, at least while he gets his regular wage check from corporations.

Torvalds is NOT paid by corporations, he's not on their payrolls. He's employed by a foundation and although they get donations from various corporations, that doesn't mean it'll do their bidding. For starters, Linus is too independently minded. Remember the finger he gave to nVidia? Then there's the "threat" (for want of a better word) of forking the kernel to keep such a patch out and thus non-systemd distro's alive. And IIRC Linus brought the entire kernel code (or at least his contributions, which are the core of the matter) under the GPLv3, which has a lot more restrictions on claiming IP for it by 3rd parties.

No, I'm not worried about Torvalds getting his arm up corporate bums. He's a geek and coder, not a career-technologist smile

Online

#13 2020-05-10 09:01:34

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Bound to happen ...

bimon wrote:

Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?

Vulnerabilities in UEFI and hard drive firmware operate below ring 0, the init system is irrelevant in those cases.


Brianna Ghey — Rest In Power

Offline

#14 2020-05-10 10:08:57

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

Head_on_a_Stick wrote:
bimon wrote:

Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?

Vulnerabilities in UEFI and hard drive firmware operate below ring 0, the init system is irrelevant in those cases.

systemD is only named "init system" just for marketing purposes to hide true (in)security hell promoted by it, IMHO actually systemD is much more like a second kernel running in parallel with general kernel and providing many new unified API for easy phoning home, remote control of many desktop program's data, etc.

More details are described here

Many spare/odd (if they would be without systemd) software processes are running, not desired ports listening, main kernel options silently changed without permission, may be something else unpredictable, it is like a living on a volcano.

If systemD would be just another init system, it would not take years from Devuan to throw it out of the distribution and replace with another true init system like OpenRC or any other like it.

https://web.archive.org/web/20200619111 … a-attempt/

Last edited by bimon (2020-07-04 21:20:11)

Offline

#15 2020-05-10 12:17:52

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

Dutch_Master wrote:
bimon wrote:
Dutch_Master wrote:

I'm still awaiting a kernel-patch from Mr Torvalds that obsoletes systemd altogether smile

I am afraid he can obsolete non systemD distros in new kernels, at least while he gets his regular wage check from corporations.

Torvalds is NOT paid by corporations, he's not on their payrolls. He's employed by a foundation and although they get donations from various corporations, that doesn't mean it'll do their bidding.
No, I'm not worried about Torvalds getting his arm up corporate bums. He's a geek and coder, not a career-technologist smile

It is how Linus was forced to accept kdbus into the kernel:

https://www.youtube.com/watch?feature=p … 2c8#t=1120

Another interesting notice:

Fact #4: The Linux Foundation pays Linus $10 million per year to continue his work on Linux.

https://web.archive.org/web/20200511045 … 8ac30076d/

Anyway I respect his work and efforts related to Linux very much, he is not guilty of how corporations rule this world.

Last edited by bimon (2020-05-11 05:05:18)

Offline

#16 2020-05-11 05:09:38

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

Head_on_a_Stick wrote:
bimon wrote:

Was not systemD introduced as a unification of hosts and their API and also as an easy method to pawn them and control from hardware agencies trojans too (virtualization bootkits in UEFI, boot storage controllers, may be injected by proprietary software like browsers, etc.) ?

Vulnerabilities in UEFI and hard drive firmware operate below ring 0, the init system is irrelevant in those cases.

Cannot they help to bring an invisible virtualization trojan for its further activation being just a storage for its body?

Add here https://flashrom.org/Flashrom code which can be used to reflash devices from any proprietary program like a fat browser or chat client if it was able to run as a root in the system by some type of exploit or by design during installing its services or suid its binaries.

Last edited by bimon (2020-05-11 07:42:30)

Offline

#17 2020-05-11 13:31:03

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

yeti wrote:

I'm only waiting for systemd additionally forcing some app stores into the systems and I'm damn curios about Debian's reaction when Mr.P. tells Debian to ditch APT in favour of his packages system.

Mwhuaaahahahahahahaahahahaa...

Would not it be easier to just provide a good discount for migration to Win10  lol

Last edited by bimon (2020-05-11 13:31:50)

Offline

#18 2020-05-26 15:06:12

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Bound to happen ...

blackhole wrote:

Those are the "consumers"...  there was a time when "Linux" was aimed at a different kind of user and indeed worked on by a different kind of hacker, rather than a "developer" on the payroll of some fortune 500 corporation.

Most likely OpenBSD is like a Linux 20 years ago in terms of its development style and partially its goals, but in addition to a different target audience there is also an outstanding security in the OpenBSD now.

Last edited by bimon (2020-06-05 01:07:25)

Offline

#19 2020-06-18 10:21:57

blackhole
Member
Registered: 2020-03-16
Posts: 106  

Re: Bound to happen ...

Dutch_Master wrote:

Torvalds is NOT paid by corporations, he's not on their payrolls. He's employed by a foundation and although they get donations from various corporations, that doesn't mean it'll do their bidding. For starters, Linus is too independently minded. Remember the finger he gave to nVidia? Then there's the "threat" (for want of a better word) of forking the kernel to keep such a patch out and thus non-systemd distro's alive. And IIRC Linus brought the entire kernel code (or at least his contributions, which are the core of the matter) under the GPLv3, which has a lot more restrictions on claiming IP for it by 3rd parties.

No, I'm not worried about Torvalds getting his arm up corporate bums. He's a geek and coder, not a career-technologist smile

Technically you're quite correct, but in the real world those paying for everything are always assumed to have ultimate control.

Not so long ago, Linux Foundation was writing about it's love of MS (one of the biggest) donors - and you have corporate reps sitting on the LF board of directors, etc.

While he's "independently minded" he also had to tone down his behaviour and introduce a CoC.

The kernel is GPL2. Torvalds alone can't change that and it's mostly developers on the payroll of the large companies who contribute to Linux signing off most commits these days.

Last edited by blackhole (2020-06-18 10:25:52)

Offline

Board footer