It's very cute how everyone's like "THIS DOESN'T AFFECT LINUX SERVERS, WHAT A NOTHING BURGER"
-
And then half of those same people turn around and go "THIS IS THE YEAR OF LINUX ON DESKTOP!!"
Yeah? You sure about that?
Love to have a community with a rampant, raging disregard for users try to at the same time turn around and court said users. Really makes you feel good about The Year of Linux on Desktop.
I'm not sure there's anything Apple/Microsoft could do to lose with enemies like these.
-
Hector Martin replied to Björkus "No time_t to Die" Dorkus
@thephd To be fair as far as I can tell Fedora doesn't even ship with cups-browsed enabled by default, nor the firewall hole to allow it inbound UDP.
And then the whole thing is remote code execution... as the lp user. Which on any reasonably configured system shouldn't be able to do things like read your home directory.
And you need to actually print to the printer to trigger it.
If it doesn't affect servers, and it only affects some desktop distros, and it needs user action (and a user action that isn't that common these days), and it's highly unlikely to be triggerable remotely for most desktop systems (firewalled or NATed) so you need LAN access, and at the end of the day it's only code execution as a limited privileges system user... then yeah, it pretty much qualifies as a nothingburger.
Distros will patch this, desktop users will update their system (happens a lot more consistently than servers), and life will move on with most likely zero exploited users.
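A defender-side check for the exposure factors listed in the post above (cups-browsed enabled, UDP/631 reachable from the LAN, a firewall hole for it), added here as an example and not part of the thread. It assumes a systemd host with `ss` and firewalld; the parsing functions work on captured output, so they can also be run against text pasted from another machine.

```shell
#!/bin/sh
# Added example, not code from the thread: classify cups-browsed exposure
# from the three factors discussed above. Assumes systemd, `ss`, firewalld.

# 0 if the supplied `ss -ulnp` output shows UDP/631 bound on every interface
# (0.0.0.0, [::] or *), i.e. cups-browsed would accept LAN traffic.
udp631_wide_open() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):631$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if the supplied `firewall-cmd --list-ports` output (space separated
# port/proto tokens) opens 631/udp inbound. Caveat: a port opened through a
# firewalld service definition (e.g. "ipp") is not listed here.
firewall_allows_udp631() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx '631/udp'
}

# Combine the factors into one verdict.
#   $1 = cups-browsed unit state (enabled|disabled|...)
#   $2 = captured `ss -ulnp` output
#   $3 = captured `firewall-cmd --list-ports` output
# Prints: not-running | local-only | firewalled | lan-reachable
exposure() {
    [ "$1" = "enabled" ] || { echo not-running; return; }
    udp631_wide_open "$2" || { echo local-only; return; }
    firewall_allows_udp631 "$3" && echo lan-reachable || echo firewalled
}

# Live run on this host: ./cups_exposure.sh --check
if [ "${1:-}" = "--check" ]; then
    state=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
    exposure "${state:-disabled}" "$(ss -ulnp 2>/dev/null)" \
        "$(firewall-cmd --list-ports 2>/dev/null || true)"
fi
```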
-
✧✦✶✷Catherine✷✶✦✧ replied to Hector Martin
-
Hector Martin replied to ✧✦✶✷Catherine✷✶✦✧
@whitequark @thephd My understanding is the target command is executed as the lp user after dropping privileges. It's not some deep CUPS vuln causing an unexpected RCE, it's largely functionality that is Working Insecurely As Intended and a couple stupid logic bugs that fail to stop it from actually being exploitable.
-
✧✦✶✷Catherine✷✶✦✧ replied to Hector Martin
-
✧✦✶✷Catherine✷✶✦✧ replied to ✧✦✶✷Catherine✷✶✦✧
-
Jan Wildeboer 😷:krulorange: replied to ✧✦✶✷Catherine✷✶✦✧
@whitequark @marcan @thephd @till On which OS? Ubuntu? Debian? RHEL?