334
submitted 2 months ago by Flax_vert@feddit.uk to c/selfhosted@lemmy.world
you are viewing a single comment's thread
view the rest of the comments
[-] Mondez@lemdro.id 58 points 2 months ago

This disclosure has been rushed for the views and hype IMO, none of the big distros had fixes ready to go on this this morning.

[-] purplemonkeymad@programming.dev 14 points 2 months ago

Yea I didn't think the post was that professional. Also the "unminified" version is just the minified with more white space. It still has poor names and no explanation of the binary blob.

[-] jj4211@lemmy.world 2 points 2 months ago

Looking at the binary blob, it's a payload to assume privileges as possible and exec sh. So replace su with that and the binary gets to use su's filesystem privileges without needing access to actually write it.

The vulnerability part is when the door opens to replace any file's read cache with arbitrary content. The binary payload is just an obvious example of the sort of payload that could do a ton of damage.

[-] WhyJiffie@sh.itjust.works 1 points 2 months ago

tbh they could have boasted even less bytes by just having everything in a zlib.decompress()

[-] ShortN0te@lemmy.ml 5 points 2 months ago

The patches where proposed over a month ago and the patch to the kernel was commited on 1th of April.

Either the Vulnerability was not proper communicated to the distro maintainers or they were the ones sleeping.

This was probably executed as a responsible discllsure where clear timelines and release dates get communicated from the beginning.

I find it hard to blame the security team here when there was 1 month of time between first commited patch and release of the PoC.

[-] WhyJiffie@sh.itjust.works 6 points 2 months ago

and the patch to the kernel was commited on 1th of April.

are you sure? what I have seen in git patch dates is 11th for the unreleased 7.0, and yesterday for the LTS versions

[-] ShortN0te@lemmy.ml 2 points 2 months ago
[-] WhyJiffie@sh.itjust.works 3 points 2 months ago

the debian cve tracker also links to that page, but they have written 7.0-rc7 besides it.

https://security-tracker.debian.org/tracker/CVE-2026-31431

the openwall link has some comments that talk about the delayed patches, Greg KH also commented.

[-] ShortN0te@lemmy.ml 2 points 2 months ago

7.0-rc7 is probably due to the 7.0 release early mid april. So the fix was in the mainline on 1st of April. The commit on 11th from GKH was probably due to the release.

I am not that familiar with the commit and release structure to get more into detail. But to me it clearly looks like the statement on copy.fail is correct, that the fix was in mainline on 1st of April.

From my point of view, I would suggest that maybe the communication downstream to the distros was not handled that well? But who would be to blaim? The researches that would need to communicate this issue to most existing distros? Linux maintainers? Distro maintainers?

Hard to say, without knowing the communication of the related mailinglists and disclousre etc.

this post was submitted on 30 Apr 2026
334 points (98.3% liked)

Selfhosted

60526 readers
695 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS