
this is why you don't contact distro mailing lists. responsible disclosure is dead.


At present it looks to me like the embargo was broken by someone identifying the patch as fixing a vulnerability, not someone leaking the mailing list.

More information may come out, or I might be missing something, but assuming that the above is accurate, this isn't a problem with responsible disclosure or mailing list opsec; it's a problem with the nature of open source. Right? Or are folks seriously proposing that the patch/mitigations should have been circulated to distro maintainers privately before going to mainline?


> Or are folks seriously proposing that the patch/mitigations should have been circulated to distro maintainers privately before going to mainline?

I always assumed that distro maintainers got early access to patches before going mainline but maybe that’s not true?


to which distros? how do you ensure fairness? Do you report this to the maintainer of Red Star OS (north korea)?

The kernel security team was given the heads up a month ago. At that point it is their decision.


There are channels like the distro security mailing list https://oss-security.openwall.org/wiki/mailing-lists/distros for this purpose.


so what? we should never disclose anything? this will only result in companies suppressing disclosure and leaving vulnerabilities unpatched.


are you sure containerization would be more secure? this is also a rootless podman escape. the lesson here is to not give random people shell access to your systems.


No, I meant that I'd resisted doing anything with Docker for its entire existence and just finally gave in and started messing with podman.

I have amazing timing.


this is because the `su` binary is replaced with x86 shellcode; replace it with aarch64 and it will work just the same.


there is a PoC floating around for Alpine.


it's advertising their AI, not the talents of their humans :D


People are confusing the presentation layer with the content, just a surface layer analysis. Basically people are feeling so burnt by reading AI fluff that they make a rushed judgement.


Writing something by hand requires effort and signals seriousness. It's not unreasonable to take things less seriously when they come wrapped in low-effort packaging.


Sometimes that effort is better spent on other things.


It's not the effort or the lack thereof here that's the issue, but rather the message you're sending by using slop tools to create the design of the advertisement of your research. It looks cheap.

I'm sure that, at first glance, many more people would take this much more seriously had the authors gone with a style-less HTML page or something, and that'd require _less_ effort, not more.


I have heard this logic before, defending over-engineering the looks to hide a brittle backend. Both sides look very entrenched in their positions. I lean more towards having a solid backend and see the polished frontend as a waste of effort, but I understand your logic of seeing it as professionalism. My point is that you are not sending only one message by using a cheap slop static html: some will see lazy and cheap people, some will see people focusing on the real thing with no time or willingness to make shiny sites.


You can make a simple and serious website pretty easily now. Don’t need the shiny part


i mean, it doesn't work on any SELinux, but it's still quite severe anyhow


Have you got any info about this? 'seinfo -c' shows there is an alg_socket class. I presume this permission is required to be able to create an AF_ALG socket:

    $ sesearch -A -c alg_socket -p create
    allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
    allow container_device_plugin_init_t container_device_plugin_init_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_device_plugin_t container_device_plugin_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_device_t container_device_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_engine_t container_engine_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_init_t container_init_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_kvm_t container_kvm_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_logreader_t container_logreader_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_logwriter_t container_logwriter_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_userns_t container_userns_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow openshift_app_t openshift_app_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow openshift_t openshift_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow spc_t unlabeled_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow staff_t staff_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
    allow sysadm_t sysadm_t:alg_socket { accept append bind connect create getopt ioctl listen lock read setattr setopt shutdown write };
    allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
    allow user_t user_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
... that's a lot of domains, including container_t and user_t; and obviously anything unconfined_t can't be expected to be restricted.

(Maybe you & others are specifically thinking of Android's policy?)
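The comment above answers the SELinux question by reading `sesearch` output by eye. As an added example (not the commenter's code, and not part of the thread), here is a small audit script that parses `allow` rules in the format `sesearch -A -c alg_socket -p create` prints, lists which source domains hold `create` (or any other permission) on `alg_socket`, and flags the ones outside an allowlist you supply. The sample rules are copied from the output quoted above; the allowlist and the `live_sesearch` helper, which shells out to setools if it is installed, are assumptions for illustration.

```python
"""Audit which SELinux source domains may create AF_ALG sockets, from sesearch output."""
import re
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: a subset of the sesearch output quoted in the comment above.
SAMPLE_SESEARCH_OUTPUT = """\
$ sesearch -A -c alg_socket -p create
allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow staff_t staff_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow user_t user_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
allow spc_t unlabeled_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
"""

# One allow rule per line: "allow SRC TGT:CLASS { p1 p2 ... };" or "allow SRC TGT:CLASS perm;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>[^\s{]+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;$"
)


def parse_allow_rules(text: str) -> List[Dict[str, object]]:
    """Return one dict per allow rule; prompt echoes, blank and non-allow lines are skipped."""
    rules: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = ALLOW_RE.match(raw.strip())
        if not m:
            continue
        perms: Set[str] = (
            set(m.group("perms").split()) if m.group("perms") is not None else {m.group("perm")}
        )
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perms})
    return rules


def domains_allowing(rules: List[Dict[str, object]], cls: str, perm: str) -> List[str]:
    """Sorted source domains (or attributes) granted `perm` on class `cls`."""
    return sorted({str(r["src"]) for r in rules if r["cls"] == cls and perm in r["perms"]})


def unexpected_domains(rules: List[Dict[str, object]], cls: str, perm: str,
                       allowlist: Iterable[str]) -> List[str]:
    """Domains that hold the permission but are not on the reviewer's allowlist."""
    expected = set(allowlist)
    return [d for d in domains_allowing(rules, cls, perm) if d not in expected]


def live_sesearch(cls: str, perm: str) -> Optional[str]:
    """Run setools' sesearch against the loaded policy if available (assumed helper)."""
    if shutil.which("sesearch") is None:
        return None
    proc = subprocess.run(["sesearch", "-A", "-c", cls, "-p", perm],
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    text = live_sesearch("alg_socket", "create") or SAMPLE_SESEARCH_OUTPUT
    rules = parse_allow_rules(text)
    # Placeholder allowlist: domains the reviewer has decided legitimately need AF_ALG.
    allowlist = {"unconfined_domain_type", "bluetooth_t"}
    print("Domains with create on alg_socket:", domains_allowing(rules, "alg_socket", "create"))
    print("Not on allowlist:", unexpected_domains(rules, "alg_socket", "create", allowlist))
```

Two caveats when reading the result: a source such as `unconfined_domain_type` is an attribute standing for many types, so expand it (`seinfo -a <attribute> -x` in setools) before concluding how many domains are covered; and an `allow` rule is only one gate, since `sesearch` does not show whether the rule is disabled by a boolean or whether a seccomp filter or LSM stacking would also block the `socket(AF_ALG, ...)` call.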


sorry yeah, I saw not exploitable on Android and thought most SELinux would be ok. Not super sure on this case what the surface is


ctrl + o isn't live - that's not what users want, what users want is the OPTION to choose what we want to see.


not surprised about the chrome part, but pretty shocked at the phone OS part. I know APFS migration was done in this way, but wouldn't storage considerations for this be massive?


what would be more massive would be phones not booting up because of a botched update. this way you can just switch back to the old partition


Not really, because only the OS core is swapped in this way. Apps and data live in their own partitions/subvolumes, which are mutable and shared between OS versions.

The OS core is deployed as a single unit and is a few GB in size, pretty small when internal storage is into the hundreds of GB.

