@tezoatlipoca@mas.to2026-05-01 15:41:26
@tezoatlipoca@mas.to2026-05-01 15:41:26
@selea@social.linux.pizza2026-04-29 20:13:04
The #copyfail exploit is not fun...
@darkrat@chaosfurs.social2026-04-29 19:26:45
Holy. Fucking. Fuckballs.
This exploit is... insane.
> An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root
https://copy.fail/
@mgorny@social.treehouse.systems2026-05-02 05:55:56
Greg Kroah-Hartman: "If you look there are thousands of unfixed CVEs in the older LTS kernels right now, and if distros or users that rely on those older branches wish to see those resolved, they need to provide working backports to us to apply, as our first attempt did not work (which is why they are unfixed in those branches.)"
Really asking for a "Pray tell us", given that nobody actually bothered disclosing the problem to downstreams and that the commit message was hiding it.
Either way, apparently the great LLM-backed patch backporting process that #NVidia is so proud of doesn't really work. Upstream doesn't really care about #LTS branches, and they should be considered insecure by default.
#Gentoo #Linux #CopyFail #security
@mgorny@social.treehouse.systems2026-04-30 05:38:38
So you read about #CopyFail, and are like… owww, shit. But then you see that it was responsibly disclosed after being fixed in main, we had releases since, they went stable in #Gentoo (over other #security fixes), so we should be good, right?
Except that it turns out that after it has been fixed in mainline, nobody bothered actually backporting the fix to all the LTS branches. And it doesn't apply cleanly (#Gentoo #Linux