It's very cute how everyone's like "THIS DOESN'T AFFECT LINUX SERVERS, WHAT A NOTHING BURGER"

And then half of those same people turn around and go "THIS IS THE YEAR OF LINUX ON DESKTOP!!"

Yeah? You sure about that?

Love to have a community with a rampant, raging disregard for users try to at the same time turn around and court said users. Really makes you feel good about The Year of Linux on Desktop.

I'm not sure there's anything Apple/Microsoft could do to lose with enemies like these.

@thephd
It's not nothing, it was just massively overhyped.
And I don't expose port 631 of my Linux desktops directly to the internet, either.

(BTW: CUPS was originally developed by Apple, but no idea if they still use it)

@Doomed_Daniel But maybe you sometimes use your computer on the same LAN as other people? Maybe you sometimes bring it to a coffee shop or an airport? I know I do

It was overhyped to some degree, but that's mostly thanks to receiving a 9.9 score, which the security researcher had nothing to do with
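The LAN exposure raised in the reply above comes down to whether anything on the machine is listening on UDP 631 on a non-loopback address. As an added example (not part of this thread), a POSIX shell check that reads `ss -Hulnp`-style output and reports such listeners; the two sample lines are constructed for the demo:

```shell
#!/bin/sh
# Added example: flag UDP port 631 listeners reachable from the LAN.
# Reads socket lines in the format of `ss -Hulnp` on stdin, prints the
# matching lines and returns 0 if any are found, 1 otherwise.
udp631_exposed() {
  awk '
    $1 == "State" { next }             # skip a header line if one is present
    {
      la = $4                          # "Local Address:Port" column
      n = split(la, p, ":")
      port = p[n]                      # text after the last colon
      addr = substr(la, 1, length(la) - length(port) - 1)
      # loopback-only binds are not reachable from other hosts on the LAN
      if (port == "631" && addr != "127.0.0.1" && addr != "[::1]") {
        print
        found = 1
      }
    }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample lines (not real output from any host).
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))'
SAMPLE_LOOPBACK='UNCONN 0 0 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=999,fd=5))'

# Demo on the constructed lines; on a real host run: ss -Hulnp | udp631_exposed
printf '%s\n' "$SAMPLE_EXPOSED" "$SAMPLE_LOOPBACK" | udp631_exposed \
  || echo "no UDP 631 listener reachable from the LAN"
```

Only the `0.0.0.0:631` line is printed; a loopback-only bind is treated as not exposed.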

@mort
Yes, in those situations I might be vulnerable (if I have the affected CUPS service on my laptop), but that's still a lower risk than being directly exposed to the internet.

But, other important point: It was supposed to be a no-interaction RCE, but in reality for anything bad to happen I'd have to print with an unknown printer that just magically appeared on my machine - which
1. means it requires user interaction after all
2. is quite unlikely

@Doomed_Daniel I think the rationale for calling it "no-interaction" is that a user who typically prints something wouldn't have to do anything special; they would just have to print in the way they normally do, with the printer they normally use. But yeah, I agree that the score of 9.9 was inflated; it's just also not a nothing-burger, and importantly, the security researcher isn't the person who did the over-hyping

@mort
It's not the printer they normally use, but a new temporary printer that additionally turns up in the system.
And while the "security researcher" wasn't responsible for the 9.9 score, he *did* overhype this vulnerability on social media (before it was disclosed), see x.com/evilsocket/status/183816 ("Unauthenticated RCE", "all GNU/Linux systems")

@mort
I mean, by the description it sounded like a vulnerability in the kernel's network stack or glibc's network code or maybe SSH (as this is a service that *is* actually exposed by most Linux systems, including Linux servers that are directly exposed to the internet)

@Doomed_Daniel The "new temporary printer that additionally turns up" can have the same name and metadata as "the printer they normally use", so the distinction is moot.

The only thing I find problematic in their communication is the "all GNU/Linux systems" part; it should've been "almost all desktop GNU/Linux systems".

I also read "9.9 severity CVE in Linux" and thought it was a critical kernel thing, but Simone neither gave it the 9.9 nor decided to strip "GNU" from "GNU/Linux" so 🤷

@mort @Doomed_Daniel You'd still have to switch it away from your default printer manually.