I suppose I would avoid connecting to untrusted networks, or avoid opening print dialogs while on them, or uninstall CUPS until a fix is available.

Even the Linux kernel / Linux Torvalds are moving towards Rust.

No, they aren’t. They are experimenting with it in certain new device drivers. No move is planned, and it’s too early to tell whether there will ever be one.

That refers to the fact that printer advertisements can contain lies: When you see a familiar printer name appear on a network, it could always be an impostor secretly pointing to the address of a malicious device.

So my first advice stands: Avoid interaction with untrusted or potentially compromised print servers.

To be clear, when I say “interaction”, I don’t just mean printing to them. I mean any interaction at all. Even just browsing a network for printers could potentially mean your system contacts the devices at the advertised addresses, and receives data from them. This Qualys report doesn’t make clear whether this kind of interaction is safe, so I have to assume for now that it is not.

Either of these commands will reveal processes listening on the port that’s vulnerable by default:

$ sudo lsof -i :631

$ sudo fuser -v 631/tcp 631/udp

The wording of this post gives me the impression that it could exploited even if you don’t have any such processes, if your system contacts a malicious or compromised print server. I would avoid browsing or using printers on unsafe networks until this is patched.

The port 631 process just makes it worse, by allowing someone else to initiate that contact remotely.

Based on this…

Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system’s cups-browsed service then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker’s code to run on the target system.

…it seems the exploit can be triggered either remotely through your CUPS instance listening on port 631, or locally by interacting with a malicious/compromised print server.

So if I understand correctly, shutting down that port wouldn’t be enough by itself. You would also have to keep your system from initiating contact with such a server, such as by using a public printer, or conceivably even just browsing printers at a cafe/business/school. I haven’t read the exploit details, so I don’t know which interactions are safe, if any.

Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server.

Okay, so at least until this is patched, it would be a good idea to shut down any CUPS-related process that’s listening on port 631, and avoid interaction with untrusted or potentially compromised print servers.

Either of these commands will list such processes:

$ sudo lsof -i :631

$ sudo fuser -v 631/tcp 631/udp

I don’t want to diminish the urgency of this vulnerability, but it is worth noting that “affecting all GNU/Linux systems” does not mean that every affected system is actually running the vulnerable code. Some installations don’t run print services and don’t ever communicate with printers.

Also, I suspect that the author’s use of “GNU” in that warning is misleading, potentially giving a false sense of security. (Sadly, a certain unfortunate meme has led many people to think that all Linux systems are GNU systems, and the author appears to be among them.) I don’t see any reason to think musl builds of CUPS are immune, for example, so I don’t assume my Alpine systems are safe just because they are not GNU/Linux.

Whenever I see posts like this, I wonder if they cover manual loop unrolling, which these days is usually an optimization left to the compiler.

Control+F, Duff’s Device

Yep, this post mentions it. Good for them. :)

It’s worth keeping in mind that your network is not the only network in the world, and WiFi is not the only kind of link.

Neighbors exist. Open guest networks exist. Drive-by and fly-by networks exist. Mesh networks exist (and are already created by devices like Amazon Echo for use by other devices in the neighborhood). Special-purpose networks quietly created by internet providers using their CPE exist. Satellite links exist, and have been getting smaller and cheaper; maybe enough for a TV before long. Power line networking exists, and can reach across property lines. Bluetooth, LoRa, cellular, etc. etc. etc.

I’m not suggesting that all smart TVs make use of these things today, but some of them are already capable, and since the capabilities are increasingly cheap and easy to implement, they will almost certainly become more common in the years to come. Let’s also remember that behavior that is not documented or enabled at purchase time can be enabled later, and sometimes is.

If I were buying today, it wouldn’t be a smart TV. I would instead look at gaming console monitors, computer monitors, projectors, dumb TVs, and commercial displays. That way I wouldn’t be showing manufacturers that spyware appliances are okay with me, nor giving them money in support of spyware product lines.

If I already had a smart TV and wasn’t in a position to replace it with something trustworthy, I would mod it: Open it up, find any network-capable components inside, and physically disconnect them. (Or if I didn’t have those skills, I would get a qualified friend or electronics repair shop to do it for me.)

All desktop environments are fancy compared to a simple window manager.

threat actors backed by Beijing broke into a “handful” of U.S. internet service providers

Which ISPs?

Also, it would Be(e) better to link the original article (archived here), rather than this secondary reporting based on it.

https://en.wikipedia.org/wiki/IEEE_754

Which KDE Neon download contains the current 6.2 beta?

(I ask because last time I tried to test a beta, none of them did.)

FWIW, I think it’s too early to tell where this will end up.

On the one hand, it’s possible that machine-manipulated (or even machine-generated) voices will supplant most of the demand for voice actors, much like modern photo/image tools and cheap crowd sourcing supplanted much of the demand for professional photographers.

On the other hand, the legal issues (and possible protections) around human likeness and unauthorized use of existing work are in their infancy, and we’re already seeing a lot of mediocre-to-bad output from content generating machines.

It should be interesting to see how this all unfolds.

No, it does not. The closest it comes is allowing a PC to take control of a mobile client on the same local network. That might be a convenient way to type with a full-sized keyboard if you have both devices in the same place, but it is not what people mean when talking about multi-device support.

https://archive.ph/HcVVC

I didn’t know that; thanks for sharing.

(BTW, I think you meant wreaking havoc.)

I don’t care how they estimate their cost in dollars. I think the cost to all of us in environmental impact would be more interesting.

Not to be confused with Khaaan!

The title of this post should probably include the words console and mobile.

SimpleX also loses messages if you don’t pick them up in time. Going on vacation for a few weeks could be problematic, for example.