I suppose I would avoid connecting to untrusted networks, or avoid opening print dialogs while on them, or uninstall CUPS until a fix is available.

Even the Linux kernel / Linux Torvalds are moving towards Rust.

No, they aren’t. They are experimenting with it in certain new device drivers. No move is planned, and it’s too early to tell whether there will ever be one.

That refers to the fact that printer advertisements can contain lies: When you see a familiar printer name appear on a network, it could always be an impostor secretly pointing to the address of a malicious device.

So my first advice stands: Avoid interaction with untrusted or potentially compromised print servers.

To be clear, when I say “interaction”, I don’t just mean printing to them. I mean any interaction at all. Even just browsing a network for printers could potentially mean your system contacts the devices at the advertised addresses, and receives data from them. This Qualys report doesn’t make clear whether this kind of interaction is safe, so I have to assume for now that it is not.

Either of these commands will reveal processes listening on the port that’s vulnerable by default:

$ sudo lsof -i :631

$ sudo fuser -v 631/tcp 631/udp

The wording of this post gives me the impression that it could exploited even if you don’t have any such processes, if your system contacts a malicious or compromised print server. I would avoid browsing or using printers on unsafe networks until this is patched.

The port 631 process just makes it worse, by allowing someone else to initiate that contact remotely.

Based on this…

Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server. The system’s cups-browsed service then connects back, fetching printer attributes, which include malicious PPD directives. When a print job starts, these directives execute, allowing the attacker’s code to run on the target system.

…it seems the exploit can be triggered either remotely through your CUPS instance listening on port 631, or locally by interacting with a malicious/compromised print server.

So if I understand correctly, shutting down that port wouldn’t be enough by itself. You would also have to keep your system from initiating contact with such a server, such as by using a public printer, or conceivably even just browsing printers at a cafe/business/school. I haven’t read the exploit details, so I don’t know which interactions are safe, if any.

Exploitation involves sending a malicious UDP packet to port 631 on the target, directing it to an attacker-controlled IPP server.

Okay, so at least until this is patched, it would be a good idea to shut down any CUPS-related process that’s listening on port 631, and avoid interaction with untrusted or potentially compromised print servers.

Either of these commands will list such processes:

$ sudo lsof -i :631

$ sudo fuser -v 631/tcp 631/udp

I don’t want to diminish the urgency of this vulnerability, but it is worth noting that “affecting all GNU/Linux systems” does not mean that every affected system is actually running the vulnerable code. Some installations don’t run print services and don’t ever communicate with printers.

Also, I suspect that the author’s use of “GNU” in that warning is misleading, potentially giving a false sense of security. (Sadly, a certain unfortunate meme has led many people to think that all Linux systems are GNU systems, and the author appears to be among them.) I don’t see any reason to think musl builds of CUPS are immune, for example, so I don’t assume my Alpine systems are safe just because they are not GNU/Linux.

I have heard that you don’t need a lawyer in small claims court (in the sense that it’s not really expected). Like I said, though, I know little about it. Maybe someone in a position to know will show up in this thread and fill us all in.

Whenever I see posts like this, I wonder if they cover manual loop unrolling, which these days is usually an optimization left to the compiler.

Control+F, Duff’s Device

Yep, this post mentions it. Good for them. :)

I think the US small claims court is meant to handle situations like this (although I know little about it). I wonder if it’s available to litigants from other countries.

It’s worth keeping in mind that your network is not the only network in the world, and WiFi is not the only kind of link.

Neighbors exist. Open guest networks exist. Drive-by and fly-by networks exist. Mesh networks exist (and are already created by devices like Amazon Echo for use by other devices in the neighborhood). Special-purpose networks quietly created by internet providers using their CPE exist. Satellite links exist, and have been getting smaller and cheaper; maybe enough for a TV before long. Power line networking exists, and can reach across property lines. Bluetooth, LoRa, cellular, etc. etc. etc.

I’m not suggesting that all smart TVs make use of these things today, but some of them are already capable, and since the capabilities are increasingly cheap and easy to implement, they will almost certainly become more common in the years to come. Let’s also remember that behavior that is not documented or enabled at purchase time can be enabled later, and sometimes is.

If I were buying today, it wouldn’t be a smart TV. I would instead look at gaming console monitors, computer monitors, projectors, dumb TVs, and commercial displays. That way I wouldn’t be showing manufacturers that spyware appliances are okay with me, nor giving them money in support of spyware product lines.

If I already had a smart TV and wasn’t in a position to replace it with something trustworthy, I would mod it: Open it up, find any network-capable components inside, and physically disconnect them. (Or if I didn’t have those skills, I would get a qualified friend or electronics repair shop to do it for me.)

Good question. Please see my follow-up comment.

Not putting your WiFi password in would absolutely be reliable.

No, it would not.

I’d love to hear your ideas on how they’d remotely break into your WiFi Network

They wouldn’t, of course, nor did I say they would.

(But since you brought it up, we have already seen internet providers quietly using their CPE to create special-purpose wireless networks surrounding customers’ homes. These could obviously be made available to any company that paid the ISP for access, just as cellular networks have been made available to companies like OnStar. So a TV could do this with a business deal rather than breaking in to your normal WiFi.)

However, your network is not the only network in the world, and WiFi is not the only kind of link. Neighbors exist. Open guest networks exist. Drive-by and fly-by networks exist. Mesh networks exist (and are already created by devices like Amazon Echo). Power line networking exists. Bluetooth, LoRa, cellular, etc. etc. etc. Maybe you live on an isolated mountain top where these things are unlikely to reach you (at least until satellite links become a little smaller and cheaper) but even that is not absolute, and most of us don’t.

Unless you disassemble your TV and examine all the components within, and know what they do, it could have any number of these capabilities.

Also, partly due to how prevalent multi-network support is becoming in electronics integration, it is not unusual for related functionality to be dormant at first yet possible to activate later.

I’d love for you not to be adversarial, and to learn more about a topic before making bold claims about it in absolute terms.

Friendly reminder that gaming console monitors, computer monitors, projectors, dumb TVs, and commercial displays exist.

Yes, I could hack a smart TV to disable its networking capabilities. (Merely withholding my wifi password is not reliable.) But that would still be showing the manufacturers that I find spyware TVs acceptable, and supporting the production of those models.

Also, this would be a good time to pressure our legislators into criminalizing this nonsense.

It’s disappointing to see that a couple dozen people decided to hit your post with drive-by downvotes, rather than using their words to express themselves in a way that actually contributes to this community.

Your question is a legitimate one, and relevant at a time when Windows is increasingly bloated and invasive, spyware is out of control, and Linux is increasingly a viable alternative even in certain tough areas like games. I just wish you had elaborated on why you singled out Ubuntu when several other widely-supported Linux distributions exist.

If those were my only two options, I would pick Ubuntu over Windows, no contest. I would replace its default desktop with KDE Plasma (or just choose the Kubuntu variant in the first place), rip out as much of Snap as I could, update the kernel, and plan to migrate to a distro that I like better whenever I was able.

For what it’s worth, Debian Stable with a few hand-picked backports and flatpacks suits me well, mainly for gaming and software development. (I’m a bit of an outlier among Linux users who post on social media, though: Having my system be low-maintenance is more important to me than always having the latest features in every app, and I’ve been known to make my own debian packages and flatpaks when something I want isn’t ready-made.)

Linux Mint, Pop_OS, and Arch Linux are also popular. There are quite a few more.

All desktop environments are fancy compared to a simple window manager.

threat actors backed by Beijing broke into a “handful” of U.S. internet service providers

Which ISPs?

Also, it would Be(e) better to link the original article (archived here), rather than this secondary reporting based on it.

Our capitulation to the virus is a combination of a population where most are now many months or years from their last vaccine dose, and that vaccine dose was in any case poorly cross-protective for the very distinct current variants.

I think most people don’t realize just how important that first part is. Many seem to believe a dose will keep them safe (and no longer dangerous to others) for at least a year, but that’s a mistake. Even our best Covid vaccines don’t protect for years or decades like the vaccines we’re accustomed to from childhood.

Immunity from these new shots wanes rapidly, reaching less than 20% effectiveness after just 6 months.

Sorry; the new tool, then. A bug report is a good first step toward getting those APIs supported in Wine. (Even undocumented things are sometimes added.)

Thanks for sharing.

What errors are logged by Wine when FWUpdater the new tool fails to run? If you file a bug report, it might get fixed.

I guess that makes sense. I haven’t used Discord in a while, but I think tags are less noisy over there, since they don’t render as something long like @someusername@somelemmysite.example.com. I avoid unnecessary tags on Lemmy because all that extra syntax makes for cluttered comments.