@jn overall it all feels not serious at all to me. Yes, the vuln is real. But not only did they not notify any mainstream linux distro, but they have the audacity to say these distros that haven't been notified, actually have the vuln patched already which is false.

That combined with "hey our AI solution detected this based on human analysis!!" .. ugh

@jn it's all AI generated, so yes of course there's lots of immature marketing...

"jn[?] this disclosure" :P

@mntmn I've daily driven a Linux phone before, and I continue to daily drive a (muuuuch less powerful, armv7) tablet with pmOS on it. My main gripes on pmOS right now (which I and obviously everyone else hope will be fixed) is the overall reliability of things like calls and audio.

Other than that, I think it's becoming what Android used to be in 2012 to me. I feel pmOS is slowly becoming what Android used to be in 2012, a pretty good phone/etc OS with a huge and growing hacker community.

Anyone saying "Scientists don't want you to know this fact" has never met a scientist.

Scientists are famous oversharers.

@CyReVolt Yes, but it'd be easier to know if it wasn't all obfuscated.

Dear #gitlab a Work Item is not something I want to be concerned with in #FreeSoftware stuff I do in my free time. Can't we have names that are more motivating like "Puzzles to solve"?

@alexanderkjall they also had time to obfuscate their exploit.

@simonzerafa @alexanderkjall How do distros know that there is a vulnerability in the wild?

Today I have spent way too much time handling the https://copy.fail situation #copyfail

The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.

But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.

I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.

@CyReVolt What's the point? You're not going to run this in an embedded environment with only 64K of SRAM available?

@PeterMotte This was just a silly computer joke. "GPT" can also mean "GUID Partition Table".

I don't understand the hate against GPT. I think it's a great technology, and definitely a step in the right direction. Of course there are those who will resist it, but we should all accept it's here to stay.

For example, having a backup copy of the partition table at the end of the disk greatly increases the chances of being able to recover from disk corruption at the first few sectors of the disk.

...chatbot? What chatbot?

Has anyone wondered why the CopyFail PoC is so heavily obfuscated?

That's a legit question. Isn't a PoC supposed to be clear so you know what you're trying to defend against?

CopyFail Was Not Disclosed to Distros : https://www.openwall.com/lists/oss-security/2026/04/30/10

#CopyFAil

Update: not available
I'm donating #Pixel3 with installed #PostmarketOS #Phosh edge. It helps me open #mobileLinux world and now I prefer a more modern hardware.

I'd be happy to post it to someone who needs it as long it's in the EU. No payment needed.

You can also come collect it in #Helsinki

#fediGiveFi

https://wiki.postmarketos.org/wiki/Google_Pixel_3_(google-blueline)

Update:
Thank you for the support. I'm going to send the phone to Hamburg. Happy coding!

#cats

@cas At this point the only reason why I still run Android is because I can degoogle most of it rather easily and because I can install other OSes such as pmOS on my phone without being reliant on someone discovering some tethered vuln in iBoot. (though yes, pmOS does run on iPhones :)

that's why I run android instead of iOS. Other than that I hate the thing now. Android now isn't the Android I remember being excited about using in 2012 :(

My main issue with postmarketOS isn't really the app selection (given it's also quite barebones on degoogled Android), but rather just the reliability of it all. I've daily driven pmOS on my phone at some point, and really mostly calls and audio were unreliable, enough for many people IRL to complain about me not answering calls. :P

@cas At this point the only reason why I still run Android is because I can degoogle most of it rather easily and because I can install other OSes such as pmOS on my phone without being reliant on someone discovering some tethered vuln in iBoot. (though yes, pmOS does run on iPhones :)

that's why I run android instead of iOS. Other than that I hate the thing now. Android now isn't the Android I remember being excited about using in 2012 :(

My main issue with postmarketOS isn't really the app selection (given it's also quite barebones on degoogled Android), but rather just the reliability of it all. I've daily driven pmOS on my phone at some point, and really mostly calls and audio were unreliable, enough for many people IRL to complain about me not answering calls. :P

@elly @domi @moses_izumi don't you get it? the fedi is the website? :p

Quickly dove into the copy.fail exploit.

1. Yes, it's real.
2. Current chain can write any arbitrary content to any user-readable file (into the page cache).
3. Current chain relies on an available target suid binary that you can open() as a lowpriv user.
4. Current exploit relies on that binary being /bin/su and then being able to execve(/bin/sh, 0, 0) (which doesn't work on alpine, etc.). The former is easily replaced in the code. The latter needs a rebuilt payload ELF (also easy).