279: CUPS Vulnerability, Tails OS + Tor, Ubuntu 24.10, COSMIC Alpha 2 & more Linux news

This week in Linux, we have a lot of great news and a little bit of some unfortunate news regarding a vulnerability with the CUPS printing system. Now, it’s not as bad as people are claiming, but we’ll get to that in a bit. We also have the merger of the Tor Project and the Tails OS project, which is really cool, and the Ubuntu 24.10 beta is now available, as well as the COSMIC Desktop, which has reached an alpha 2 that is now available for download and testing. All of this and more on This Week in Linux, the show that keeps you up to date with what’s going on in the Linux and Open Source world. So let’s jump right into Your Source for Linux GNews.

Support the Show

Become a Patron = tuxdigital.com/membership
Store = tuxdigital.com/store

Chapters:

00:00 Intro
00:47 CUPS Remote Code Execution Vulnerability
06:06 Tor Project & Tails OS Join Forces
08:58 Ubuntu 24.10 Beta Available
12:09 COSMIC Desktop Alpha 2 Available
17:16 Valve Engineer Hopes to Accelerate Wayland Development
19:54 Valve to directly collaborate with Arch Linux
21:42 Support the show

Transcript

Michael:
[0:00] This week in Linux, we have a lot of great news and a little bit of some unfortunate news regarding a vulnerability with the CUPS printing system. Now, it’s not as bad as people are claiming, but we’ll get to that in a bit. We also have the merger of the Tor Project and the Tails OS project, which is really cool, and the Ubuntu 24.10 beta is now available, as well as the COSMIC Desktop, which has reached an alpha 2 that is now available for download and testing. All of this and more on This Week in Linux, the show that keeps you up to date with what’s going on in the Linux and Open Source world. So let’s jump right into Your Source for Linux GNews.

Michael:
[0:46] A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System, or CUPS, on various Linux systems. It also can affect other ones, but we’re going to be talking about the Linux one, obviously. And that could permit remote code or remote command execution under certain conditions. You may have seen a lot of discussion on this topic, and there are a lot of people saying how bad it is, with ratings of 9.9 out of 10 or 9.1 out of 10, but there’s more to it than that. And it’s actually not that bad. It’s bad, but it’s not that bad. Before I move on to the details, patches are available, so even if you aren’t badly affected by this, run upgrades, because at some point you may want to print someday. Now, security researcher Simone Margaritelli, I probably said that wrong, if I did I apologize, aka evilsocket, I got that one right, pretty confident about that one, is the person who found this and revealed it, and says that a remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution on the computer when a print job is started from that computer. Now, who is affected by this? Well, I...

Michael:
[2:10] A lot, and also not that much. So various different distributions provide CUPS in a different way. So for example, CUPS, or more specifically the cups-browsed service, is generally installed on desktop computers and servers configured as print servers. And the exploit chain is not completed unless the print job is sent. So if you never print, then you can’t have the chain completed. So therefore, it’s not really going to be a big deal, even if the vulnerable packages are installed and enabled. But in some distributions, it’s not going to be enabled. For example, Fedora and Red Hat have it installed, but not enabled, whereas Ubuntu and Debian do have it enabled. Now, there are four CVEs that make up this whole thing. So four CVEs have been assigned that together form a high-impact exploit chain surrounding CUPS, and by chaining this group of vulnerabilities together, an attacker can potentially achieve remote code execution, which is basically the worst kind of attack, which could then lead to theft of sensitive data or damage to critical systems. And some sites are saying that this vulnerability is a 9.1 and others are saying it’s a 9.9.

Michael:
[3:24] But it’s not that bad. So Benjamin Harris, CEO of watchTowr, says that it looks like the embargoed Linux unauth RCE vulnerabilities that have been touted as doomsday for Linux systems may only affect a subset of systems. And Satnam Narang, Senior Staff Research Engineer at Tenable, says that these vulnerabilities are not at the level of Log4Shell or Heartbleed, which were basically at a 9.9 out of 10, critical, and those made sense to be that. This one, not so much. Bad, but not that bad. Now, cybersecurity firm Rapid7 pointed out that affected systems are exploitable either from the public internet or across network segments only if UDP port 631 is accessible and the vulnerable service is listening. However, blocking UDP port 631 will not effectively prevent exploitation on a LAN. It will prevent it on the public internet connection, but not on a LAN, as there are, like, secondary channels and that sort of stuff to facilitate the exploitation, such as mDNS, for example. Now, exploitation of these vulnerabilities is possible through the following chain of events. It takes a lot of things to make this happen. The cups-browsed service has been enabled by either your distro or you manually.

Michael:
[4:48] And an attacker has access to a vulnerable server, which could be because it’s got access on a public internet connection, or it’s got access because it has gotten into an internal network and therefore can jump to the printer.

Michael:
[5:02] It also has to have affected systems with, like, the UDP port 631, as I mentioned earlier. So all of that has to be done. Also, the attacker has to set up a malicious printer, which in theory would not be that difficult in terms of using this vulnerability if they know how to do it. But the next part does require a little bit more, and that is the potential victim has to attempt to print on the malicious printer. Otherwise, if not all five of these have been met, then the final one, of the attacker being able to execute the code, would not be possible. So this is something that needs to be addressed. It is a bad thing, so it needs to be fixed. And it is great that it was found, reported, and patched. It shows the value of Open Source working together to improve systems, for example. But overall, the level of press that this has got recently is a little bit overblown. It’s bad. It’s just not that bad. As always, if you want to learn more about this topic or any other topic we

Michael:
[6:03] cover on the show, then you’ll find links in the show notes. The Tor Project, a global nonprofit developing tools for online privacy and anonymity, and Tails, a portable operating system that uses the Tor network to protect users from digital surveillance, have joined forces and merged operations.

Michael:
[6:22] Now, incorporating Tails into the Tor Project’s structure allows for easier collaboration and better sustainability, reduced overhead, and expanded training. Now, coming together will strengthen both organizations’ ability to protect people worldwide from surveillance and censorship, as they say in their blog post. And they also say that in late 2023, Tails approached the Tor Project with the idea of merging operations, and Tails had outgrown its existing structure. By joining forces, the Tails team can now focus on their core mission of maintaining and improving the Tails OS, while benefiting from the larger organizational structure of the Tor Project. Now, this solution is a natural outcome, they say, of the Tor Project and Tails’ shared history, because 15 years ago, Tails’ first release was announced on a Tor mailing list, and Tor and Tails developers have been collaborating closely since 2015, and more recently, Tails has been a sub-guarantee, or no, a sub-grantee of Tor. Yeah.

Michael:
[7:30] Now, intrigeri, I think that’s how you say it, intrigeri, team lead of Tails OS, says that running Tails as an independent project for 15 years has been a huge effort, but not for the reasons you might expect. The toughest part wasn’t the tech. It was handling critical tasks like fundraising and finances and HR, and trying to manage those in different ways. And he says, “I’m really relieved that Tails is now under the Tor Project’s wing. In a way, it feels like coming home.”

Michael:
[8:01] Now, this is really interesting, because it’s very hard to manage a project, especially if you’re going to manage a project that has fundraising of any kind. If you have any kind of financial structure, it becomes more and more complicated. And I have done a little bit of that myself. I’ve done small projects and, like, fairly bigger projects in terms of contributions and that sort of thing, and handling these kinds of things is a lot. Just for example, if you have a project and you start adding in donations or a Patreon membership or something like that, you start having to deal with taxes on top of your existing structure. And depending on how much you get and depending on what country you’re in, it could be even more complicated, because you might be classified as a self-employed person at that point. So there’s a lot to it. So I understand why this would be something you want to do. And I think this is actually going to be very good. I think this merge makes sense, and I look forward to what can come from this

Michael:
[8:57] partnership in the future. The beta of Ubuntu 24.10, Oracular Oriole, is now available to download and test. Now, this is a reminder, because it’s a beta.

Michael:
[9:08] So it’s not the final release and users should hold off from putting it into production.

Michael:
[9:13] And Utkarsh Gupta, hopefully I said that right, if I did not, I apologize, from Canonical says that the beta images are known to be reasonably free of showstopper image build or installer bugs while representing a very recent snapshot of 24.10 that should be representative of the final release. Now, since this is a beta, we will cover the highlights of it and save the in-depth coverage for when the final release comes out. So the highlights of this release are that GNOME 47 is going to be included, there are improvements to the GNOME Shell and GTK4, the Nautilus file manager has had a redesign for the sidebar, and they added the global shortcuts protocol for Wayland as well as accent colors, although Ubuntu has had accent colors for a couple of years now, so it’s not that big of a difference for them. But if you’d like to learn more about the latest release of GNOME, check out TWIL 278, which was last week, where we covered the latest release.

Michael:
[10:13] Now, this release is going to ship with the Linux kernel 6.11, which offers better power efficiency on AMD PCs and an extended 4, or ext4, file system performance boost. And also, well, the biggest thing is the fact that the 6.11 kernel is being used and not 6.10, because Canonical announced a couple of weeks ago that they are changing how they are choosing their kernels. And you can check out TWIL 276 for the full coverage of that.

Michael:
[10:43] Now, another big thing is that NVIDIA users will now get a Wayland session by default, with an option to switch to X if they want to. This is a very big deal, because it means that Wayland isn’t being held back by NVIDIA anymore, which was a problem for many years.

Michael:
[11:01] Now, there’s also a new security app that comes with 24.10, and it also works with the new prompting client permission stuff that is for the Snap apps. If you’d like more information about that, then check out episode 277 of TWIL, where we covered that news. Now, something I want to talk about is the 20th anniversary of Ubuntu, because Ubuntu 4.10 was the first release of Ubuntu, and this 24.10 clearly is a big deal. And there’s going to be, I’m very happy about this, there are going to be anniversary Easter eggs. So they’re going to have a brown color accent, which is great and terrible. It’s great for the fact that they have it. I love that they have it, but also at the same time, it’s not great. It wasn’t great then. It definitely isn’t great now. But I’m happy it’s there for…

Michael:
[11:57] Nostalgia reasons. And also the very first Ubuntu login sound is going to be included in this as an Easter egg, as well as many more.

Michael:
[12:04] And as a long-term Linux user, I’m looking forward to all of these Easter eggs. System76 has announced a new update for the COSMIC Desktop environment with the Alpha 2 release. The COSMIC Desktop is a very exciting project and is something that I am 100% going to take a look at and make a video on very soon. But until then, let’s talk about what’s new. The latest release includes more settings pages, the bulk of functionality for the COSMIC Files file manager, some highly requested window management features, and a considerable amount of work for the screen reader support, which is great to see. I think accessibility is a vital thing to keep in mind when they do development, and I love seeing desktops and distros work on that every single time, so fantastic. Now, COSMIC is of course available to test on Pop!_OS, but it’s meant to be agnostic, so it’s also available on Fedora, openSUSE, Arch, NixOS, Serpent OS, Redox OS, and CachyOS. Is it CacheOS or CatchyOS? I don’t know.

Michael:
[13:06] Anyway, so let’s talk about what’s new with the latest Alpha 2. So there are more settings pages. There’s a power and battery page that’s been updated with being able to choose between power profiles like extended battery life mode, high performance mode, and balanced mode. Also, you can check the battery levels of your mouse, keyboard, headset, and other wireless devices. The sound settings received some updates with the ability to select input and output devices, adjust volume for each of those on a slider, and choose between a variety of sound profiles like analog stereo duplex, digital stereo output, and more, including pro audio. They’ve also added support for Bluetooth devices for sound, and speaking of Bluetooth, there’s now a Bluetooth settings page where you can connect, disconnect, and forget devices from the new Bluetooth page in settings. Also, display settings have got a big update for X11 applications, because there’s a new X11 application scaling option

Michael:
[14:08] in the display settings, allowing you to enable sharper X11 apps and also gaming at native display resolutions in the display settings. And two highly requested features have been added to the window management settings, which are focus follows cursor and cursor follows focus. So focus follows cursor means that moving your mouse across your layout causes the active focused window to switch to whatever window the cursor is overlapping. You can also customize the time it takes for the mouse to snap to the new window as well. And also, cursor follows focus is where changing window focus with keyboard shortcuts or opening a new window causes your cursor to immediately snap to the top left corner of that window, and this makes it easier to find your cursor and saves the trouble of having to move it to the window. Now, I kind of like it to be more in the middle necessarily than the top left, but I guess it depends on

Michael:
[15:05] the usability and how that works out, because I’ll try it out and let you know. So let’s also talk about the file manager, because COSMIC Files has been the main focus leading up to Alpha 2.

Michael:
[15:15] There’s a new search bar, there’s a new folder and a grid list view, and a sort by option system set up in the header. Also, as far as sorts, you can sort by name, you can do it by type, last modified, date created, and size, and the recent files are added to the sidebar as well. And they’ve also got a lot of preview stuff for the various files, so you can preview files in the context menu before opening. The preview feature is incomplete, but it’s in a lot of development and there’s some really cool stuff coming, so previews are active by default to elicit feedback during the second alpha. So if you find a bug, be sure to report it, and an option to disable previews will be added for Alpha 3 in the future. So the gallery is a new feature accessible from the preview mode. In gallery mode, users can cycle through images in a folder. And it’s a very nice thing to do. So it’s interesting, because usually these preview and gallery systems are done in the individual applications, like an image viewer, rather than in the file manager itself. So it’s an interesting solution that I’m looking forward to trying out. And also, you can now compress and extract files from the right-click menu, as well as extract to a desired location, because this is something that was not available in the previous Alpha 1, so I’m really happy to see that. It supports TAR, TBZ, TGZ, TXZ, and ZIP files.

Michael:
[16:45] Support for password-encoded ZIP files will be in the next release of the alphas, and you can also browse and connect to network drives in the file manager. Now, there’s a lot more to this news, so check the link in the show notes for more details, but also be sure to subscribe to the YouTube channel to check out my overview walkthrough of the Alpha 2, which is coming out, well,

Michael:
[17:09] Fairly soon. We’ll see. It depends on how long it takes me to get to it,

Michael:
[17:14] but in the next day or so, I feel like. Wayland versus X.org is still a topic that is heavily debated, well, not by developers, but by users. And I can’t count the number of times I’ve heard someone say, why is Wayland taking so long? Or, are we ever going to get to Wayland?

Michael:
[17:30] It turns out that this sentiment has some merit behind it. Mike Blumenkrantz, hopefully I said that right, is an open source graphics software engineer for Valve. He’s known in the Linux community for his work on the Zink OpenGL-on-Vulkan driver code and various Mesa driver optimizations. And now he has decided to take up the task of accelerating development for the Wayland protocols, which, if it needs to have that, that’s fantastic. So I’m glad to see someone is wanting to do that. And also at the same time, fellow Valve Linux engineer Joshua Ashton has proposed the Frog Protocols to serve as an alternative to Wayland Protocols, to be able to iterate new Wayland protocols quicker. Now, what Mike is proposing is something I think should be absolutely added, and that is a new experimental protocol development area. While a protocol is still within the experimental branch, there could be a breaking change that’s allowed, and the purpose is to allow for more iterative development before being ready for the staging or stable branches. If this experimental proposal gains adoption, it could help in accelerating new protocol development and get new protocols into the repository faster.

Michael:
[18:47] Also, rather surprising to me that this doesn’t already exist. Why would you only have staging and stable? How does it even get into staging? I mean, as a non-developer, I always thought that, you know, it would be standard to have some kind of dev branch before staging, because staging means that it’s getting ready for stable. So, you know, I just assumed it was there. Anyway, for those who are thinking this might be a PipeWire dream, get it? Pipe dream? PipeWire? Well, Mike is also now serving as a member of the Wayland Protocols governance in the Mesa stack, along with Daniel Stone, so there’s a lot of potential here. You can follow what is happening on Mike’s blog, as he wrote up a post outlining the Wayland protocol development headaches as they stand currently and his hopes for helping to address the situation as a whole. And I gotta say, his blog is a fun read.

Michael:
[19:43] Mike’s sense of humor is clearly evident in his writing, and even his domain has some fun to it. So if you want to learn more about this news, you can go to supergoodcode.com.

Michael:
[19:53] If it wasn’t enough for Valve devs to work on improving Wayland, there was an announcement this week that Valve will be entering into a direct collaboration with Arch Linux. So Levente Polyák, I almost guarantee I said that wrong, of Arch Linux says that Valve is generously providing backing for two critical projects that will have a huge impact on our distribution: a build service infrastructure and a secure signing enclave. By supporting work on a freelance basis for these topics, Valve enables us to work on them without being limited solely by the free time of our volunteers. Now, for those who are unfamiliar, a build service infrastructure refers to a system to build and distribute binary packages in an automatic and reproducible way. This is also sometimes referred to as continuous integration.

Michael:
[20:46] And a secure signing enclave refers to digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. This is also known simply as code signing. Levente goes on to say, this opportunity allows us to address some of the biggest outstanding challenges we have been facing for a while. The collaboration will speed up the progress that would otherwise take much longer for us to achieve and will ultimately unblock us from finally pursuing some of our planned endeavors. Now, this is very cool news and shows just how great Valve is for their commitment to Linux. Obviously, this is going to benefit Valve as well, of course, because their SteamOS distro for the Steam Deck is based on Arch Linux. But this is just yet another example of Mr. Newell being Good Guy Gabe.

Michael:
[21:41] Thanks for watching this episode of This Week in Linux. If you like what I do here on this show and want to be kept up to date with what’s going on in the Linux and Open Source world, then be sure to subscribe. And of course, remember to like that smash button. If you’d like to support the show and the TuxDigital Network, then consider becoming a patron by going to tuxdigital.com/membership. You’re going to get a bunch of cool perks like patron-only sections of our Discord server and also patron-only access to the live stream that we’re now doing. We’re bringing it back as of this episode; I streamed it live, for those who were not here.

Michael:
[22:16] And also, unedited versions of the show will be available fairly soon, if you’d want that, because they’re much longer than the other versions, but it’s a perk you could have if you’d like. So, tuxdigital.com/membership to sign up and get all of that. And also, if you’d like to support the show in other ways, you can do that by getting the merch that we have at our store, where we have the Linux Is Everywhere shirt, the This Week in Linux shirt, and the TuxDigital shirt that I’m wearing right now. All you gotta do is go to tuxdigital.com/store and get all this and many more, like hats, mugs, hoodies, and so much more: tuxdigital.com/store. I’ll see you next week for another episode of Your Source for Linux GNews. Thanks again for watching. I’m Michael Tunnell. I hope you’re doing swell. Be sure to ring that notification bell. And until next time, I bid you farewell.
