schmonz.com is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Search results for tag #linux

9to5Linux
@9to5linux@floss.social

152 Email Client Updates GMail OAuth to Use PKCE 9to5linux.com/mozilla-thunderb

A screenshot of Mozilla Thunderbird 152 showing the main window and the About Mozilla Thunderbird dialog.

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-70102 - NULL Pointer Dereference in dhcpcd parse_option

Summary
A crafted dhcpcd configuration input can trigger undefined behavior in the configuration parser by causing `parse_option()` to access a member through a NULL `struct dhcp_opt` pointer.

The issue is located in `src/if-options.c` in `parse_option()`. During parsing of malformed or unexpected option data, the lookup/parsing path can leave the local DHCP option pointer unset. The affected code then assumes the option pointer is valid and accesses embedded option metadata through it, which results in a NULL pointer member access at `src/if-options.c:1886`.

CWE:
CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Affected Component:
```
src/if-options.c:1886
Function: parse_option()
```

Affected Product:
dhcpcd

Affected Version:
The issue was reproduced against dhcpcd commit:
```
2de751b3691642151a4fdc49e444d6b4dc364e98
```

Attack Conditions:
An attacker must cause dhcpcd to process a crafted configuration input that reaches the vulnerable option parsing path. The issue was reproduced in an instrumented fuzzing build of the dhcpcd configuration reader.

Impact:
The vulnerability causes undefined behavior and process termination under the sanitizer build, resulting in Denial of Service. No evidence of arbitrary code execution was observed in the local crash data.

Fix:
The issue was fixed in dhcpcd commit:
```
117742d755b591764036dd4218f314f748a3d2b7
```
The fix ensures that the pointed-to local DHCP option entry is non-NULL before it is dereferenced. Users should update to a dhcpcd build containing this commit or later.

References:
- Issue: github.com/NetworkConfiguratio
- Fix: github.com/NetworkConfiguratio
- PoC: github.com/sigdevel/pocs/blob/

Credits:
Alexander A. Shvedov (@sigdevel)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55663 - NULL Pointer Dereference in GPAC MP4Box Track Descriptor Handling

Summary:
Processing a crafted MP4 file containing an unsupported box type with `MP4Box` can trigger a NULL or invalid pointer dereference in `Track_SetStreamDescriptor()`, causing a Denial of Service.

The `Track_SetStreamDescriptor()` function in `isomedia/track.c` mishandles sample entry pointers when importing malformed MP4 files containing an unknown `svcC` box inside an `av01` parent box. The unsupported box path can leave the relevant sample entry pointer uninitialized or invalid, and the import/update path later dereferences it.

AddressSanitizer reports a `SEGV` caused by a `READ` memory access at `isomedia/track.c:1677`.

CWE:
CWE-476 - NULL Pointer Dereference

Affected Component:
```
isomedia/track.c:1677
Function: Track_SetStreamDescriptor()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
15a4ac2dff38cdbb8b43e7c84fb1595ee80d81ac
```

Attack Conditions:
An attacker supplies a crafted MP4 file containing an unsupported `svcC` box inside an `av01` parent box. The issue can be reproduced locally with:
```
./MP4Box -add 8_poc.mp4 -new /dev/null -ab 1024
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated workflow invokes MP4Box on attacker-controlled media.

Impact:
The immediate observed impact is Denial of Service due to process termination. The local MITRE data notes potential code execution risk; the observed trace shows an invalid read and segmentation fault.

Fix:
The issue was fixed in GPAC commit:
```
78c2c9be29a41b38eca2c53d280442088a71dab9
```

Users should update to a GPAC build containing this commit or later. The affected code should validate sample entry pointers and unsupported box handling before changing stream descriptors or importing media configuration.

References
- Issue: github.com/gpac/gpac/issues/31
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/78

Credits
Alexander A. Shvedov (@sigdevel)

sigdevel
@sigdevel@infosec.exchange

CVE-2025-55661 - Heap Buffer Overflow in GPAC MP4Box Opus Header Parser

Summary:
Processing a crafted MP4 file containing malformed Opus audio packets with MP4Box can trigger a heap buffer overflow in `gf_opus_parse_packet_header()`, causing a crash and possible information disclosure from an out-of-bounds heap read.

The `gf_opus_parse_packet_header()` function in `media_tools/av_parsers.c` does not sufficiently validate the input buffer size before reading Opus packet header fields. When MP4Box parses crafted Opus audio packet data, the parser reads one byte beyond the end of a heap-allocated sample buffer.

AddressSanitizer reports a heap-buffer-overflow at `media_tools/av_parsers.c:11326`, with a `READ of size 1` immediately after a 3-byte heap region allocated by `Media_GetSample()`.

Affected Component:
`media_tools/av_parsers.c:11326`

Function: `gf_opus_parse_packet_header()`

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
GPAC MP4Box v2.4
The issue was reproduced on a GPAC build at commit `ff8249a407685d00ceb5f4d2a798b9cad195140e`.

Attack Conditions:
An attacker supplies a crafted MP4 file containing malformed Opus audio packet data, such as an invalid TOC code 3 length. The issue can be reproduced with:
```
./MP4Box 9_poc.mp4 -dxml -out /dev/null
```
No elevated privileges are required. The attack is context-dependent because attacker-controlled media may be processed by MP4Box in automated workflows; manual processing also triggers the issue.

Impact:
The observed impact is denial of service due to process termination. Because the bug reads beyond a heap allocation, adjacent heap memory disclosure may also be possible.

CWE:
CWE-122 - Heap-based Buffer Overflow

Fix:
The issue was fixed in GPAC commit `d523e7190ccdcf2c13a698080f4f30dc933bd34c`.

Users should update to a GPAC build containing this commit or later. The affected Opus parser should validate the sample buffer length before reading TOC and packet header fields.

References:
- Issue: github.com/gpac/gpac/issues/31
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/d5

Credits:
@sigdevel (Alexander A. Shvedov)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55660 - Stack-based Buffer Overflow in GPAC MP4Box Opus Parser

Summary:
Processing a crafted MP4 file containing malformed Opus audio packets with `MP4Box` can trigger a stack-based buffer overflow in `gf_opus_read_length()`, causing a crash and potential memory corruption.

The `gf_opus_read_length()` function in `media_tools/av_parsers.c` does not sufficiently validate Opus packet sizes before writing packet length information. When MP4Box parses a crafted MP4 file containing malformed non-self-delimited Opus packet data, the parser can write two bytes beyond the bounds of a stack object used by the Opus inspection path.

AddressSanitizer reports a `stack-buffer-overflow` at `media_tools/av_parsers.c:11140`, with a `WRITE of size 2` overflowing the `pckh` stack object in `gf_inspect_dump_opus_internal()`.

CWE:
CWE-121 - Stack-based Buffer Overflow

Affected Component:
```
media_tools/av_parsers.c:11140
Function: gf_opus_read_length()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
ff8249a407685d00ceb5f4d2a798b9cad195140e
```

Attack Conditions:
An attacker supplies a crafted MP4 file containing malformed Opus audio packets, such as a non-self-delimited Opus packet with an invalid odd length. The issue can be reproduced locally with:
```
./MP4Box -add 7_poc.mp4 -dxml -out /dev/null
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated workflow invokes MP4Box on attacker-controlled media.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a stack-based buffer overflow with attacker-controlled media input, memory corruption and potential arbitrary code execution cannot be ruled out.

Fix:
The issue was fixed in GPAC commit:
```
d523e7190ccdcf2c13a698080f4f30dc933bd34c
```

Users should update to a GPAC build containing this commit or later. The affected Opus parsing code should validate packet sizes and frame-length constraints before writing length fields into packet header structures.

References:
- Issue: github.com/gpac/gpac/issues/31
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/d5

Credits:
Alexander A. Shvedov (@sigdevel)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55652 - Heap Buffer Overflow in GPAC MP4Box VP Configuration Handling

Processing a crafted MP4 file with malformed VP codec configuration data can trigger a heap buffer overflow in `gf_isom_vp_config_new()`, causing a crash and potential memory corruption.

Summary:
The `gf_isom_vp_config_new()` function in `isomedia/avc_ext.c` does not sufficiently validate buffer boundaries when creating VP codec configuration boxes. A crafted MP4 file with malformed VP codec data, including unknown box types such as `D0ncv` in `stsd`, can cause MP4Box to allocate an undersized box structure and then write VP/NALU configuration data beyond the allocation.

CWE:
CWE-122 - Heap-based Buffer Overflow

Affected Component:
```
isomedia/avc_ext.c:1962
Function: gf_isom_vp_config_new()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
74fecde32cd477ab097f3e6db55a32b259f3313d
```
Builds before the fix commit `ad3b541b4f38c8f0ef67544509598f8207ea1207` should be considered affected if they contain the vulnerable VP configuration allocation/write path.

Attack Conditions:
An attacker supplies a crafted MP4 file containing malformed VP codec configuration data. The issue can be reproduced locally with:
```
./MP4Box -dash 10000 ./18_poc.mp4
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated media workflow invokes MP4Box on attacker-controlled input.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is an out-of-bounds heap write, memory corruption and potential arbitrary code execution cannot be ruled out.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
ad3b541b4f38c8f0ef67544509598f8207ea1207
```

References:
- Issue: github.com/gpac/gpac/issues/32
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/ad

Credit:
@sigdevel (Alexander A. Shvedov)

sigdevel
@sigdevel@infosec.exchange

CVE-2025-55650 - Heap Use-After-Free in GPAC MP4Box SVG Node Handling

Summary
Processing a crafted MP4 file with `MP4Box -svg` can trigger a heap use-after-free in `gf_svg_node_del()`, causing a crash and possible memory corruption.

The `gf_svg_node_del()` function in `scenegraph/svg_types.c` does not ensure that freed SVG node memory is not accessed again during scene graph cleanup. When MP4Box parses a crafted MP4 file through the MPEG-4 LASeR/SVG scene dump path, an SVG node is freed and then dereferenced again.

AddressSanitizer reports a heap-use-after-free at `scenegraph/svg_types.c:107`, with a `READ of size 8` from a 24-byte heap region that was previously freed in `gf_svg_node_del()` at `scenegraph/svg_types.c:126` and allocated by `gf_svg_create_node()` at `scenegraph/svg_types.c:65`.

Affected Component
`scenegraph/svg_types.c:107`

Function: `gf_svg_node_del()`

Affected Product
MP4Box (GPAC Multimedia Open Source Project)

Affected Version
GPAC MP4Box v2.4.

The issue was reproduced on a GPAC build at commit `46be5f928660530d5332cd2f1d177208737558ef`.

Attack Conditions
An attacker supplies a crafted MP4 file that reaches the SVG/LASeR scene parsing path. The issue can be reproduced with:

```
./MP4Box -svg 10_poc.mp4
```

No elevated privileges are required. User interaction is required when a victim manually processes the malicious MP4 file; automated workflows that invoke MP4Box on attacker-controlled media may also trigger the issue.

Impact
The observed impact is denial of service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution cannot be ruled out.

CWE
CWE-416 - Use After Free

Fix
The issue was fixed in GPAC commit `6be6f62e2a079ebccf3a9e57c27787fd16e645de`.

Users should update to a GPAC build containing this commit or later. The affected scene graph cleanup code should prevent use of freed SVG nodes and ensure node lifetime and registration state are handled consistently during scene reset and deletion.

References
- Issue: github.com/gpac/gpac/issues/31
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/6b

Credits
@sigdevel (Alexander A. Shvedov)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55649 - NULL Pointer Dereference in GPAC MP4Box ESD Mapping

Processing a crafted MP4 file with corrupted Elementary Stream Descriptor data can trigger a NULL pointer dereference in `gf_media_map_esd()`, causing a Denial of Service.

Summary:
The `gf_media_map_esd()` function in `media_tools/isom_tools.c` does not verify that `esd->URLString` is non-NULL before passing it to `strlen()`. When MP4Box processes a crafted MP4 file containing corrupted ESD data during fragmentation setup, `URLString` can be NULL and the process crashes while reading from address `0x000000000000`.

AddressSanitizer reports a `SEGV` in `strlen()`, with the GPAC call site at `media_tools/isom_tools.c:1359`.

CWE:
CWE-476 - NULL Pointer Dereference

Affected Component:
```
media_tools/isom_tools.c:1359
Function: gf_media_map_esd()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
09e7063ed0a13b4cee9a180a56dcc21e9f9ade07
```

Attack Conditions:
An attacker supplies a crafted MP4 file containing corrupted ESD data. The issue can be reproduced locally with:
```
./MP4Box -frag 1500 11_poc.mp4
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated workflow invokes MP4Box on attacker-controlled media.

Impact:
The immediate observed impact is Denial of Service due to process termination. The crash is a NULL pointer dereference on the zero page; no evidence of arbitrary code execution was observed.

Fix / mitigation status:
The local CVE/MITRE data references GPAC fix commit:
```
10c16d54659b1b82dd49573dfeacfa9a5627a115
```
Users should update to a GPAC build containing this commit or later. The affected code should validate `esd`, `esd->URLString`, and related ESD fields before string operations.

References:
- Issue: github.com/gpac/gpac/issues/31
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/10

Credit:
@sigdevel (Alexander A. Shvedov)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55648 - Heap Buffer Overflow in GPAC MP4Box Opus Packet Parser

Processing a crafted MP4 file containing corrupted Opus sample-size data with `MP4Box` can trigger a heap buffer overflow in `gf_opus_parse_packet_header()`, causing a crash and potential memory corruption impact.

Summary:
The `gf_opus_parse_packet_header()` function in `media_tools/av_parsers.c` does not sufficiently validate the input buffer length before parsing Opus packet headers. When MP4Box processes a crafted MP4 file with corrupted sample-size (`stsz`) data, the parser reads beyond the bounds of a heap-allocated sample buffer.
AddressSanitizer reports a `heap-buffer-overflow` at `media_tools/av_parsers.c:11297`, with a `READ of size 1` 1242 bytes past a 32-byte heap region allocated by `Media_GetSample()`.

CWE:
CWE-122 - Heap-based Buffer Overflow

Affected Component:
```
media_tools/av_parsers.c:11297
Function: gf_opus_parse_packet_header()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
61bbfd2e89553373ba3449b8ec05b5f098d732a5
```

Attack Conditions:
An attacker supplies a crafted MP4 file containing corrupted Opus sample-size (`stsz`) data. The issue can be reproduced locally with:
```
./MP4Box 12_poc.mp4 -dxml
```
No elevated privileges are required. The CVE text describes the attack as network/context-dependent because attacker-controlled media may be processed by MP4Box in automated workflows; manual processing also triggers the issue.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the bug reads beyond a heap allocation, information disclosure may be possible. The local MITRE data also notes potential arbitrary code execution risk, though the observed ASAN trace is an out-of-bounds read.

Fix / mitigation status:
The local CVE/MITRE data references GPAC fix commit:
```
cea49f684dbc4d53ecd6c76a9623838802a68d88
```

Users should update to a GPAC build containing this commit or later. The affected Opus parser should validate sample buffer length and `stsz`-derived packet sizes before reading packet header fields.

References:
- Issue: github.com/gpac/gpac/issues/31
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/ce

Credit:
@sigdevel (Alexander A. Shvedov)
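
The three Opus advisories above (CVE-2025-55661, CVE-2025-55660 and this one, CVE-2025-55648) describe one parser weakness from three angles: the TOC byte, the code 3 frame-count byte and the per-frame length bytes are read from a sample buffer without checking how many bytes it still holds, and frame lengths are written into a fixed-size header object without bounding the index. The parser below is an added example written for this page; it is not GPAC's code and not the fixed `gf_opus_parse_packet_header()` or `gf_opus_read_length()`, and the `opus_pkt_hdr` struct, the `cursor` helper and the wrapper names are this example's own. It follows the packet layout of RFC 6716 sections 3.1 and 3.2 (TOC byte, codes 0 to 3, one- or two-byte frame lengths, padding) and refuses truncated or inconsistent input instead of reading past it, so a 3-byte sample whose length byte demands a fourth byte, a code 1 packet with an odd remainder, or a frame count outside 1..48 all return an error.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OPUS_MAX_FRAMES      48    /* RFC 6716 3.2.5: a code 3 packet carries 1..48 frames */
#define OPUS_MAX_FRAME_BYTES 1275  /* RFC 6716 3.2.1: largest legal frame */

typedef struct {                   /* example-local header struct, not GPAC's */
    uint8_t  config, stereo, code, nb_frames;
    uint16_t frame_len[OPUS_MAX_FRAMES];
    size_t   padding;      /* trailing padding bytes (code 3 only) */
    size_t   header_size;  /* bytes consumed before the first frame's payload */
} opus_pkt_hdr;

typedef struct { const uint8_t *p; size_t left; } cursor;   /* every read goes through this */

static int take_u8(cursor *c, uint8_t *v) {
    if (c->left == 0) return -1;               /* never read past the sample buffer */
    *v = *c->p++; c->left--; return 0;
}

/* RFC 6716 3.2.1: 0..251 is the length itself; 252..255 needs a second byte: len = b2*4 + b1 */
static int read_frame_len(cursor *c, uint16_t *out) {
    uint8_t b1, b2;
    if (take_u8(c, &b1)) return -1;
    if (b1 < 252) { *out = b1; return 0; }
    if (take_u8(c, &b2)) return -1;            /* the escape byte promises a second byte: demand it */
    *out = (uint16_t)(b2 * 4 + b1); return 0;
}

static int set_len(opus_pkt_hdr *h, unsigned i, size_t v) {   /* index and value both bounded */
    if (i >= OPUS_MAX_FRAMES || v > OPUS_MAX_FRAME_BYTES) return -1;
    h->frame_len[i] = (uint16_t)v; return 0;
}

/* Returns 0 and fills *h for a well-formed packet, -1 for anything truncated or inconsistent. */
static int opus_parse_packet_header(const uint8_t *buf, size_t len, opus_pkt_hdr *h) {
    cursor c = { buf, buf ? len : 0 };
    uint8_t toc, fc, pb;
    unsigned i;
    memset(h, 0, sizeof *h);
    if (take_u8(&c, &toc)) return -1;          /* empty sample: no TOC byte at all */
    h->config = toc >> 3; h->stereo = (toc >> 2) & 1; h->code = toc & 3;
    switch (h->code) {
    case 0:                                    /* one frame spanning the rest of the packet */
        h->nb_frames = 1;
        if (set_len(h, 0, c.left)) return -1;
        break;
    case 1:                                    /* two equal frames: remainder must be even */
        h->nb_frames = 2;
        if (c.left % 2 || set_len(h, 0, c.left / 2) || set_len(h, 1, c.left / 2)) return -1;
        break;
    case 2: {                                  /* two frames, first length explicit */
        uint16_t l0;
        h->nb_frames = 2;
        if (read_frame_len(&c, &l0) || l0 > c.left) return -1;
        if (set_len(h, 0, l0) || set_len(h, 1, c.left - l0)) return -1;
        break;
    }
    default: {                                 /* code 3: frame count, padding, per-frame lengths */
        int vbr, has_pad;
        size_t payload, sum = 0;
        if (take_u8(&c, &fc)) return -1;       /* a 1-byte "code 3" packet is rejected here */
        vbr = fc >> 7; has_pad = (fc >> 6) & 1; h->nb_frames = fc & 0x3f;
        if (h->nb_frames < 1 || h->nb_frames > OPUS_MAX_FRAMES) return -1;
        if (has_pad) do {                      /* 255 means "254 more, and keep reading" */
            if (take_u8(&c, &pb)) return -1;
            h->padding += (pb == 255) ? 254 : pb;
        } while (pb == 255);
        if (vbr) for (i = 0; i + 1 < h->nb_frames; i++) {   /* all but the last frame carry a length */
            uint16_t l;
            if (read_frame_len(&c, &l) || set_len(h, i, l)) return -1;
            sum += l;
        }
        if (c.left < h->padding) return -1;    /* padding cannot exceed what is left */
        payload = c.left - h->padding;
        if (vbr) {
            if (sum > payload || set_len(h, h->nb_frames - 1, payload - sum)) return -1;
        } else {
            if (payload % h->nb_frames) return -1;           /* CBR: remainder must split evenly */
            for (i = 0; i < h->nb_frames; i++)
                if (set_len(h, i, payload / h->nb_frames)) return -1;
        }
    }
    }
    h->header_size = len - c.left;
    return 0;
}

/* Thin wrappers so results can be checked without reaching into the struct. */
static int opus_frame_count(const uint8_t *buf, size_t len) {
    opus_pkt_hdr h;
    return opus_parse_packet_header(buf, len, &h) ? -1 : h.nb_frames;
}
static int opus_frame_length(const uint8_t *buf, size_t len, unsigned i) {
    opus_pkt_hdr h;
    if (opus_parse_packet_header(buf, len, &h) || i >= h.nb_frames) return -1;
    return h.frame_len[i];
}
```

The property a practitioner wants from a parser like this is that every byte the header needs is proven present before it is read, which `take_u8()` enforces in exactly one place, and that the frame-count byte is range-checked before it is ever used as an array index, which is what keeps the `frame_len[]` writes inside the object. The wrappers exist only so a caller or test can look at the frame count and lengths; with the constructed bytes `03 83 FF` (code 3, three VBR frames, a length byte that requires a successor) the parser returns -1 instead of reading a fourth byte.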

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55647 - Integer Overflow in GPAC MP4Box PSSH Handling

Processing a crafted MP4 file with malformed Protection System Specific Header (PSSH) data can trigger an integer overflow and uncontrolled allocation in `mp4_mux_cenc_insert_pssh()`, causing Denial of Service through memory exhaustion.

Summary:
The `mp4_mux_cenc_insert_pssh()` function in `filters/mux_isom.c` does not sufficiently validate PSSH sizes before allocating memory. A crafted MP4 file can set PSSH-related fields such as `kid_count` or `dataSize` to very large values. This can overflow the buffer size calculation and cause MP4Box to attempt a very large allocation during DASH/mux processing.

AddressSanitizer reports an out-of-memory condition at `filters/mux_isom.c:4326`, where `realloc()` attempts to allocate `0xe40000100` bytes.

CWE:
CWE-190 - Integer Overflow or Wraparound

Affected Component:
```
filters/mux_isom.c:4326
Function: mp4_mux_cenc_insert_pssh()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
e95f3064d846e4606276fff111e0f97df1576a04
```
Builds before the fix commit `2a1f638534cddf511a7ba06618bff9d587141792` should be considered affected if they contain the vulnerable PSSH allocation path.

Attack Conditions:
An attacker supplies a crafted MP4 file containing malformed PSSH/CENC metadata. The issue can be reproduced locally with:
```
./MP4Box -dash 10000 ./15_poc.mp4
```
No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated media workflow invokes MP4Box on attacker-controlled input.

Impact:
The immediate observed impact is Denial of Service due to memory exhaustion and process termination. Because the root cause is an integer overflow in allocation-size calculation, memory corruption and potential arbitrary code execution cannot be ruled out.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
2a1f638534cddf511a7ba06618bff9d587141792
```

References:
- Issue: github.com/gpac/gpac/issues/32
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/2a
- Related fix/reference: github.com/gpac/gpac/commit/31

Credit:
@sigdevel (Alexander A. Shvedov)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55644 - Use-After-Free in GPAC MP4Box

Processing a crafted MP4 file with invalid BIFS GlobalQuantizer commands causes gf_node_get_tag() to access a freed 192-byte QuantizationParameter node at scenegraph/base_scenegraph.c:1263, resulting in a heap use-after-free and crash.

Summary:
During MPEG-4 BIFS scene decoding, BM_ParseGlobalQuantizer() in bifs/memory_decoder.c first calls gf_node_unregister() at line 176 to release a QuantizationParameter node, freeing the 192-byte heap region. Without clearing the stale pointer, the function then calls gf_node_get_tag() on the same address at line 181, performing a READ of 8 bytes at offset 0 into the freed region. A crafted MP4 containing invalid GlobalQuantizer BIFS commands, corrupted ODF descriptors, and malformed box types (PEC1808, fre) reliably triggers this free-then-use sequence through the -svg dump path.

CWE:
CWE-416 - Use After Free

Affected Component:
```
scenegraph/base_scenegraph.c:1263
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box 2.4 and earlier; tested at commit f5b7cdc63a7f3269040778c5431a8f6c310bc9f3

Attack Conditions:
An attacker supplies a locally accessible crafted MP4 file embedding invalid BIFS scene data. The victim runs MP4Box -svg on the file to trigger BIFS scene parsing. No elevated privileges are required.

Impact:
The use-after-free causes a fatal crash (Denial of Service). Use-after-free vulnerabilities can allow attackers to control freed heap memory contents and potentially redirect execution flow; code execution cannot be excluded.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
63eccc33d4a2b731ebb31581ff5673a2c0b13ad4
```
Users should update to a GPAC build containing this commit or later.

References:
- Issue: github.com/gpac/gpac/issues/32
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/63

Credit:
@sigdevel (Alexander A. Shvedov)

sigdevel
@sigdevel@infosec.exchange

Security Advisory: CVE-2025-55645 - Heap Buffer Overflow in GPAC MP4Box PSSH Copy

Processing a crafted MP4 file with malformed PSSH data can trigger a heap buffer overflow in `gf_cenc_set_pssh()`, causing a crash and potential memory disclosure or memory corruption impact.

Summary:
The `gf_cenc_set_pssh()` function in `isomedia/drm_sample.c` does not sufficiently validate the size of PSSH data before copying it into a heap buffer. A crafted MP4 file can declare an oversized PSSH payload, causing MP4Box to copy a very large amount of data from a 512-byte heap allocation during DASH/CENC processing.

CWE:
CWE-120 - Buffer Copy without Checking Size of Input

Affected Component:
```
isomedia/drm_sample.c:982
Function: gf_cenc_set_pssh()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The local MITRE workbook also lists `2.5-DEV-rev228-g11067ea92-master` as affected. The issue was reproduced on a GPAC build at commit:

```
e95f3064d846e4606276fff111e0f97df1576a04
```

Builds before the fix commit `df0c81722847238659a6beb0feab2c1ecd05c020` should be considered affected if they contain the vulnerable PSSH copy path.

Attack Conditions:
An attacker supplies a crafted MP4 file containing malformed PSSH/CENC metadata with an oversized declared payload. The issue can be reproduced locally with:

```
./MP4Box -dash 10000 ./16_poc.mp4
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated media workflow invokes MP4Box on attacker-controlled input.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the bug performs an oversized heap read during `memcpy()`, information disclosure may be possible. Memory corruption and potential arbitrary code execution cannot be ruled out.

Fix / mitigation status:
The issue was fixed in GPAC commit:

```
df0c81722847238659a6beb0feab2c1ecd05c020
```

Users should update to a GPAC build containing this commit or later. The affected code should validate PSSH payload sizes and destination buffer capacity before copying PSSH data.

References:
- Issue: github.com/gpac/gpac/issues/32
- PoC: github.com/sigdevel/pocs/blob/
- Fix: github.com/gpac/gpac/commit/df

Credit:
@sigdevel (Alexander A. Shvedov)
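
CVE-2025-55647 and CVE-2025-55645 above are two halves of one mistake in the PSSH path: the box size is computed from attacker-declared `kid_count` and `dataSize` values whose arithmetic can wrap, so the allocation is wrong, and the declared payload length then drives a `memcpy()` out of a buffer that does not actually hold that many bytes. The code below is an added example written for this page, not GPAC's `mp4_mux_cenc_insert_pssh()` or `gf_cenc_set_pssh()`; the `pssh_src` struct, the `PSSH_MAX_BOX` cap and the two demo inputs are assumptions of the example. It serializes a `pssh` box in the ISO/IEC 23001-7 layout (box header, version and flags, 16-byte SystemID, KID list for version 1, then DataSize and Data) using overflow-checked size arithmetic, and it checks every declared count against the bytes that are really present before anything is allocated or copied. A naive 32-bit size computation is kept alongside so the wrap is visible: with `kid_count = 0x10000000` the product `16 * kid_count` is exactly 2^32 and vanishes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PSSH_MAX_BOX (16u * 1024u * 1024u)   /* assumed policy cap for one pssh box; not a spec value */

typedef struct {                      /* example-local view of one pssh source, not a GPAC type */
    uint8_t        version;
    uint8_t        system_id[16];
    uint32_t       kid_count;         /* declared by the input */
    const uint8_t *kids;              /* KID list, 16 bytes each, version > 0 only */
    size_t         kids_avail;        /* bytes really present behind kids */
    uint32_t       data_size;         /* declared by the input */
    const uint8_t *data;
    size_t         data_avail;        /* bytes really present behind data */
} pssh_src;

/* The shape of the bug: a 32-bit size computation in which 16 * kid_count wraps silently. */
static uint32_t pssh_box_size_naive32(uint8_t version, uint32_t kid_count, uint32_t data_size) {
    uint32_t sz = 8 + 4 + 16 + 4;                 /* box header, version/flags, SystemID, DataSize field */
    if (version > 0) sz += 4 + 16 * kid_count;    /* KID_count field + KIDs: wraps for kid_count >= 2^28 */
    return sz + data_size;
}

/* Checked computation: each step is overflow-tested (GCC/Clang builtins) and the total must fit
 * the 32-bit box size field. Returns 0 and sets *out, or -1. */
static int pssh_box_size(uint8_t version, uint32_t kid_count, uint32_t data_size, size_t *out) {
    size_t sz = 8 + 4 + 16 + 4, kids;
    if (version > 0) {
        if (__builtin_mul_overflow((size_t)kid_count, (size_t)16, &kids)) return -1;
        if (__builtin_add_overflow(sz, (size_t)4, &sz) || __builtin_add_overflow(sz, kids, &sz)) return -1;
    }
    if (__builtin_add_overflow(sz, (size_t)data_size, &sz) || sz > UINT32_MAX) return -1;
    *out = sz;
    return 0;
}

static size_t pssh_box_size_or_zero(uint8_t version, uint32_t kid_count, uint32_t data_size) {
    size_t sz;
    return pssh_box_size(version, kid_count, data_size, &sz) ? 0 : sz;
}

static void put_u32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Serialize one pssh box. Declared counts are checked against the bytes that actually exist
 * before anything is allocated or copied; NULL on any inconsistency. Caller frees the result. */
static uint8_t *pssh_serialize(const pssh_src *s, size_t *out_len) {
    uint64_t kids_bytes = (uint64_t)s->kid_count * 16;
    size_t sz;
    uint8_t *box, *p;
    if (s->version > 0 && (!s->kids || kids_bytes > s->kids_avail)) return NULL;
    if (s->data_size > s->data_avail || (s->data_size && !s->data)) return NULL;  /* oversized-payload case */
    if (pssh_box_size(s->version, s->kid_count, s->data_size, &sz) || sz > PSSH_MAX_BOX) return NULL;
    if (!(box = p = malloc(sz))) return NULL;
    put_u32be(p, (uint32_t)sz);                  p += 4;
    memcpy(p, "pssh", 4);                        p += 4;
    put_u32be(p, (uint32_t)s->version << 24);    p += 4;     /* flags are zero */
    memcpy(p, s->system_id, 16);                 p += 16;
    if (s->version > 0) {
        put_u32be(p, s->kid_count);              p += 4;
        memcpy(p, s->kids, (size_t)kids_bytes);  p += kids_bytes;
    }
    put_u32be(p, s->data_size);                  p += 4;
    if (s->data_size) memcpy(p, s->data, s->data_size);   /* bounded by data_avail, checked above */
    *out_len = sz;
    return box;
}

/* Constructed input (not the advisory's PoC file): a source holding 512 bytes that declares a
 * 1024-byte payload must be refused instead of read past. Returns 1 when refused. */
static int pssh_demo_rejects_oversized(void) {
    static const uint8_t buf[512];
    pssh_src s = { .version = 0, .data_size = 1024, .data = buf, .data_avail = sizeof buf };
    size_t len;
    return pssh_serialize(&s, &len) == NULL;
}

/* Constructed input: a consistent version-1 box with one KID and three payload bytes.
 * Returns its size (55) after spot-checking the layout, or -1. */
static long pssh_demo_valid_box(void) {
    static const uint8_t kid[16] = { 1 }, payload[3] = { 0xAA, 0xBB, 0xCC };
    pssh_src s = { .version = 1, .kid_count = 1, .kids = kid, .kids_avail = sizeof kid,
                   .data_size = 3, .data = payload, .data_avail = sizeof payload };
    size_t len;
    uint8_t *box = pssh_serialize(&s, &len);
    long ok = box && len == 55 && box[3] == 55 && !memcmp(box + 4, "pssh", 4)
              && box[8] == 1 && box[31] == 1 && box[32] == 1 && box[51] == 3 && box[54] == 0xCC;
    free(box);
    return ok ? (long)len : -1;
}
```

The order of checks is the point: declared sizes are compared with what the source really contains, the total is computed without wrapping and capped, and only then is memory allocated and copied, so an input that lies about `kid_count` or `dataSize` fails cleanly before `malloc()` or `memcpy()` can act on the lie. `__builtin_mul_overflow` and `__builtin_add_overflow` are GCC and Clang builtins; on another compiler replace them with an explicit `kid_count > SIZE_MAX / 16` style test.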

R.L. Dane :Debian: :OpenBSD: :FreeBSD: 🍵 :MiraLovesYou: [he/him/my good fellow]
@rl_dane@polymaths.social

@funkylab

For #FreeBSD (on that same box), I found a shell script that uses sysctl to get the ACPI name for the battery, and runs acpi_call from ports to set the thresholds, which survives a reboot.
On #OpenBSD, I believe you set the thresholds directly through sysctl.
On #Linux, you set it with something like echo 80 > /sys/class/power_supply/BAT0/charge_stop_threshold

                            [?]sigdevel » 🌐
                            @sigdevel@infosec.exchange

                            Security Advisory: CVE-2025-55643 - NULL Pointer Dereference in GPAC MP4Box TrackWriter Handling

                            Processing a crafted MP4 file during DASH segmentation can trigger a NULL pointer dereference in MP4Box TrackWriter handling, causing a Denial of Service.

                            Summary:
                            The DASH fragmentation path in `filters/mux_isom.c` does not sufficiently validate a `TrackWriter` pointer before accessing its members. A crafted MP4 file with malformed metadata boxes can cause the PID-to-track setup to fail, leaving the `TrackWriter` pointer NULL. The muxer then performs member access through the NULL pointer.

                            CWE:
                            CWE-476 - NULL Pointer Dereference

                            Affected Component:
                            ```
                            filters/mux_isom.c:6621
                            Function/path: TrackWriter handling during fragmented MP4 muxing
                            ```

                            Affected Product:
                            MP4Box (GPAC Multimedia Open Source Project)

                            Affected Version:
                            MP4Box versions 2.4 and earlier are affected according to the prepared CVE data. The issue was reproduced on a GPAC build at commit:
                            ```
                            74fecde32cd477ab097f3e6db55a32b259f3313d
                            ```
                            Builds before the fix commit `ad3b541b4f38c8f0ef67544509598f8207ea1207` should be considered affected if they contain the vulnerable TrackWriter handling path.

                            Attack Conditions:
                            An attacker supplies a crafted MP4 file containing malformed metadata boxes, including malformed `mvcC` / `stsz` data. The issue can be reproduced locally with:
                            ```
                            ./MP4Box -dash 10000 ./17_poc.mp4
                            ```
                            No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated media workflow invokes MP4Box on attacker-controlled input.

                            Impact:
                            The immediate observed impact is Denial of Service due to process termination. No evidence of arbitrary code execution was observed.

                            Fix / mitigation status:
                            The issue was fixed in GPAC commit:
                            ```
                            ad3b541b4f38c8f0ef67544509598f8207ea1207
                            ```
                            Users should update to a GPAC build containing this commit or later. The affected muxing path should validate `TrackWriter` before member access and fail cleanly when track initialization fails.

                            References:
                            - Issue: github.com/gpac/gpac/issues/32
                            - PoC: github.com/sigdevel/pocs/blob/
                            - Fix: github.com/gpac/gpac/commit/ad

                            Credit:
                            @sigdevel (Alexander A. Shvedov)

                              [?]sigdevel » 🌐
                              @sigdevel@infosec.exchange

                              Security Advisory: CVE-2025-55642 - Divide by Zero in GPAC MP4Box AVI Demuxer

                              Processing a crafted AVI-like media file with `MP4Box` can trigger a division by zero in `avidmx_process()`, causing a floating-point exception and Denial of Service.

                              Summary:
                              The `avidmx_process()` function in `filters/dmx_avi.c` does not sufficiently validate frame-count metadata before using it as a divisor during bitrate computation. When MP4Box processes a specially crafted input with invalid AVI frame metadata, such as a `0/256` frame declaration, the DASH processing path attempts to compute bitrate from the bitstream and divides by zero.
                              AddressSanitizer reports an `FPE` at `filters/dmx_avi.c:639`.

                              CWE:
                              CWE-369 - Divide by Zero

                              Affected Component:
                              ```
                              filters/dmx_avi.c:639
                              Function: avidmx_process()
                              ```

                              Affected Product:
                              MP4Box (GPAC Multimedia Open Source Project)

                              Affected Version:
                              GPAC MP4Box v2.4 is affected according to the CVE request data. The issue was reproduced on a GPAC build at commit:
                              ```
                              f87b30611380e4dcd03cd4dd9ac553c0ec336826
                              ```

                              Builds before the fix commit `cea49f684dbc4d53ecd6c76a9623838802a68d88` should be considered affected if they contain the vulnerable AVI demuxer bitrate computation path.

                              Attack Conditions:
                              An attacker supplies a crafted AVI-like media file with invalid frame metadata. The issue is triggered while processing the file through MP4Box DASH segmentation, for example with a `-dash` command using `14_poc.mp4`.
                              No elevated privileges are required. User interaction is required when the victim manually processes the malicious media file, or an automated workflow invokes MP4Box on attacker-controlled input.

                              Impact:
                              The immediate observed impact is Denial of Service due to an uncaught floating-point exception and process termination. No evidence of arbitrary code execution was observed.

                              Fix / mitigation status:
                              The issue was fixed in GPAC commit:
                              ```
                              cea49f684dbc4d53ecd6c76a9623838802a68d88
                              ```
                              Users should update to a GPAC build containing this commit or later. The affected code should validate `num_frames` and related AVI metadata before using frame counts in bitrate calculations.

                              References:
                              - Issue: github.com/gpac/gpac/issues/31
                              - PoC: github.com/sigdevel/pocs/blob/
                              - Fix: github.com/gpac/gpac/commit/ce

                              Credit:
                              @sigdevel (Alexander A. Shvedov)
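The guard the advisory recommends for the AVI demuxer, rejecting frame-count and frame-rate metadata that would put a zero into a divisor before the bitrate is computed, as an added example for this page and not GPAC's code. The `avi_stream_info` struct and the rate/scale pairing are a hypothetical simplification modelled on AVI stream headers; the sample values are constructed, including a `0/256` rate/scale pair like the one the advisory describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical AVI-style stream metadata (not GPAC's structures). */
typedef struct {
    uint32_t rate;        /* frames per `scale` seconds, e.g. 30 */
    uint32_t scale;       /* time base for rate, e.g. 1 */
    uint32_t num_frames;  /* declared frame count */
    uint64_t total_bytes; /* total payload bytes in the stream */
} avi_stream_info;

/* Computes the average bitrate in bits per second.
 * Returns 0 and stores the result on success; returns -1 when the metadata
 * would cause a division by zero or an overflow, so the caller can reject
 * the input cleanly instead of dying with an uncaught floating-point
 * exception (SIGFPE). */
int avi_bitrate_bps(const avi_stream_info *s, uint64_t *out_bps) {
    if (s == NULL || out_bps == NULL) return -1;
    *out_bps = 0;
    /* Every value that ends up as a divisor is checked before any division. */
    if (s->rate == 0 || s->scale == 0 || s->num_frames == 0) return -1;
    /* duration (s) = num_frames * scale / rate, so
     * bps = (total_bytes * 8) / duration = total_bytes * 8 * rate / (num_frames * scale).
     * Both 32-bit operands are widened, so this product cannot overflow. */
    uint64_t ticks = (uint64_t)s->num_frames * s->scale;
    if (s->total_bytes > UINT64_MAX / 8) return -1;           /* bits overflow */
    uint64_t bits = s->total_bytes * 8;
    if (bits != 0 && s->rate > UINT64_MAX / bits) return -1; /* product overflow */
    *out_bps = (bits * s->rate) / ticks;
    return 0;
}

/* Constructed inputs: a sane stream, and two malformed headers. */
static const avi_stream_info SANE_STREAM = {30, 1, 300, 1250000};  /* 10 s, 1 Mbit/s */
static const avi_stream_info ZERO_RATE   = {0, 256, 10, 1000};     /* 0/256 rate/scale */
static const avi_stream_info ZERO_FRAMES = {30, 1, 0, 1000};       /* no frames declared */

/* Returns 1 if the sane stream yields 1000000 bps and both malformed headers
 * are rejected, 0 otherwise. */
int demo_avi_checks(void) {
    uint64_t bps = 0;
    int sane_ok = avi_bitrate_bps(&SANE_STREAM, &bps) == 0 && bps == 1000000;
    int rate_ok = avi_bitrate_bps(&ZERO_RATE, &bps) == -1;
    int frm_ok  = avi_bitrate_bps(&ZERO_FRAMES, &bps) == -1;
    return sane_ok && rate_ok && frm_ok;
}

int main(void) {
    printf("avi bitrate checks: %s\n", demo_avi_checks() ? "pass" : "fail");
    return 0;
}
```

Integer division by zero is undefined behaviour in C and on x86 Linux raises SIGFPE, which is exactly the crash signature the advisory reports, so the check has to happen before the expression is evaluated rather than in an error handler afterwards.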

                                [?]sigdevel » 🌐
                                @sigdevel@infosec.exchange

                                Security Advisory: CVE-2025-55641 - NULL Pointer Dereference in GPAC MP4Box Sample Info Copy

                                Processing a crafted MP4 file with corrupted Sample Auxiliary Information metadata can trigger a NULL pointer dereference in `gf_isom_copy_sample_info()`, causing a Denial of Service and potential memory corruption impact.

                                Summary:
                                The `gf_isom_copy_sample_info()` function in `isomedia/isom_write.c` does not sufficiently validate pointers after handling invalid Sample Auxiliary Information (SAI) metadata. A crafted MP4 file can provide corrupted SAI values, such as an invalid `sai_samples` count, causing memory allocation or merge handling to fail. The import path later attempts to copy sample information from a NULL pointer.

                                AddressSanitizer reports a `SEGV` caused by a `READ` memory access at address `0x000000000000`, with the crash occurring at `isomedia/isom_write.c:8164`.

                                CWE:
                                CWE-476 - NULL Pointer Dereference

                                Affected Component:
                                ```
                                isomedia/isom_write.c:8164
                                Function: gf_isom_copy_sample_info()
                                ```

                                Affected Product:
                                MP4Box (GPAC Multimedia Open Source Project)

                                Affected Version:
                                MP4Box versions 2.4 and earlier are affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
                                ```
                                f87b30611380e4dcd03cd4dd9ac553c0ec336826
                                ```

                                Attack Conditions:
                                An attacker supplies a crafted MP4 file containing corrupted SAI metadata. The issue can be reproduced locally with:
                                ```
                                ./MP4Box -add 13_poc.mp4 -new /dev/null -split-size 500
                                ```
                                No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated media workflow invokes MP4Box on attacker-controlled input.

                                Impact:
                                The immediate observed impact is Denial of Service due to process termination. The local CVE/MITRE data also marks potential code execution impact; the observed ASAN trace is a NULL pointer read.

                                Fix / mitigation status:
                                The issue was fixed in GPAC commit:
                                ```
                                e38d24b7e3cbdc24e70f0437bf390ac3f2080b52
                                ```
                                Users should update to a GPAC build containing this commit or later. The affected code should validate SAI metadata, allocation results, and sample-info pointers before copying sample information.

                                References:
                                - Issue: github.com/gpac/gpac/issues/31
                                - PoC: github.com/sigdevel/pocs/blob/
                                - Fix: github.com/gpac/gpac/commit/e3

                                Credit:
                                @sigdevel (Alexander A. Shvedov)

                                  [?]Linux Easy » 🌐
                                  @linuxeasy@mastodon.uno

                                  Mozilla Firefox 152 brings new features for productivity, customization and web compatibility. Discover everything that is new in the web's most famous open source browser.

                                  linuxeasy.org/mozilla-firefox-

                                    Amélie boosted

                                    [?]The Unknown Universe » 🌐
                                    @unknownuniverse@unkn.uk

                                    🚨 Atomic Arch: AUR Malware Audit Tool

                                    The recent "Atomic Arch" campaign compromised over 1,500 AUR packages. If you synced using yay or paru between June 10 and 12, you might have pulled a Trojan targeting your SSH keys and API tokens.

                                    I’ve built a privacy-focused audit tool to help you check your system.

                                    ✅ Privacy First: All processing happens locally in your browser.
                                    ✅ Live Data: Fetches the threat list directly from Arch security servers.
                                    ✅ No Trackers: Just the tool and the data you need.

                                    Audit your system here:
                                    https://the.unknown-universe.co.uk/privacy-security/atomic-arch-audit-tool/

                                    Stay paranoid.

                                    #ArchLinux #AUR #Linux #CyberSecurity #AtomicArch #FOSS #Privacy #InfoSec

                                      [?]PieR F. » 🌐
                                      @GazouilleurFou@diaspodon.fr

                                      Which program, under , do I use to verify the of a large (3 GB) download?
                                      I did this a few years ago and I remember it as being very complicated.
                                      Thanks in advance.

                                        [?]9to5Linux » 🌐
                                        @9to5linux@floss.social

                                        152 Is Now Available for Download with Experimental JPEG XL Support and Revamped Settings, Here’s What’s New 9to5linux.com/mozilla-firefox-

                                        A screenshot of Firefox 152 showing the main window while browsing the 9to5linux.com website and the About Mozilla Firefox dialog.

                                          Raimo boosted

                                          [?]Diego Córdoba 🇦🇷 » 🌐
                                          @d1cor@mstdn.io

                                          "Linux terminal for beginners"

                                          linux terminal for beginners, a cat image with some refs: head, tail and cat.

                                            [?]Hyde 📷 🖋 :debian: » 🌐
                                            @hyde@lazybear.social

                                            So far for June's carnival, I got only ... @rl_dane 😔

                                            Any user that would like to write about it?

                                              [?]Adam » 🌐
                                              @adamsdesk@fosstodon.org

                                              5 Easy Steps To Crop An Image in Inkscape

                                              Step-by-step instructions on how to use Inkscape to crop an image whether you are a beginner or advanced user.

                                              adamsdesk.com/posts/inkscape-c

                                              An elegant serif title of 'Inkscape Crop Images' stands next to an Inkscape logo shape cropped out of a blue coloured mountain landscape.

                                                [?]David Zaslavsky » 🌐
                                                @diazona@techhub.social

                                                Sure everyone knows you can compile a .c file into a .so library

                                                TIL you can compile a .so library back into a .c file

                                                🤯

                                                Two gcc commands, one compiling autofile/_move.c into autofile/_move.so, immediately followed by one compiling autofile/_move.so into autofile/_move.c. The second command is shown to complete successfully (with code 0).

                                                  #netbsd boosted

                                                  [?]vermaden » 🌐
                                                  @vermaden@mastodon.social

                                                  Latest Valuable News - 2026/06/15 available.

                                                  vermaden.wordpress.com/2026/06

                                                  Past releases: vermaden.wordpress.com/news/

                                                    [?]vermaden » 🌐
                                                    @vermaden@mastodon.bsd.cafe

                                                    Latest Valuable News - 2026/06/15 available.

                                                    vermaden.wordpress.com/2026/06

                                                    Past releases: vermaden.wordpress.com/news/

                                                      [?]amen zwa, esq. » 🌐
                                                      @AmenZwa@mathstodon.xyz

                                                      The period between the 1960s and 1990s was the Cambrian Explosion of architecture and .

                                                      A single manufacturer, DEC, alone, had RSTS, TOPS-10, TOPS-20, RSX-11, VMS, Ultrix, OSF/1, and several other OSs I no longer recall. And DEC had a slew of different CPU architectures, and they each ran many other OSs made by various software companies. Also, there were loads of other hardware makers, large and small, each with a flock of different CPUs and a gaggle of different OSs.

                                                      In those days, we bitterly protested against this excess of “diversity”, on the grounds of software incompatibility, development impedance, and investment cost.

                                                      Finally, we now have that much-vaunted “uniformity” we always desired: Slackware Linux, Debian Linux, Fedora Linux, SUSE Linux, Gentoo Linux, Ubuntu Linux, Arch Linux, NixOS Linux, SELinux, …, @$&*, and they all run on the .

                                                      😞 😖

                                                        agc boosted

                                                        [?]Liam @ GamingOnLinux 🐧🎮 » 🌐
                                                        @gamingonlinux@mastodon.social

                                                        [?]philip » 🌐
                                                        @philip@social.wittamore.fr

                                                        / acpi_ibm vs. thinkpad_acpi

                                                        Yep well, it's as I thought. Checking the source code I found that acpi_ibm only accepts a small subset of thinkpad events, and MICMUTE isn't one of them, contrary to Linux's thinkpad_acpi which accepts a far larger set (All?) including MICMUTE.

                                                        FYI, acpi_ibm accepts just these keyboard events:

                                                        LCD_BACKLIGHT
                                                        SUSPEND_TO_RAM
                                                        BLUETOOTH
                                                        SCREEN_EXPAND
                                                        SUSPEND_TO_DISK
                                                        BRIGHTNESS_UP
                                                        BRIGHTNESS_DOWN
                                                        THINKLIGHT
                                                        ZOOM
                                                        VOLUME_UP
                                                        VOLUME_DOWN
                                                        MUTE
                                                        ACCESS_IBM_BUTTON

                                                          agc boosted

                                                          [?]Terefang74 » 🌐
                                                          @terefang74@mastodon.social

                                                          Just finished a PoC of whether I could bootstrap pkgsrc on my self-assembled minimal docker container.

                                                          Ingredients: skarnet-musl-toolchain, busybox-static, toybox-static, gawk, gsed, gtar, gmake, libz, libexpat, libxcrypt, libbsd, libmd, musl-{bsdcompat,fts,obstack,rpmatch}, and finally pkgsrc from netbsd.

                                                          After a few ins and outs, and learning the ropes, bootstrapping worked flawlessly.

                                                          Shout out to the developers for their good work!

                                                            [?]Michael Simons » 🌐
                                                            @rotnroll666@mastodon.social

                                                            Got my hands on an old Mac Mini 6,1 from 2012. First time ever attempted to install on hardware… Vanilla , everything, including wifi when selecting proprietary firmware… just being so much faster than the latest MacOS update that machine received. Blown away.

                                                              benz boosted

                                                              [?]Christian Kruse » 🌐
                                                              @cjk@chaos.social

                                                              🚀 0.7.0 is out!

                                                              - Visual commit graph with color-coded per-branch colors
                                                              - Greatly overhauled layout
                                                              - Rename detection in diffs
                                                              - Drop multiple commits at once
                                                              - Show word-based diffs more often
                                                              - Toggle recursing into untracked directories
                                                              - Shortcut (Ctrl+D) to switch between staged & unstaged

                                                              Plus many performance improvements & lots of fixes.

                                                              Flathub: flathub.org/apps/de.wwwtech.gi
                                                              macOS: gitlab.com/dehesselle/gitte_ma
                                                              Repo: codeberg.org/ckruse/Gitte

                                                              Git GUI in a three-pane layout showing a visual commit graph with branches and tags, a selected release commit, and a detailed diff view of the file changes introduced by that commit

                                                              Git GUI showing a repository changes view with modified and new files, branch and tag navigation, and a side-by-side diff editor highlighting staged changes in a Markdown documentation file

                                                                [?]nixCraft 🐧 » 🌐
                                                                @nixCraft@mastodon.social

                                                                Idle power usage of my desktop on linux is significantly lower than on windows

                                                                reddit.com/r/linux/comments/1u

                                                                Is anyone surprised by this?

                                                                  [?]Graham Perrin » 🌐
                                                                  @grahamperrin@mastodon.bsd.cafe

                                                                  RE: floss.social/@VolkerKrause/116

                                                                  "… Regardless of how this will eventually materialize, the direction is clear, Android isn’t going to be a viable long-term platform for FOSS software, not even in its Google-free form. I have mostly considered it a stop-gap solution until Linux on the phone is ready anyway, so this is another reason to increase the effort into that direction."

                                                                  volkerkrause.eu/2026/06/13/kde

                                                                  cc @lproven

                                                                    [?]Pier-Luc Brault [He/Him] » 🌐
                                                                    @plbrault@fosstodon.org

                                                                    I distro-hopped to openSUSE Tumbleweed and I'm liking it so far.

                                                                      [?]jbz » 🌐
                                                                      @jbz@indieweb.social

                                                                      [?]TuxJam Podcast » 🌐
                                                                      @tuxjam@podcasts.social

                                                                      TuxJam 130 – Office Therapy is out. @mralc, @mcnalu, @thelovebug and @kevie take a look at the Collabora Office Suite and RawTherapee. They also talk about their recent trip to in Manchester. Along with the usual mix of tuxjam.otherside.network/tuxja

                                                                        [?]Arch Linux :archlinux: » 🌐
                                                                        @archlinux@fosstodon.org

                                                                        #netbsd boosted

                                                                        [?]Dæmon S. » 🌐
                                                                        @dsilverz@catodon.rocks

                                                                        Is it a good thing or a bad thing that I have done neither pacman -Syu nor yay -Syu on my Arch (btw) setup since... checks notes... 2021? (Yes, it's this out of date; actually, I did update specific packages such as librewolf using makepkg -si twice this year, but I didn't update anything else, let alone the repositories).

                                                                        Thinking on the bright side, I wasn't affected by the xz thing, for example.

                                                                        When... If... I get a new machine, and/or a new spinning HDD for my laptop, I'll likely ditch Linux altogether and go with illumos, OpenIndiana, or whatever niche OS is esoteric and unknown enough not to be a target of AI-assisted exploits (even BSD-based OSes don't seem like an alternative, as I recall seeing something linking some SomethingsomethingBSD to newly-discovered exploits; luckily, illumos is overly obscure).

                                                                        Or, to quote the meme, "I'm going to build my own, with..."

                                                                        Screenshot of a very recent (today's) Discourse thread "400+ AUR packages compromised with infostealer and rootkit".

                                                                          [?]Lioh » 🌐
                                                                          @Lioh@social.anoxinon.de

                                                                          I was able to make my Pixel 3a Linux Phone with postmarketOS GNOME look like my first iPhone.

                                                                          I managed to make my Linux phone with postmarketOS GNOME look like my very first iPhone.

                                                                          Thanks to the help of @krafting who is making all this possible!

                                                                          My Pixel 3a running postmarketOS 26.04 with GNOME and using the iGTK theme, which makes it look like an old iPhone.

                                                                            [?]saiki 🚒💨:manjaro: :debian: » 🌐
                                                                            @saiki@social.tchncs.de

                                                                            Use Arch, they said! It'll be great, they said! 🙄

                                                                            Damn npm. Whoever invented it should be condemned to supply chain and dependency hell forever anyway.

                                                                            @sodiboo gaysex.cloud/notes/andaxow7itf

                                                                              [?]Root Moose » 🌐
                                                                              @RootMoose@mastodon.bsd.cafe

                                                                              Anyone know why using sftp with Dolphin in Plasma is so slow in Alpine Linux?

                                                                              Using Debian, doing the same thing is like greased lightning.

                                                                              It's not the network: ssh/scp/rsync/sftp on the command line works wicked fast between hosts with Alpine.

                                                                              Something about Alpine and Plasma, it seems. This has been an ongoing thing.

                                                                              Anyone know a workaround, beside using a different protocol I mean? This should "just work" like on other distros.

                                                                                [?]R.L. Dane :Debian: :OpenBSD: :FreeBSD: 🍵 :MiraLovesYou: [he/him/my good fellow] » 🌐
                                                                                @rl_dane@polymaths.social

                                                                                We need a #slop-free #Linux #distro.

                                                                                We really do.

                                                                                  [?]GNOME » 🌐
                                                                                  @gnome@floss.social

                                                                                  We're happy to announce we have our first fellows — Sophie Herold and Peter Eisenmann!

                                                                                  Thank you to all the donors who helped make this happen 🩷 It wouldn't be possible without your financial contributions.

                                                                                  Read the announcement here👉 blogs.gnome.org/foundation/202

                                                                                  The GNOME Fellowship illustration - a drawing of a purple and white hand shaking together, behind a light blue background with some triangles

Mark Stosberg » 🌐
@markstos@urbanists.social

CLI tools can be faster for commonly-used commands.

My favorite dotfile manager to sync personal config files between machines is YADM... because there's so little to learn. It's basically `git` for dotfiles, where the files are edited in place. There's no extra symlinking or deploy step, just yadm commit/push/pull. Easy!

For edge cases of different settings on different machines, it supports templates and alternates.

yadm.io/

dch :flantifa: :flan_hacker: boosted

jowodo » 🌐
@jowodo@mas.to

GeoSphere Austria (Vienna) is looking for head of SysAdmin (Win+Linux), head of IT Security, head of HPC, Linux SysAdmin and Full Stack Dev (Flask, FastAPI and PHP)

geosphere.at/de/ueber-uns/karr

nixCraft 🐧 » 🌐
@nixCraft@mastodon.social

An unsupervised agentic AI system working through a compromised dev's credentials (account) successfully altered bugs & pushed unverified code into multiple open source projects, including the Fedora Anaconda installer. This rogue AI agent appears to have taken over a trusted open source contributor account to submit bugs with a backdoor & overwhelm maintainers, increasing the risk of deliberate supply chain compromises on FLOSS.

AI agent runs amok in Fedora & elsewhere lwn.net/SubscriberLink/1077035

Image: Source: https://lwn.net/SubscriberLink/1077035/c7e7c14fbd60fae9/

Title: AI agent runs amok in Fedora and elsewhere [LWN subscriber-only content]

Author and Date of publishing: Joe Brockmeier | June 10, 2026

Description:
Agentic AI systems can be used to do a variety of things autonomously on behalf of a human user: open or manage bugs, generate code, submit pull-requests, and (apparently) even complain about rejection. In May, a Fedora developer discovered that an allegedly rogue agent had been pestering the project in a number of ways: reassigning bugs, fabricating unhelpful replies to bugs, and even persuading maintainers to merge questionable code into the Anaconda installer. It also submitted a number of pull requests (PRs), some accepted, to several upstream projects. The Fedora account associated with the agent has had its group privileges revoked and the messes have been mopped up, but the motive behind the agent's actions is still a mystery.

Go here https://lwn.net/SubscriberLink/1077035/c7e7c14fbd60fae9/  to read full story.


Vijay Prema » 🌐
@vjprema@fosstodon.org

It's a bit scary talking to some people these days, whose first (and sometimes only) significant computing experience is a smartphone or closed-ecosystem PC, and not a general purpose PC.

Real Stockholm syndrome stuff: "I'm so impressed by Apple, my 2019 MacBook still gets updates! Most Android phones only get 3-4 years."

Well, a general purpose PC gets practically unlimited updates if you install the right thing on it.

SeaFury 🦜🍃 » 🌐
@SeaFury@aus.social

I might have brain space to install Linux on that spare laptop 🥰 What's your favourite? I am going to use it to play movies and music on my TV - so not for work.

Adam » 🌐
@adamsdesk@fosstodon.org

Change Default Linux/Unix Image Viewer Application

Use this complete guide to change the default image viewer application for a graphical desktop environment on a GNU/Linux or Unix operating system.

adamsdesk.com/posts/change-def

Image: Rays of light scatter down and outward through the blue and purplish water in the background. The foreground is made up of a group of three polaroids spread out like playing cards, each with their own image viewer logo in the centre, along with a strong title of 'Set Your Default Linux/Unix Image Viewer'.