akabulous

No risk of "starting a war," as I quite frankly don't give a damn about your opinion. The mitigations the devs have posted are easy to apply, so this is solved as far as I'm concerned. You must be really fun at parties, bedna

Really disappointing that both responses to the original post (although the first was at least polite) are basically "f*ck you, pay me" 🙄 I've already mitigated this on my own devices, my concern is for other users of this distribution. And yeah, LPE isn't RCE, but it still deserves an advisory. Consider how easy it would be for an attacker to embed this exploit in a malicious file download + god knows what kind of payload and turn your computer into a zombie in a botnet, a cryptominer, hit you with ransomware, etc. When mentioning a real security issue gets a response this crappy, it doesn't bode well for the future of the project. Igor was at least professional. But go ahead, Bedna, tell me more about why the homepage being updated to include an advisory costs money that I should be sending instead of making bug reports 🙄 pathetic

I understand that you're overworked and underpaid. This is free software, so I won't demand more labor from any of you. That said, I think it would build trust to at least have a little temporary pop-up (not the right word but I dont know what it's called) on the homepage that says something like "Current kernels may be vulnerable to this bug, we're working to resolve this, here are some relevant links" and then post the kernel dot org patch for this bug and point people to the Armbian build system. Surely the amount of effort it would take to do that is equal to or even less than it took to give me such a thorough response (which I appreciate btw).

Steps to repeat the bug: 1) use the cross platform PoC written in C, the Python one that everyone is sharing contains obfuscated code (bad ju-ju) and is x86_64 specific `git clone https://github.com/tgies/copy-fail-c` `cd copy-fail-c` 2) compile either on your target device natively, or do what I did and cross-compile it as a static binary using an aarch64-linux-musl toolchain (this made it easy to test on different SBCs) `PREFIX="/opt/toolchains/aarch64-linux-musl-cross" CC=aarch64-linux-musl-gcc LD=aarch64-linux-musl-ld CFLAGS="-static -fPIC -I/opt/toolchains/aarch64-linux-musl-cross/include -L/opt/toolchains/aarch64-linux-musl-cross/lib" LDFLAGS="-static -fPIE -L/opt/toolchains/aarch64-linux-musl-cross/lib" make -j$(nproc --all)` 3) pass the resulting binaries "payload" and "exploit" to your target device (if you cross compiled) 4) from an unprivileged user account not in the sudo group, run the exploit I'm not here to point fingers but I would like to see AT LEAST an advisory of this potentially devastating bug with a public exploit available on the Armbian homepage, radio silence for over a week seems completely inappropriate to me

I recently bought the exact same board, down to the date printed on the front. I'm including a photo I took of the back before soldering a UART module, a step I only took because so far nothing has worked. You're the only person on any forum with the same device who had success in getting this device to come alive.