Dendrobatus Azureus

This is where the depth of the deception became clear

>>

The review of this component was also what led us to the discovery of the deepin-feature-enable whitelisting bypass, since we installed the full Deepin desktop environment for the first time in a long time, which triggered the “license agreement” dialog described above. After finding out about this, we decided that it was time to reassess the overall topic of Deepin in openSUSE based on our long-standing experiences.

<<

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet

May 09, 2025, 19:22
Dendrobatus Azureus

This part I screen capped for accentuation

>>

2024-08-29: deepin-api-proxy: D-Bus Service

After a longer time of standstill regarding Deepin reviews, a request for the addition of deepin-api-proxy arrived. This package greeted us with over two dozen D-Bus configuration files. Again, upstream’s description of what the component is supposed to do was very terse. From looking at the implementation we deduced that the proxy component seems to be related to the renaming of interfaces described in the previous section.

We found a design flaw in the proxy’s design which allowed a local root exploit. You can find the details in a dedicated blog post we published about this not too long ago.

It is noteworthy that the communication with upstream proved very difficult during the coordinated disclosure process we started for this finding. We did not get timely responses, which nearly led us to a one-sided publication of the report, until upstream finally expressed their wish to follow coordinated disclosure at the very last moment.

<<

I now have really seen it all: The Good, the Bad and the Ugly in Open Source programming.

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet

May 09, 2025, 19:17
Dendrobatus Azureus

More excerpts

>>

Sadly the review of deepin-app-services was another chaotic case, one that is actually still unfinished. Even understanding the purpose of this D-Bus service was difficult, because there wasn’t really any design documentation or purpose description of the component. From looking at the D-Bus service implementation, we judged that it is a kind of system wide configuration store for Deepin. Contrary to most other Deepin D-Bus services, this one is not running as root but as a dedicated unprivileged service user.

<<

This reads like a horror novel but it's actually happening! Unbelievable how this has harmed a distro with many dedicated users!

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #wtf #frightmare #Infosec #nightmare #elmStreet

Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation

At the beginning of this year we noticed that the Deepin…

SUSE Security Team Blog
May 09, 2025, 19:04
Dendrobatus Azureus

The Deepin frightmare

Excerpt from linked site
>>
After reviewing the main D-Bus service, we could not help ourselves but call it a security nightmare. The service methods were not only unauthenticated and thus accessible to all users in the system, but the D-Bus configuration file also allowed anybody to own the D-Bus service path on the system bus, which could lead to impersonation of the daemon. Among other issues, the D-Bus service allowed anybody in the system to create arbitrary new UNIX groups, add arbitrary users to arbitrary groups, set arbitrary users’ Samba passwords or overwrite almost any file on the system by invoking mkfs on them as root, leading to data loss and denial-of-service. The daemon did contain some Polkit authentication code, but it was all found in unused code paths; to top it all off, this code used the deprecated UnixProcess Polkit subject in an unsafe way, which would make it vulnerable to race conditions allowing authentication bypass, if it had been used.
<<

¿WTF?

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet

May 09, 2025, 19:01
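The D-Bus configuration weakness quoted above (any user allowed to own the service name on the system bus) can be checked mechanically. This is an added example, not code from the openSUSE post or from Deepin; the service name org.example.Daemon and both policy files are constructed.

```python
# Added example, not from the openSUSE post or Deepin: audit a D-Bus system-bus
# policy file for the flaw quoted above, an "own" rule granted in the default
# context, which lets any local user claim the name and impersonate the daemon.
import xml.etree.ElementTree as ET

# Constructed weak sample (DOCTYPE omitted): default context may own the name.
WEAK_CONF = """<busconfig>
  <policy context="default">
    <allow own="org.example.Daemon"/>
    <allow send_destination="org.example.Daemon"/>
  </policy>
</busconfig>"""

# Constructed hardened form: only root may own the name; callers may still send.
HARDENED_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Daemon"/>
  </policy>
</busconfig>"""

OWN_ATTRS = ("own", "own_prefix")  # both attributes grant name ownership


def audit_busconfig(xml_text):
    """Return (scope, name) for every <allow own=...> or <allow own_prefix=...>
    rule that sits outside a policy restricted by user= or group=."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        if "user" in policy.attrib or "group" in policy.attrib:
            continue  # ownership restricted to an account: acceptable
        scope = policy.get("context", "unscoped")
        for rule in policy.findall("allow"):
            for attr in OWN_ATTRS:
                name = rule.get(attr)
                if name is not None:
                    findings.append((scope, name))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_busconfig(conf))
```

Run it over the files in /usr/share/dbus-1/system.d to list every system-bus name an unprivileged user could claim; a later `<deny own>` rule in the same file would need separate handling.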
TempusFugIt (DotCalm)

#sycamoregap

The evil men who cut down the #sycamoretree wanted to be famous?

Are you effing KIDDING me?!

Idiots. May their names be forgotten long before they turn to dust then.

Prison will be good too.

#WTF #trees #tree

Joaquim Homrighausen

Why do f-ing websites keep having a f-ing choice about f-ing NECESSARY COOKIES ONLY while they're clearly not f-ing sufficient to prevent f-ing questions about f-ing cookies the next f-ing time I visit the f-ing site?! 🧐 😑 💩

Can these f-ing "developers" get their f-ing sh-t together ...

#privacy #cookies #tantrum #necessarycookiesonly #wtf #tgif #devops #development #webdev

ZZ Bottom

#News #Pope #WTF
No matter what; he can even be Che Guevara or some true progressive, the message that #Rapist47 will send is
I DID IT

Ю ⁂

I may have found a way to convert clothing into weed killer.

#capitalism #industry #fail #wtf #lol

Kettwachsler

This morning the thing simply decided that #WLAN didn't need to work anymore.

Restarting didn't help.

But you had to click the “Fix problem” link in the WLAN settings window, and after 2 min it worked again.

🤮

#wtf #windows

May 08, 2025, 07:17
रञ्जित (Ranjit Mathew)

For some reason, #MoveInSync needs to store 2+ GB of “documents & data” on my #iPhone. 😠

#WTF? WHY?

#India #Bangalore #iOS

रञ्जित (Ranjit Mathew)

Saw someone wearing a #MoveInSync t-shirt in #NammaMetro yesterday and was *so tempted* to accost them to give in-person feedback on this garbage of an app. 😤

(Bug-reports via the app, email-feedback, etc. seemingly go to /dev/null. 😒)

#WTF #India #Bangalore

रञ्जित (Ranjit Mathew)

The #MoveInSync app crashes so often on #iOS that it’s barely usable. 😡

It’s not just me — multiple folks in my company & elsewhere have been complaining about this — see the App Store reviews.

Don’t even get me started on its scheduling & pick-up idiocies. 😠

#WTF

Falk S. 🇨🇦🐕🔋 #ElbowsUp!

A data processor hands over its #TOM (technical and organisational measures) for review. I need to breathe for a moment first, otherwise I'll get very blunt. They actually mean this seriously. #WTF

A small practical tip: ask yourself whether you would entrust your own highly sensitive data (Art. 9 and 10!) to someone who treats security with such blatant indifference. Hardly, right? #Datenschutz #Privacy #Sicherheit