Today I have spent way too much time handling the https://copy.fail situation #copyfail
-
@alexanderkjall I agree and to be clear I have very low respect for that security outfit (and most others as well). Disclosure: I work in industrial cybersec.
However, arguably monitoring the kernel security is the most important thing. If you have a security team in your distro crew and they're not taking a keen interest in kernel security, what are they really doing?
That being said a simple email to the 15 or so distros that matter would not have been too big an ask.
@penguin42 -
@alexanderkjall @penguin42 fwiw I agree with gkh:
https://social.kernel.org/objects/e5b49e64-befb-43a8-aab3-33c7f3705a99@fedops @alexanderkjall Oh, that says no one contacted the security team - which contradicts what it said in the blog of the guys who found it.
-
@fedops @alexanderkjall Oh, that says no one contacted the security team - which contradicts what it said in the blog of the guys who found it.
@penguin42 well he says "they told us", which means the kernel team.
@alexanderkjall -
@penguin42 well he says "they told us", which means the kernel team.
@alexanderkjall@fedops @alexanderkjall Oh OK, I see, yeh they told them about the bug, but didn't tell them about the announcement. Yeh, that sucks.
-
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall "The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it."
Sorry, but it is not the persons responsibility to look out whom to contact.
As per the linked page, he reported to Linux kernel security team on May 23nd.In my opinion it is responsibility of distributions to be in the loop of kernel security team.
-
@alexanderkjall "The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it."
Sorry, but it is not the persons responsibility to look out whom to contact.
As per the linked page, he reported to Linux kernel security team on May 23nd.In my opinion it is responsibility of distributions to be in the loop of kernel security team.
@asltf Since the kernel have the policy "every bug gets a CVE" ( https://docs.kernel.org/process/cve.html ), that seems like a full time job for multiple people.
They published 200 CVE's since 2026-04-24: https://lore.kernel.org/linux-cve-announce/topics_new.html
I guess the security team of your favorite linux distribution would appreciate some support.
-
That's not what the disclosure timeline claims:
2026-03-23 Reported to Linux kernel security team
2026-03-24 Initial acknowledgment
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainline
2026-04-22 CVE-2026-31431 assigned
2026-04-29 Public disclosure (https://copy.fail/)Is this timeline in error?
@simonzerafa @alexanderkjall Disclosure to Linux, but not to the distros.
-
That's not what the disclosure timeline claims:
2026-03-23 Reported to Linux kernel security team
2026-03-24 Initial acknowledgment
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainline
2026-04-22 CVE-2026-31431 assigned
2026-04-29 Public disclosure (https://copy.fail/)Is this timeline in error?
@simonzerafa @alexanderkjall How do distros know that there is a vulnerability in the wild? -
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall they also had time to obfuscate their exploit. -
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall let's say how it is Greg didn't put it into backports and no one could be arsed to look at it by themselfes as it is, in deed, work.
Maybe get mad at Herbert (who commited the kernel fix patch) for not telling the distribution security list?
Anyways, the result is a massive PR event for Xinit/theori and a bad day for Distro security teams and IT Security people all over the world (oh well at least most of you should be geting payed a nice premium for working at May 1st).
I guess learning from it would be better then finger pointing but who am I to tell you all how to do your jobs?
I'm retired. My local machines with public services sit fully proxied behind a BSD machine. The only person with shell access (from my LAN only) is me.
If the Hyperscaler guys don't pay people to monitor CVEs and do their own classification well
️
️ -
@alexanderkjall they also had time to obfuscate their exploit.@fun @alexanderkjall It's minified rather than obfuscated, I think they did that just so they could say it was only 732 bytes.
It's also likely that they just asked an LLM to minify it, given that the whole article was so obviously AI-generated and not even proofread (it originally claimed to have been tested on RHEL 14.3, which does not exist) -
That's not what the disclosure timeline claims:
2026-03-23 Reported to Linux kernel security team
2026-03-24 Initial acknowledgment
2026-03-25 Patches proposed and reviewed
2026-04-01 Patch committed to mainline
2026-04-22 CVE-2026-31431 assigned
2026-04-29 Public disclosure (https://copy.fail/)Is this timeline in error?
@simonzerafa @alexanderkjall the Linux kernel security team did not tell distros -
@fun @alexanderkjall It's minified rather than obfuscated, I think they did that just so they could say it was only 732 bytes.
It's also likely that they just asked an LLM to minify it, given that the whole article was so obviously AI-generated and not even proofread (it originally claimed to have been tested on RHEL 14.3, which does not exist)@noisytoot @alexanderkjall it's also obfuscated IMO. Why need to zlib.decompress ? Can't you give us the data itself without compression?
A bunch of variables also have quite meaningless names. It really does scream a lot like obfuscation. -
@alexanderkjall I read that they had waited a month with distributing the PoC and that major distributions were prepared.
@LabanSkoller @alexanderkjall they waited a month after reporting to the Linux kernel security team, they did not report to distros
Debian at least was quite clearly unprepared given that it took a day to get fixed in trixie and only just got fixed in bookworm (between when I last checked earlier today and now) -
@noisytoot @alexanderkjall it's also obfuscated IMO. Why need to zlib.decompress ? Can't you give us the data itself without compression?
A bunch of variables also have quite meaningless names. It really does scream a lot like obfuscation.@fun @alexanderkjall both of those are for minification: if it used descriptive variable names and didn't compress the payload it would have been longer than 732 bytes -
@fun @alexanderkjall both of those are for minification: if it used descriptive variable names and didn't compress the payload it would have been longer than 732 bytes@noisytoot @alexanderkjall it's just not serious
-
@noisytoot @alexanderkjall it's just not serious@noisytoot @alexanderkjall it's not like you'll be running the exploit on some microcontroller with 16K of SRAM
-
@noisytoot @alexanderkjall it's not like you'll be running the exploit on some microcontroller with 16K of SRAM
@fun @noisytoot @alexanderkjall the reason is marketing, not technical
"we are so good because we need very few bytes to achieve this massive thing"
-
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall@mastodon.social They even have time to obfuscate and minimize that exploit code, which makes it very hard to understand.
As if "732 bytes" means anything.
Surely the best way to create a proof-of-concept exploit to share their understanding with the world? /s -
Today I have spent way too much time handling the https://copy.fail situation #copyfail
The persons who discovered it didn't notify the distribution security list, so no patched kernels was available for people to install when they released it.
But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches.
I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@alexanderkjall I mean... it is normal that, as a security researcher, when you find a security bug, you contact the upstream vendor, and can expect that to result in the issue being handled appropriately (for example, because the project notifies their downstreams about the issue, or because downstreams generally pick up all patches fast, or because propagation of fixes is ensured through a mechanism like CVEs).
To my knowledge, there is no such mechanism between Linux and most distros, unless the distro just always ships the latest stable kernel; I think that is a process issue, not the security researcher's fault.
When I report Linux kernel security bugs, I, too, just send the bug report to security@kernel.org and the maintainers, not to the third-party linux-distros list.
