101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl czyli najstarszy polski serwer Mastodon. Posiadamy wpisy do 2048 znaków.

Server stats:

519
active users

#deepin

0 posts0 participants0 posts today
Continued thread

This is where the depth of the deception became clear

>>

The review of this component was also what led us to the discovery of the deepin-feature-enable whitelisting bypass, since we installed the full Deepin desktop environment for the first time in a long time, which triggered the “license agreement” dialog described above. After finding out about this, we decided that it was time to reassess the overall topic of Deepin in openSUSE based on our long-standing experiences.

<<

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet

Continued thread

This part I screen capped for accentuation

>>

2024-08-29: deepin-api-proxy: D-Bus Service

After a longer time of standstill regarding Deepin reviews, a request for the addition of deepin-api-proxy arrived. This package greeted us with over two dozen D-Bus configuration files. Again, upstream’s description of what the component is supposed to do was very terse. From looking at the implementation we deduced that the proxy component seems to be related to the renaming of interfaces described in the previous section.

We found a design flaw in the proxy’s design which allowed a local root exploit. You can find the details in a dedicated blog post we published about this not too long ago.

It is noteworthy that the communication with upstream proved very difficult during the coordinated disclosure process we started for this finding. We did not get timely responses, which nearly led us to a one-sided publication of the report, until upstream finally expressed their wish to follow coordinated disclosure at the very last moment.

<<

I now have really seen it all The Good the Bad and the Ugly in Open Source programming

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet

Continued thread

More excerpts

>>

Sadly the review of deepin-app-services was another chaotic case, one that is actually still unfinished. Even understanding the purpose of this D-Bus service was difficult, because there wasn’t really any design documentation or purpose description of the component. From looking at the D-Bus service implementation, we judged that it is a kind of system wide configuration store for Deepin. Contrary to most other Deepin D-Bus services, this one is not running as root but as a dedicated unprivileged service user.

<<

This reads like a horror novel but it's actually happening! Unbelievable how this has harmed a distro with many dedicated users!

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #wtf #frightmare #Infosec #nightmare #elmStreet

SUSE Security Team Blog · Removal of Deepin Desktop from openSUSE due to Packaging Policy ViolationAt the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.

The Deepin frightmare

Excerpt from linked site
>>
After reviewing the main D-Bus service, we could not help ourselves but call it a security nightmare. The service methods were not only unauthenticated and thus accessible to all users in the system, but the D-Bus configuration file also allowed anybody to own the D-Bus service path on the system bus, which could lead to impersonation of the daemon. Among other issues, the D-Bus service allowed anybody in the system to create arbitrary new UNIX groups, add arbitrary users to arbitrary groups, set arbitrary users’ Samba passwords or overwrite almost any file on the system by invoking mkfs on them as root, leading to data loss and denial-of-service. The daemon did contain some Polkit authentication code, but it was all found in unused code paths; to top it all off, this code used the deprecated UnixProcess Polkit subject in an unsafe way, which would make it vulnerable to race conditions allowing authentication bypass, if it had been used.
<<

¿WTF?

security.opensuse.org/2025/05/

#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet

openSUSE 宣布移除 Deepin DE,原因包括打包者试图绕过 openSUSE 的安全查核等。

- DDE 是由深度科技开发的桌面环境。
- 作为一个功能丰富的桌面环境,DDE 有大量的软件包需要查核。由于发现的大量安全问题及 openSUSE 在一段团队重组时期的工作积压,查核自 2017 年起一直未能完成。
- 2025 年一月的一次检查中,openSUSE 发现 2021 年引入的
deepin-feature-enable 软件包有蹊跷。软件包内的脚本向用户解释 DDE 和 openSUSE 团队在安全方面存在分歧,并允许用户手动选择启用未被 openSUSE 安全团队查核通过的功能。openSUSE 本以为大量查核的结束表明 DDE 的各组件已被查核通过,但实际上核心组件从未经过查核,而是通过此软件包在用户的系统上被启用。
- openSUSE 团队认为 Deepin 此行为由于有向用户开诚布公因此并非恶意,但 DDE 开发团队对安全性的意识不足,且软件包违反了 openSUSE 打包政策,因此决定从 Leap 16.0 起的版本及 Tumbleweed 滚动发行版中移除 DDE 软件包。
- 虽然 openSUSE 已不建议用户使用 Deepin DE,但想要继续使用 DDE 的用户可以参考文章中的方法手工添加 Deepin 软件包源。

security.opensuse.org/~

#openSUSE #Deepin

Telegram 原文

SUSE Security Team Blog · Removal of Deepin Desktop from openSUSE due to Packaging Policy ViolationAt the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.