I noticed a report “Local Privilege Escalation Vulnerability in libblockdev Affects Red Hat”.
It is mentioned in this random video:
As I am a concerned Linux user, I am wondering how this might affect Manjaro. Does anyone know if this is relevant to Manaro, and if it is, when it will be fixed?
Thank you in advance.
Describe.
Don’t expect anyone to watch a video to figure out what you mean.
Well given I suck at explaining things and this guy (who specialises in security) does it so well I figured it better to just leave it to the vid. Nevertheless I’ll give you the best run down I can manage, something about the XFS mounting process that removes the nosuid and something else I forget allows an attacker to use an uploaded (from their computer to yours) image to gain root access. I really suggest you watch the vid for the in depth demenstration of how it’s done along with the specific problems exploited because my explanation is insufficient.
I’m watching the video right now.
My first impression: typical panic mode know it all
The scenario you mention is very unlikely for several reasons - but lets see …
you need at minima
What’s to stop an attacker adding said READENV parameter? And how many people do you know are still using HHDs in this modern age? Maybe for backups but not for main drive.
Edit: Also if it’s not already being done then sensitive files like ~/.pam_environment should really have automatic removal of owner’s write permissions so that they can’t be fiddled with on the sly by apps. Doing so ensures the user has to intentionally allow an app write permission to it but opening it in root mode.
42 seconds in, he says its about OpenSuse (Suse Linux) and it’s implementation of PAM
not promising
But he does mention at the end that it possibly effects any distribution with libblockdev. All I’m asking is to just double check manjaro’s is not effected by that exploit, and if it’s not then that’s great, if it is then it would need to be fixed.
There are two exploits and that’s the second one. The first is limited to openSUSE.
These types of exploits have been known for a few years; generally nasty, if you get bitten.
However, the Support category is not the place for this.
The member’s hub might be more appropriate, when you eventually qualify to use it, though in it’s current state the topic probably wouldn’t last long there, either.
Unfortunately, you are not yet qualified to post in the Member’s Hub, but when you do reach that level, forum restrictions will be reduced, allowing you to post a wider variety of topics.
So, post more, “like” more, generally interact more, and the forum software will automatically promote you to the Member’s Hub in due course. 
In this case, the video is techno-clickbait, as evidenced by the brief description, and a link to “see more”;
Admittedly, it can sometimes take some careful thought when sorting clickbait from genuinely informative presentations; but it’s a skill well worth honing.
We’d ask that in future you refrain from such posts until your explaining things sucks a little less. 
Best regards.
The topic will be Unlisted for the time being, while it’s fate is discussed.
Did you see me asking about the 1st one? No, because I didn’t expect that to be an issue given he directly stated it was specific to opensuse. However if the 2nd does effect manjaro then who’s to say there isn’t some way of reaching that usefulness through another method on manjaro? If the libblockdev bit is already fixed then that other method won’t be as big a deal but if it’s not then it should be the 1st to be addressed.
Well I didn’t know where else to pose the question. Either way I’m only asking if it’s already addressed and there will surely be others who want to ask the same question so the thread should be visible for them to find. That’s part of the reason I explicitly included the libblockdev part in the title along with the source vid. I don’t really care which part of the forum this ends up in so long as I get an answer to my question of is it addressed yet? As in is it addressed via not effected or being fixed or already fixed?
I was just explaining the confusion.
The second exploit requires you have access to the system and permission to mount filesystems, which normally requires root.
But I’m not asking about what it requires, only whether it has been addressed?
Edit: To make it clear, the possible answers I (and likely anyone who finds this thread) expect are “yes”, “no” or “WIP”.
It’s likely that no one here currently knows if it’s been addressed, etc.
What I’m trying to say is that it’s not something you should need to worry about in the first place.
Do you allow random people access to your system?
Can they mount filesystems?
Do you open an ssh port to the internet?
If the answer to all of those, or even the last two, is no then you don’t need to worry.
EDIT:
Now have some patience, and maybe someone will try to find out.
And if he already has root access, he does not need an exploit anymore 
Well I do the ssh part for gitlab I think (unless I misunderstood the push process). But for most of that no, that doesn’t change my desire to know the answer.
Pushing to something like Gitlab or Github doesn’t require you to set up an ssh server on your machine, nor to open it up to the internet. Unless you’re hosting it.
I get that, but:
Good to know. Judging by that “nobody knows” bit earlier I’ll classify it as a WIP for now which is enough to know it’s not being ignored and that I don’t need to keep this thread going. I’ll keep it pinned in case a dev comes back and says it’s been fixed or found to not even effect manjaro’s implementation though.