
Linux Kernel Flaw Lets Unprivileged Users Access Root-Only Files, Execute Arbitrary Commands as Root

Qualys's Threat Research Unit (TRU) has discovered and published a logic flaw in Linux kernel "that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions." Friday their blog pointed out "The bug has resided in mainline Linux since November 2016 (v4.10-rc1)." "Upstream patches and distribution updates are already available." Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay.

During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid. The primitive is reliable and turns any local shell into a path to root or to sensitive credential material [including host private keys under /etc/ssh].

CVE-2026-46333 is local-only, but the impact is severe... Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts.

Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination. A short time later, an independent exploit derived from the public kernel commit appeared....

Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies.

Read more of this story at Slashdot.


Batocera 43 is available for download

Batocera 43 comes with a list of updates and changes too long to ignore; I give it to you as-is at the end of this post. Nearly all of the built-in tools ship in a new version. A huge number of feature additions and bug fixes are also listed. Enough to make some people want to try this great distribution again.

Batocera 43

It has been a while since I last told you about this suite, since my last post dates back to version 29 in… 2020. The overall idea of Batocera 43 is to let you turn a PC, a development board such as a Raspberry Pi or Odroid, a Steam Deck, a console or even an Android TV box into an easy-to-use, complete emulation gaming solution. There are even versions dedicated to old 32-bit PCs and Atom machines if you have an old netbook lying around.

The Batocera 43 system is plug and play and requires no complex tweaking or configuration. It offers many gaming options, optimizes saves and provides exceptional compatibility with a huge number of platforms. It obviously remains completely free and open source.

Batocera 43 is easy to get. If you are running an older version, just launch the update from the system menu. If you want to try the distribution, just follow the instructions provided. The download page will guide you to the version that best matches your hardware.

The list of changes in Batocera 43

Special Notes

    • x86_64 Handhelds with AMD and Intel graphics will be supported on the preferred x86_64-v3 image using Wayland and the LabWC compositor.
Note: Nvidia drivers are currently included in the x86_64-v3 image but considered experimental.
Desktop Nvidia users should continue to use the x86_64 image with Xorg for stability.
    • The ability to use a custom.sh script is deprecated in this version. If you already used such a script, then it will be one-time transformed into a service.
Please use services for future scripts and refer to our [Wikipedia](https://wiki.batocera.org/scripting_services_rules_examples)
    • TheXTech update in v43 needs a minimum of 1.3.7 assets, ensure you update accordingly.
    • Azahar Plus has been replaced with the source project Azahar. 3DS ROMs will need to be decrypted.
    • WINE: Compressed applications (wsquashfs, wtgz) use the same storage paths to store the PREFIX as uncompressed ones do. 
`~/wine-bottles/windows/` turns to `~/wine-bottles/windows//.wine`
We recommend following the procedure described in our wiki to back up Windows savegames.
    • We have moved to the mainline Nintendo controller driver. You may need to reconfigure your Nintendo controller accordingly for wired & Bluetooth.
    • Legacy Nvidia 340.xx & 390.xx drivers have been removed from the image going forward.
These versions continue to have problems with later kernel versions and are no longer sustainable.
Only the legacy 470.xx, 580.xx and current 590.xx drivers will be supported in v43.
    • A few ROM directories have changed names for consistency with themes and the overall rule of naming them after systems,
not emulators. Please now use odyssey2 (o2em), megadrive-msu (msu-md), halflife (xash3d_fwgs), tvgames (plugnplay),
astrocade (astrocde), bbcmicro (bbc), rtcw (iortcw), loopy (casloopy).
    • Dolphin now supports Triforce. The older Dolphin-Triforce emulator has been removed as a result.
Saves should be moved from /userdata/saves/dolphin-triforce/ to /userdata/saves/dolphin/ accordingly.
    • Removed DraStic emulator due to its closed-source nature and because it is no longer compatible with the core OS.
    • SM8250 and SM8550 devices now have one image with device selection in the bootloader
You must upgrade the Android Bootloader (ABL) before migrating to v43
See the wiki for further details: https://wiki.batocera.org/hardware:ayn

Hardware

  • AIC8800 USB driver support for Radxa Boards
  • Anbernic RG28XX, RG34XX, RG35XX, RG40XX, RG CubeXX device variant support
  • AYN Thor initial support
  • FriendlyElec CM3588 NAS support
  • Legion Go S Controller & LED updates
  • New steering wheel support:
    • Logitech Formula Vibration Feedback
    • MOZA R12 V2 (Direct Drive)
  • Odin 2 Mini initial support
  • Powkiddy X55 initial support
  • Radxa Dragon Q6A initial support
  • Radxa Zero 3W initial support
  • Retroid Pocket 6 initial support
  • RTL8832CU and RTL8852CU USB Wi-Fi adapter support (x86_64)

Added

  • EmulationStation:
    • New UI for configuring in-game controller hotkeys (plus batocera-joysticks-hotkeys command)
    • Global hotkeys configuration for any device (unused device buttons, any arcade special buttons or keyboard key), also via batocera-hotkeys command
    • LED colour control for ARM-based handhelds
    • Ability to turn the controller LEDs off
    • Added missing characters on the on-screen AZERTY keyboard
    • New sorting option: hardware type, then release year
    • Control brightness on multiple screens (AYN Thor)
    • Wi-Fi country selector
    • Ability to add a "sort name" that takes precedence over the (scraped) game name in metadata
    • New keyboard layout and keyboard variant options
  • Batocera Control Center (on-screen interface for global configuration and control [hotkey]+[east] by default)
  • Virtual keyboard for Wayland devices with a touchscreen, launched from the Batocera Control Center
  • batocera-xtract for handling archives on systems with PCManFM file manager can use a small GUI and mouse context menus
  • dmd-play-rust is now used by default to play dmd images (performance)
  • Yamagi Quake II added which supports more systems, especially lower-end hardware
  • Light gun support to:
    • new Libretro Dolphin core (multi-light guns)
    • Duckstation (multi-light guns)
    • Play! emulator for Namco 2×6 gun games (single-light gun only)
    • Flycast standalone (multi-light guns)
  • NFC reader support
  • Casio Loopy as a separate system
  • Enterprise 64/128 (via CLK emulator)
  • Xroar emulator as an option for the Color Computer (Tandy TRS-80)
  • PC60 as a separate system
  • Cemu for SM8550 devices
  • PD777 libretro core for the Epoch Cassette Vision
  • Sega Cave CV1000 support (currently x86 systems only)
  • Sega Gaelco support (currently x86 systems only)
  • Sega Hikaru support (currently x86 systems only)
  • Added support for GUO HUA PS3 GamePad in the Bluez package’s Sixaxis plugin (models VOYEE – HY-2208 and MiniThink – CECHZC2U)
  • Experimental Sinden light gun borders for RPCS3 and Wine
  • Steering wheel support for Triforce system
  • Crosshairs for gun games in Lindbergh loader
  • Re-added .3ds extension support for Azahar emulator

Fixed

  • Not being able to exit emulator on first controller disconnection. i.e. Bluetooth disconnects.
  • Odin 2 variants Wi-Fi not working in some regions
  • Wi-Fi country not being applied at boot
  • Light gun overall accuracy (with shaders, sliders, bezels) in MAME standalone
  • Crosshairs for light guns in PCSX2
  • Massive MAME log (switchres verbose disabled by default)
  • PCSX2 light gun mapping (START can now be pressed on the light gun instead of controller)
  • PS4 and PSVita games not appearing in the "last played" auto collection
  • Sinden light gun’s camera freezing after exiting Wine
  • Supermodel: offscreen reload not working on The Lost World: Jurassic Park (lostwsga)
  • MAME: broken light gun input in Jurassic Park (jpark), Operation Wolf 3 (opwolf3) and Police Trainer (policetr)
  • Duplicated buttons with Wiimote in gun/zapper modes
  • MelonDS save and cheat paths
  • Bluetooth Xbox controllers not working on Steam

Changed / Improved

  • Wi-Fi country can now be chosen under the Network Setting option. This improves Wi-Fi connectivity by aligning your device with regional regulations as well as 6GHz band support.
  • Moonlight has transitioned from Moonlight Embedded to Moonlight QT for the majority of boards to allow for more hardware acceleration. Hardware acceleration depends on supported codecs for devices in FFmpeg.
  • You can now choose to create a Win32 WINE bottle only via the option to run 32-bit Windows games.
  • DOSBox Staging’s working directory is now set to the games’ folder, allowing for local and relative (img)mount and conf file references.
  • DOSBox Staging will fall back to a C:\> prompt inside the games’ folder if it’s missing dosbox.cfg/.conf/.bat files.
  • DOSBox Staging now stores DOS filesystem changes in /userdata/saves/dos/ for squashfs ROMs.
  • Systems like WINE and DOSBOX can now be prepared from the PCManFM context menu. Right-click on file items inside supported systems to pre-set them up. This is mostly intended for startup files like dosbox.bat and autorun.cmd and for handling squashed archive files.
  • RPCS3 PS Move (light gun) mapping simplified. D-pad buttons are now PS Move face buttons. Check wiki for more info.
  • RPCS3 with .ISO support
  • GUN4IR and GunCon2 now correctly mapped (start is start; select is select)

Updated

  • Amiberry to 5th of March 2026 build
  • Azahar to 2125.0.1
  • BigPEmu to v121
  • Cemu to 5th of April 2026 build
  • CLK to 2026-01-06
  • Dolphin-Emu to 2603a (Wii RetroAchievements)
  • DXX-Rebirth to May 25, 2025
  • EasyRPG to 0.8.1.1
  • EDuke32 to Oct 10, 2025
  • Flycast to 2.6
  • FS-UAE to v3.2.35
  • Groovy MAME to 0.285
  • Hatari to v2.6.1
  • Hurrican to Jul 26, 2025 build
  • Jazz2 to 3.5.0
  • Libretro Atari800 to 4th of December 2025 build
  • Libretro BlueMSX to 4th of November 2025 build
  • Libretro Bsnes to 19th of December 2025 build
  • Libretro Dolphin to 24th of December 2025 build
  • Libretro Fake-08 to 22nd of January 2026 build
  • Libretro FBNeo to 11th of January 2026 build
  • Libretro Fceumm to 12th of September 2025 build
  • Libretro Flycast to 2.6
  • Libretro Genesis Plus GX to 21st of December 2025 build
  • Libretro Genesis Plus GX-Wide to 21st of October 2024 build
  • Libretro Holani to 0.9.9
  • Libretro MAME2003plus to 16th of January 2026 build
  • Libretro MAME to 0.285
  • Libretro MGBA to 17th of January 2026 build
  • Libretro Mesen to 24th of October 2024 build
  • Libretro Nestopia to 10th of January 2026 build
  • Libretro Opera to 17th of October 2024 build
  • Libretro Picodrive to 3rd of December 2025 build
  • Libretro Play! to 0.73
  • Libretro PS2 to 6th of February 2026 build
  • Libretro PUAE to 2nd of November 2025 build
  • Libretro Snes9x to 8th of September 2025 build
  • Libretro Stella to 28th of December 2025 build
  • Libretro Swanstation to 2nd of August 2025 build
  • Libretro Vecx to 12th of January 2026 build
  • Libretro YabaSanshiro to 20th of December 2025 build
  • Lindbergh Loader to v2.1.4
  • MelonDS to 1.1
  • OpenJK to 10th of October 2025 build
  • OpenJKDF2 to v0.9.8
  • OpenMOHAA to v0.82.1
  • Play! to 0.73
  • PCSX2 to v2.6.3
  • Pygame to 2.6.1
  • RClone to v1.72.1
  • RetroArch to 1.22.2
  • RPCS3 to v0.0.40
  • Ruffle to 31st of January 2026 nightly build
  • ScummVM to v2026.1.0
  • ShadPS4 Plus to SHAD_PS4_PLUS_0_12_0_A
  • Sonic 2013 to 1.3.3
  • Sonic CD to 1.3.3
  • Sonic Mania to v1.1.1
  • Supermodel to 13th of November 2025 build
  • Syncthing to 2.0.15
  • Taradino to 20251222
  • TheXTech to v1.3.7.2-1
  • TheForceEngine to v1.22.420
  • Vice to 3.10
  • VkQuake to 19th of November 2025 build
  • Xash3D FWGS engine to Oct 17 build
  • Xenia-Canary to build f85f4c3
  • Xemu to v0.8.134
  • Ymir to 0.2.1

System

  • Bluez to 5.84
  • DXVK to 2.7.1
  • Flac to 1.5.0
  • Go language compiler to 1.25.5
  • GStreamer codecs to 1.26.6
  • Linux Firmware to 20251125
  • Linux Kernel to 6.18.16
  • LabWC to 0.9.3
  • LLVM Project to 20.1.8
  • Mesa3D to 25.3.6
  • MPV to v0.41.0
  • Nvidia 580.xx legacy drivers to 580.126.09
  • Nvidia production drivers to 590.48.01
  • QT to 6.9.2
  • Raspberry Pi kernel and associated firmware / utils to 6.12.62
  • SDL3 to 3.3.6
  • Sound Open Firmware to 2025.12
  • Sway to 1.11
  • VKD3D Proton to 3.0a
  • Vulkan stack to 1.4.328.1
  • Wayland to 1.24.0
  • Wayland Protocols to 1.45
  • WF-Recorder to v0.6.0
  • Wine Mono to 10.4.0
  • Wine-TKG to 10.20
  • Wine Proton to 10.0-4
  • Wireless Regdb to 2026.02.04
  • WLRoots to 0.19.2
  • Xpad-noone to Oct 30, 2025 build
  • Xone to v0.5.5
  • XWayland to 24.1.9

Batocera 43 is available for download © MiniMachines.net. 2026


Techrights — Over 97% of the 'Linux' Foundation's Budget Goes Not to Linux

The Linux Foundation spends 2% of its budget on Linux. And twice that on blockchain. And 6 times more on AI. Yes, it's absurd.
Why? Oh, that's easy: just look at the members that make it up: https://www.linuxfoundation.org/about/members

The Linux Foundation has become like the W3C: eaten away from the inside by the GAFAMs, and no longer really working for the common good.
(The W3C is supposed to work on web standards for the good of all, but the member list is of the same ilk: https://www.w3.org/membership/list/)

oss-security - Dirty Frag: Universal Linux LPE

Oh well, look, yet another flaw of the same kind as copy.fail: https://github.com/V4bel/dirtyfrag

EDIT: Whoa, damn, it's not over: https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
#OnVaTousMourir

A quick thought:
3 privilege escalation flaws found back to back in Linux.
But keep one thing in mind: the flaws were found ➡️➡️because we have access to the source code⬅️⬅️.
The same kind of flaw probably exists in a similar form (abusing an API/ABI or a system library) in Windows. BUT WE DON'T KNOW. And probably to a much greater extent, given the huge legacy Microsoft drags along (to the point of keeping Windows 95 and MS-DOS compatibility).

WinePortable / GEProtonPortable [Wiki de sebsauvage.net]

HERE WE GO!     WinePortable and GEProtonPortable are available  🎉

They let you play Windows games on Linux without having to bother installing Wine or GE-Proton:
1️⃣ Unpack
2️⃣ Copy your Windows games into it
3️⃣ Run "explorer.sh" and play your games

It is a portable Wine/GEProton packaged with everything needed to run more than 90% of Windows games (dxvk, vkd3d, vcrun2003 to 2026, physx, OpenAL).
If in doubt, GEProtonPortable is generally the best choice, as long as you have a Vulkan-compatible graphics card.

Projets Libres season 4 episode 16: Linux in your smartphone: where do things stand?

We continue the series on smartphones and free software.
After talking about privacy in the previous episode, today: can you run Linux on your phone? 📱📱

In this technical episode, we go into the subject in detail:

  • what technical obstacles have to be overcome (camera, VoLTE, integrity verification, etc.)?
  • which projects are working on the question and how do they collaborate?
  • who funds this work?
  • the problem of one app for every need
  • a comparison of how Linux on mobile has evolved versus Linux on the desktop

To answer these questions, we invited Arnaud Ferraris, founder of the Mobian distribution.


WinePortable [Wiki de sebsauvage.net]

HERE WE GO!     WinePortable is available  🎉
It lets you play Windows games on Linux without having to bother installing Wine.
1️⃣ Unpack WinePortable
2️⃣ Copy your Windows games into it
3️⃣ Run "explorer.sh" and play your games

It is a portable Wine packaged with everything needed to run more than 90% of Windows games (dxvk, vkd3d, vcrun2003 to 2026, physx, OpenAL).

It should run on just about any Linux distribution. Performance bonus in games if you have a 6.14+ kernel and a Vulkan-compatible graphics card.

Edit: I am also preparing a portableGEProton for you that will work even better.

Linux Percentage of Steam Users Doubled in One Year

Steam on Linux use in March "had skyrocketed to 5.33%..." reports Phoronix, "easily the highest level we've seen Steam on Linux at since its inception more than a decade ago." So what happened in April? [April's results] point to Linux having a 4.52% marketshare on Steam, a drop of 0.81% compared to March. Year-over-year it's roughly double with Steam on Linux in April 2025 being at 2.27%. Or two years ago for April 2024, Steam on Linux was at 1.9%.

Read more of this story at Slashdot.


Copy Fail — CVE-2026-31431

Wow, shit... this Linux security flaw is pretty serious.
It's a "privilege escalation": basically, if you have access to a shell on a machine, you can become root. There's just a small Python script to run.

EDIT: Article: https://www.theregister.com/2026/04/30/linux_cryptographic_code_flaw/

EDIT: Protection while waiting for the fix: https://www.bortzmeyer.org/copyfail.html

EDIT: More technical details, in French: https://www.linuxtricks.fr/news/10-logiciels-libres/600-copy-fail-cve-2026-31431-synthese-technique-sur-cette-faille-linux/

Ubuntu Linux Will Begin Landing AI Features Throughout The Next Year - Phoronix

AI... AI everywhere... and soon in Ubuntu! 🤖💩
I think Linux Mint will do what it takes to get rid of this crap (Linux Mint being derived from Ubuntu).

EDIT: Canonical says it will be opt-in only, and easy to uninstall: https://www.gamingonlinux.com/2026/04/canonical-clarify-some-their-ai-for-plans-for-ubuntu-linux-opt-in-and-easy-to-remove/