[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Too many Recommends (in particular on mail-transport-agent)

On Tue, Jun 06, 2017 at 11:29:20PM +0200, Michael Biebl wrote:
> Am 06.06.2017 um 15:55 schrieb Adam Borowski:
> > gvfs: atril easytag thunar
> > * BAD: gvfs is a major annoyance and a security hole
> "Annoys Adam Borowski" is not a very convincing argument.

For the first part, it indeed varies by use case.  I don't recall ever using
an USB or SD attached storage for "data" in an Unix machine, yet I have two
SD readers, four cards and one USB stick on my desk right now despite having
cleaned the desk a few days ago.  It's just always a "disk" for some SoC
or bootable media (d-i, etc).

Some people may disagree.

> As for "security hole", I'm not sure what exactly you have in mind there. 
> I don't see any open CVEs or bugs tagged with security against gvfs.

I found a security hole in the vfat driver as an idiot kid ~20 years ago,
before I even started using Linux myself.  That particular filesystem is
simplicistic enough to _possibly_ be exploitable bug free by now, but as a
btrfs@vger regular, I hear about enough unintentional corruption caused
failures that I see no way the filesystem could be secured against a
malicious image without an extreme effort that would also destroy
performance.  And that's a maintained filesystem.  We do, in our default
kernel, ship drivers for so many obscure filesystems no one has used for
years that I'm 100% certain you can find an arbitrary code execution bug
triggerable by just mounting such an untrusted USB stick.

⢀⣴⠾⠻⢶⣦⠀ A tit a day keeps the vet away.
⢿⡄⠘⠷⠚⠋⠀ (Rejoice as my small-animal-murder-machine got unbroken after
⠈⠳⣄⠀⠀⠀⠀ nearly two years of no catch!)

Reply to: