Re: Too many Recommends (in particular on mail-transport-agent)
On 06/06/2017 11:52 PM, Adam Borowski wrote:
>> As for "security hole", I'm not sure what exactly you have in mind there.
>> I don't see any open CVEs or bugs tagged with security against gvfs.
> I found a security hole in the vfat driver as an idiot kid ~20 years ago,
> before I even started using Linux myself. That particular filesystem is
> simplicistic enough to _possibly_ be exploitable bug free by now, but as a
> btrfs@vger regular, I hear about enough unintentional corruption caused
> failures that I see no way the filesystem could be secured against a
> malicious image without an extreme effort that would also destroy
> performance. And that's a maintained filesystem. We do, in our default
> kernel, ship drivers for so many obscure filesystems no one has used for
> years that I'm 100% certain you can find an arbitrary code execution bug
> triggerable by just mounting such an untrusted USB stick.
On the other hand gvfs is not a kernel driver but a userspace filesystem
and hence has a different threat surface. (Sure, there's still the
possibility of arbitrary code execution from content on a network file
system, but that's then shared with other GNOME applications using it.)