
Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution



Incoming from David Mandelberg:
> s. keeling wrote:
> > Incoming from Moe:
> > 
> >>Martin Schulze wrote:
> >>
> >>>   Part 1       Type: C
> >>>            Encoding: 8bit
> >>
> >>After all these months/years of warnings to NEVER open email 
> >>attachments, why are you sending attachments instead of in-line?
> > 
> > People who don't use stupid Windows email clients have no trouble with
> > attachments at all.  Attachments are a very useful tool; for instance,
> > for code listings, they arrive unmangled by line wrap.
> > 
> > Get a better email client, running on a better OS.
> 
> Do you mean to say that opening "message.txt\t\t\t.desktop" which happens to be
> a "freedesktop.org compliant launcher for the program "rm -rf $HOME" is safe

No, I assume people have half a brain in their heads, look at the
attachment type, maybe save it to a file and inspect it, then maybe
look at it or delete it.  Too much work?  Okay, slap a lot of autoload
crap in your .mailcap and watch your system disappear.  You don't
_have_ to look at an attachment if you don't trust it.  Write the
person who you got it from and tell them to post it on a website
instead.  Then point something sensible like firefox at it.

How often have you seen a "freedesktop.org compliant launcher for the
program "rm -rf $HOME"" anyway?  I never have.  Sounds like a
Microsoft Security Update (aka Swen) to me.  Okay, it could happen.
That's why I take the time to think about what I'm doing.

> I agree that not opening any attachments is counter-productive and shows

Fear of opening attachments is stupid.  It's fear mongering based on
experience with Windows applications' ineptitude.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)               http://www.spots.ab.ca/~keeling 
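
Added example, not part of the original message: a Python sketch of the "look at the attachment type, save it to a file and inspect it" routine described above, applied to the tab-padded `.desktop` name quoted in the thread. The function name, the suffix list and the sample launcher body are assumptions of this example.

```python
import re

# Suffixes a desktop shell may run instead of display (illustrative list).
LAUNCHER_SUFFIXES = (".desktop", ".sh", ".run")

def inspect_attachment(filename, declared_type, payload):
    """Return reasons to distrust an attachment saved to disk; [] if none."""
    findings = []
    # Tabs, other control characters or long space runs push the real
    # suffix out of view in a mail client's attachment list.
    if re.search(r"[\x00-\x1f]| {3,}", filename):
        findings.append("padded or control characters in name")
    if filename.lower().endswith(LAUNCHER_SUFFIXES):
        findings.append("name ends in a launcher suffix")
    # Look at the bytes, not the label: a freedesktop.org launcher is a
    # text file whose first group header is "[Desktop Entry]".
    lines = [ln.strip() for ln in payload.decode("utf-8", "replace").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if lines and lines[0] == "[Desktop Entry]":
        for ln in lines:
            if ln.startswith("Exec="):
                findings.append("launcher runs: " + ln[len("Exec="):])
        if declared_type.startswith("text/"):
            findings.append("declared as " + declared_type + " but is a launcher")
    return findings

# Constructed sample: the file name quoted in the thread, with a harmless
# command in place of the destructive one.
SAMPLE_NAME = "message.txt\t\t\t.desktop"
SAMPLE_BODY = b"[Desktop Entry]\nType=Application\nName=message.txt\nExec=/bin/true\n"

if __name__ == "__main__":
    for finding in inspect_attachment(SAMPLE_NAME, "text/plain", SAMPLE_BODY):
        print(finding)
    # An ordinary code listing, the use case defended in the thread.
    print(inspect_attachment("listing.c", "text/x-csrc", b"int main(void) { return 0; }\n"))
```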