Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)
On Tue, 18 Jan 2005, David Mandelberg wrote:
> Save to your GNOME/KDE desktop (like many newbies do) and double click the new
> icon. .desktop files (currently) don't need the x bit set to work, so no
> chmod'ing is necessary.
that'd be dumb of the user
> This one is pretty harmless (it just echo's rm -rf $HOME and pauses), but if it
> had Terminal=false, had the OOo writer icon, a title of something.sxw and
> actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
> some poor newbie's $HOME.
that'd be even dumber of the user ..
and it is a known problem from 15-20 years ago ..
- don't click or execute commands you do not know
  what it will be doing
- even simple things like ls, tar, cat can be renamed ( cracked )
  to something more painful
- it's not a security issue ... and is unsolvable, not preventable
  if you click on things or execute commands manually
- the super paranoid might be using encrypted fs with
  md5 of their commands before executing "cat foo"
c ya
alvin
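
Added example, not part of the original message or of any desktop environment's code: a small audit that flags the launcher traits described in the quoted text (no x bit needed, a title like something.sxw, Terminal=false, a shell command in Exec). The function name, the extension list and the sample entry with its icon name are assumptions constructed for illustration.

```python
import configparser
import re

DOC_EXTENSIONS = (".sxw", ".odt", ".doc", ".pdf", ".txt")  # assumed list
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample shaped like the entry the thread describes; Exec is harmless.
SAMPLE = """[Desktop Entry]
Type=Application
Name=something.sxw
Icon=ooo_writer
Terminal=false
Exec=sh -c "echo placeholder"
"""


def audit_desktop_entry(text, executable_bit=False):
    """Return a list of findings for the contents of one .desktop file."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # desktop entry keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable: {exc.__class__.__name__}"]
    if not parser.has_section("Desktop Entry"):
        return []
    entry = parser["Desktop Entry"]
    exec_line = entry.get("Exec", "").strip()
    if entry.get("Type", "") != "Application" or not exec_line:
        return []  # link and directory entries run nothing
    findings = []
    if not executable_bit:
        findings.append("launcher runs a command without the x bit set")
    name = entry.get("Name", "")
    if name.lower().endswith(DOC_EXTENSIONS):
        findings.append(f"Name {name!r} looks like a document, not a program")
    # First token of Exec, with quotes and any directory part stripped.
    program = re.split(r"\s+", exec_line)[0].strip('"').rsplit("/", 1)[-1]
    if program in SHELLS and re.search(r"\s-c\b", exec_line):
        findings.append("Exec hands a command string to a shell")
        if entry.get("Terminal", "false").lower() != "true":
            findings.append("shell command runs with no visible terminal")
    return findings


if __name__ == "__main__":
    for finding in audit_desktop_entry(SAMPLE):
        print("WARN:", finding)
```
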