
Re: .desktop arbitrary program execution



Quoting David Mandelberg (mandelbergd@eth0.is-a-geek.org):

> You also asked a question about something I didn't say (I said that
> the person had to open it).

Actually, no, you didn't.  (Presumably you intended to, though.)

Your question spoke of "opening" a particularly-named attachment:  You
left unstated who or what was supposed to be doing the opening.  Since
this was in the context of MUAs, I inferred that you meant the MUA doing
it -- that being a standard application-security problem.

Specifically, you said:

> Do you mean to say that opening "message.txt\t\t\t.desktop" which
> happens to be a freedesktop.org compliant launcher for the program "rm
> -rf $HOME" is safe because it's designed for people running one of the
> F/OSS products GNOME or KDE on a F/OSS OS?

Since (it turns out) you meant people _manually_ shooting themselves in
the foot, that is indeed a different scenario from what I thought you
meant.

So, I'm sorry for inadvertently stepping on your scenario, but it was an
honest and straightforward interpretation of what you said.  


