
Re: .desktop arbitrary program execution



Rick Moen wrote:
> Quoting David Mandelberg (mandelbergd@eth0.is-a-geek.org):
> 
> 
>>You also asked a question about something I didn't say (I said that
>>the person had to open it).
> 
> 
> Actually, no, you didn't.  (Presumably you intended to, though.)
> 
> Your question spoke of "opening" a particularly-named attachment:  You
> left unstated who or what was supposed to be doing the opening.  Since
> this was in the context of MUAs, I inferred that you meant the MUA doing
> it -- that being a standard application-security problem.
> 
> Specifically, you said:
> 
> 
>>Do you mean to say that opening "message.txt\t\t\t.desktop" which
>>happens to be a freedesktop.org compliant launcher for the program "rm
>>-rf $HOME" is safe because it's designed for people running one of the
>>F/OSS products GNOME or KDE on a F/OSS OS?
> 
> 
> Since (it turns out) you meant people _manually_ shooting themselves in
> the foot, that is indeed a different scenario from what I thought you
> meant.
> 
> So, I'm sorry for inadvertently stepping on your scenario, but it was an
> honest and straightforward interpretation of what you said.  
> 
> 
Ok, I guess I should be more clear with my use of language next time, sorry.

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/CM$/CS>$/CC/IT$/M/S/O/U dpu s+:++ !a C++$>C+++$
UB+++>++++$L++++$*-- P+>++$ L+++(++++)$ E-(---) W+++>$ N(+) o? K-
w--(---) O? M V? PS++@ PE-@ Y+@ PGP++(+++)>$ t? 5? X? R tv--(-)
b++(+++)@ DI? D? G e->++++ h* r? z*
------END GEEK CODE BLOCK------

David Mandelberg
mandelbergd@eth0.is-a-geek.org


