Re: Security: Be careful with StarDict!
On 2025-08-07 18:52:47 +0700, Max Nikulin wrote:
> On 06/08/2025 10:18, Vincent Lefevre wrote:
> > On 2025-08-06 09:33:12 +0700, Max Nikulin wrote:
> > > I believe proper tags are neither security+critical nor wishlist, but
> > > something in between.
> >
> > Note that passwords can easily be leaked.
>
> I see, earlier I even mentioned a protocol that allows a clipboard manager to
> ignore text copied by password managers.
X11 selections are different from clipboard.
> However, I am in doubt whether setting an excessively high severity a few days
> before release is the best way to handle the issue. Are you trying to remove
> the stardict packages from trixie completely? I do not think bookworm users
> who have the application installed will like it.
AFAIK, there are tags to ignore the RC severity for the next release.
The vulnerability here is important enough to justify a high severity.
In particular, it should be signaled by apt-listbugs.
> On 06/08/2025 09:49, Vincent Lefevre wrote:
> > In my case, there is a popup, but:
> > * It appears only after something is selected, so this is too late
> > (it does not ask for confirmation before sending data to the
> > remote servers).
> > * It does not say that the selection is sent to remote servers.
>
> In general I agree; on the other hand, I find it unlikely that a user decided
> to select something confidential before discovering the popup. Common sense
> may suggest that an application may store query history, at least locally. I do
> not object that the issue must be fixed, but it can be done routinely.
I doubt that every user has common sense (otherwise phishing would not
exist). Moreover, storing query history is a bit uncommon; for instance,
dict does not, and spelling tools like ispell don't either. And storing
confidential data locally is much less of an issue than sending it to the
network, and such data may already be present unencrypted in the local
file system, so that storage by the application would just duplicate
the same data.
Moreover, initially I had not thought that a query was even done: as
a calendar was displayed (which is really strange for a dictionary
application) and I did not see anything that looked like an answer to
a query, I was just thinking of some UI bug.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)