Re: Security: Be careful with StarDict!
On 2025-08-12 18:58:21 +0700, Max Nikulin wrote:
> On 08/08/2025 20:29, Vincent Lefevre wrote:
> > On 2025-08-07 18:52:47 +0700, Max Nikulin wrote:
> > > On 06/08/2025 10:18, Vincent Lefevre wrote:
> > > >
> > > > Note that passwords can easily be leaked.
> > >
> > > I see, earlier I even mentioned a protocol that allows a clipboard
> > > manager to ignore text copied by password managers.
> >
> > X11 selections are different from clipboard.
>
> I am unsure what you mean. PRIMARY, SECONDARY and CLIPBOARD selections are
> rather similar. The difference in behavior originates from conventions as they
> are implemented in applications. I do not mind that you may acquire much
> more data by scanning the PRIMARY selection than the CLIPBOARD. However, some
> data may be available from CLIPBOARD only.
If I want to copy-paste a password by using the PRIMARY selection,
there is no way to prevent some other application from reading it.
> > AFAIK, there are tags to ignore the RC severity for the next release.
>
> Do you mean trixie-ignore and forky-ignore? Have you tried to
> negotiate with the maintainer and with release manager to add them?
No. The maintainer immediately lowered the bug to wishlist.
> > The vulnerability here is important enough to justify a high severity.
> > In particular, it should be signaled by apt-listbugs.
>
> I find it a valid concern. Unfortunately, it seems that in the default
> configuration, bugs are either not listed, or a severity of serious or above
> causes removal from testing (unless "*-ignore" is added). Have I missed anything?
However, removing a package that has risks for the user is some kind of
feature.
> > Moreover, initially I had not thought that a query was even done: as
> > a calendar was displayed (which is really strange for a dictionary
> > application) and I did not see anything that looked like an answer to
> > a query, I was just thinking of some UI bug.
>
> I agree, it is confusing. From my point of view, a part of the problem is
> that the dictionary has been developed to be convenient in a specific
> scenario. Privacy issues were overlooked. Recently the maintainer received a
> number of complaints with almost no suggestions on how to meet expectations
> related to privacy while keeping convenience.
Even ignoring privacy issues, the default (e.g. getting a calendar
and/or a translation into some language[*]) is probably bad for most
users.
[*] possibly except for a language the application knows that the
user may be interested in, for instance deduced from the locales.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)