[Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers

Subject: [Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers
From: corsac at debian.org (Yves-Alexis Perez)
Date: Sun, 01 Mar 2009 23:35:31 +0100
Message-id: <[🔎] 1235946931.26599.17.camel@hidalgo>
In-reply-to: <[🔎] 20090301124441.39232f75.michael.s.gilbert@gmail.com>
References: <20090225003330.61575858.michael.s.gilbert@gmail.com> <1235544273.30491.28.camel@hidalgo> <20090225020832.c5e68d2e.michael.s.gilbert@gmail.com> <1235549549.17208.4.camel@miria> <[🔎] 20090228223101.80077552.michael.s.gilbert@gmail.com> <[🔎] 1235898987.26599.13.camel@hidalgo> <[🔎] 20090301124441.39232f75.michael.s.gilbert@gmail.com>

On dim, 2009-03-01 at 12:44 -0500, Michael S. Gilbert wrote:
> On Sun, 01 Mar 2009 10:16:27 +0100 wrote:
> 
> > > (although if that's the case, i think that there is a problem
> > > with debian's documentation [1] since it appears to indicate that any
> > > and all security holes are to be reported as grave).
> > 
> > It says ?Most security bugs should also be set at critical or grave
> > severity.?. I guess you missed the ?most??
> 
> yes indeed, i have overlooked that statement.  however, that is to be
> found in the "Tags" and not the "Severity levels" section, so i had
> no reason to look there. 

package: thunar
severity: grave
tags: security

You just discover that ?security? is a tag and not a severity?

>  anyway, "most" means most, and the "non-most"
> category would primarily include no-data-compromise issues such as
> denial-of-services, i believe.

Yes, most means most. Thanks!

> it is in fact trivial to exploit:

I already noticed we disagreed on that.

> attackers have patience and understand the law of large numbers.

Nice quote indeed.
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20090301/15542f26/attachment.pgp

Reply to:

References:
- [Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers
  - From: michael.s.gilbert at gmail.com (Michael Gilbert)
- [Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers
  - From: corsac at debian.org (Yves-Alexis Perez)
- [Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers
  - From: michael.s.gilbert at gmail.com (Michael S. Gilbert)

Prev by Date: [Pkg-xfce-devel] Bug#517548: Bug#517548: orage: Import shouldn't duplicate events with the same UID
Next by Date: [Pkg-xfce-devel] Bug#517548: Bug#517548: orage: Import shouldn't duplicate events with the same UID
Previous by thread: [Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers
Next by thread: [Pkg-xfce-devel] Bug#502925: new fonts are not available until all terminals closed
Index(es):
- Date
- Thread