On Thu, Nov 30, 2006 at 02:15:42PM +0100, Andreas Barth wrote:
> * Thomas Dickey ([EMAIL PROTECTED]) [061130 14:12]:
> > On Thu, Nov 30, 2006 at 01:46:31PM +0100, Guus Sliepen wrote:
> > > I didn't know PERSONAL_MAILCAP was run-time configurable (it looks
> > > like a #define to me). If apt-get source wasn't segfaulting at the moment I'd
> > 
> > It's a #define.  But the change to use the home directory is in the
> > wrong place.  I'd point out that it doesn't solve the problem, and
> > that the program is still subject to the same issue as reported, but
> > that would be redundant.
> 
> So, what do you think would be the appropriate behaviour? I don't mind
> changing the behaviour to something which sounds sensible for you too,
> but - taking the files from the cwd opens up a can of issues.

Yes - I agreed with that, but also pointed out that there wasn't a check
to ensure that the file is not world-writable, etc.  That's something
that the various shell programs do, for example - iirc csh won't use
.cshrc if you don't own it (for at least some systems ;-).

It would be nice to ensure that the global mailcap/mime.types files also
are secure, but that's harder to do (portably) since you can't assume
much about the ownership of the file.  But I did at least ensure that
those are absolute pathnames.

> > I've noticed that my comments to followup on the lynx bug reports are
> > ignored by the package maintainer as well as the security team.
> 
> I'm sorry, but I didn't see any comments from you on this bug report -
> though perhaps I didn't look deep enough.

It was moved from another number, where I pointed out that most of the
given examples were still true for the user's home directory.  However,
my remark about ignored comments applies to the last couple of years.

Anyway, compare with the patch I made a couple of weeks ago.

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

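The ownership and permission check described in the message above (reject a personal mailcap/mime.types file that is not owned by the user or is writable by others, and insist on absolute pathnames so nothing is picked up from the current directory) is shown here as an added example in C. This is illustrative code written for this page, not lynx's own code or Thomas Dickey's patch; the function and enum names are invented, and the policy of also rejecting group-writable files is an assumption that goes a little beyond the "world-writable" case named in the thread.

```c
#define _XOPEN_SOURCE 700   /* POSIX.1-2008 + XSI: fstat, fchmod, mkstemp, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a personal configuration file was rejected (names are hypothetical). */
typedef enum {
    CFG_OK = 0,
    CFG_NOT_ABSOLUTE,    /* relative path: would resolve against the cwd */
    CFG_OPEN_FAILED,     /* missing or unreadable; treat as "no personal file" */
    CFG_NOT_REGULAR,     /* directory, fifo, device, ... */
    CFG_WRONG_OWNER,     /* not owned by the user running the program */
    CFG_GROUP_WRITABLE,  /* another member of the group could edit it (assumed policy) */
    CFG_WORLD_WRITABLE   /* anyone on the system could edit it */
} cfg_status;

/* Policy check on file metadata, kept separate from I/O so it can be
 * exercised with a hand-built struct stat. */
cfg_status check_config_meta(const struct stat *st, uid_t me)
{
    if (!S_ISREG(st->st_mode))
        return CFG_NOT_REGULAR;
    if (st->st_uid != me)
        return CFG_WRONG_OWNER;
    if (st->st_mode & S_IWOTH)
        return CFG_WORLD_WRITABLE;
    if (st->st_mode & S_IWGRP)
        return CFG_GROUP_WRITABLE;
    return CFG_OK;
}

/* Open a personal mailcap/mime.types file for reading, but only if the path
 * is absolute and the file passes check_config_meta().  Metadata is read
 * with fstat() on the already-open descriptor, so the file that is checked
 * is exactly the file that will be parsed (no stat-then-open race).
 * Returns a descriptor the caller must close, or -1 with *why set. */
int open_personal_config(const char *path, cfg_status *why)
{
    struct stat st;
    int fd;

    if (path == NULL || path[0] != '/') {
        *why = CFG_NOT_ABSOLUTE;
        return -1;
    }
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        *why = CFG_OPEN_FAILED;
        return -1;
    }
    if (fstat(fd, &st) < 0) {
        close(fd);
        *why = CFG_OPEN_FAILED;
        return -1;
    }
    *why = check_config_meta(&st, getuid());
    if (*why != CFG_OK) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build "$HOME/<name>" into buf; fails if HOME is unset, relative, or too long,
 * so a bogus HOME can never turn the lookup into a cwd-relative one. */
int home_config_path(const char *name, char *buf, size_t len)
{
    const char *home = getenv("HOME");
    if (home == NULL || home[0] != '/')
        return -1;
    if (snprintf(buf, len, "%s/%s", home, name) >= (int)len)
        return -1;
    return 0;
}

static const char *cfg_status_text(cfg_status s)
{
    static const char *const names[] = {
        "ok", "path is not absolute", "cannot open", "not a regular file",
        "not owned by you", "group-writable", "world-writable"
    };
    return names[s];
}

int main(void)
{
    char path[4096];
    cfg_status why;
    int fd;

    if (home_config_path(".mailcap", path, sizeof path) < 0) {
        fprintf(stderr, "HOME is unset or not an absolute path\n");
        return 1;
    }
    fd = open_personal_config(path, &why);
    printf("%s: %s\n", path, cfg_status_text(why));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The global files mentioned in the thread (system mailcap/mime.types) cannot be held to the same ownership rule, since they are legitimately owned by root or a package account; for those only the absolute-path check applies, which is what `open_personal_config` enforces first.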