Re: Security Issue of .desktop files

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 23:36 +, Matthew Johnson wrote: > Speaking as someone with a PhD in computer security (and my PhD was in > this area) I can tell you that trying to use heuristics in order to > determine if something is 'bad' does not, and it's fairly widely > recognised cannot, work. Wel

Re: Bug#516875: ITP: libxfce4menu -- freedesktop.org compliant menu implementation for Xfce

2009-02-24 Thread Yves-Alexis Perez
On Wed, 2009-02-25 at 09:08 +0900, Charles Plessy wrote: > Hi Yves, by the way, my name is Yves-Alexis. > > by the way, since the name of the XDG was changed to freedesktop.org, it is > maybe better not to use this name directly. > > How about: > > libxfce4menu is a menu implementation for the

Re: ucf: Diversion of /u/b/ucf by etcgit

2009-02-24 Thread Manoj Srivastava
On Mon, Feb 23 2009, sean finney wrote: > On Mon, Feb 23, 2009 at 09:24:17PM +0100, Frank Küster wrote: >> > (1) I use the >> > hooks provided by apt to get the original files from the >> > package >> >> In other words, with ucf you get NOTHING, since there are no original >> files in the package

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

2009-02-24 Thread Nico Golde
Hi, * Noah Slater [2009-02-25 01:32]: > On Tue, Feb 24, 2009 at 09:17:35PM +0100, Holger Levsen wrote: > > > (As Noah Slater pointed out, it's hard to lose a directory on your > > > own machine...) > > > > you can lose access to your machine... > > At which point you may as well call it someone

Re: Bug#516875: ITP: libxfce4menu -- freedesktop.org compliant menu implementation for Xfce

2009-02-24 Thread Charles Plessy
On Tue, Feb 24, 2009 at 09:58:21AM +0100, Yves-Alexis Perez wrote: > > > libxfce4menu is an XDG-compliant menu implementation for Xfce > > > Environment. Hi Yves, by the way, since the name of the XDG was changed to freedesktop.org, it is maybe better not to use this name directly. How about:

Re: Bug #513073 - debhelper impossible to unpack on Win32 due to case insensitivity - please reopen

2009-02-24 Thread Sjors Gielen
Neil Williams wrote: On Tue, 24 Feb 2009 23:07:35 +0100 Sjors Gielen wrote: I'd like to ask you to reopen this bug. I have sent you a patch which fixes debhelper so it can unpack on case insensitive file systems or operating systems. debhelper has in its main directory, next to the regular

Re: Security Issue of .desktop files

2009-02-24 Thread Matthew Johnson
On Tue Feb 24 23:44, Yves-Alexis Perez wrote: > On Tue, 2009-02-24 at 17:33 -0500, Michael S. Gilbert wrote: > > here is > > a .desktop file that looks like it is iceweasel, but really it > > downloads an essentially random file, but I could have made it do > > pretty much anything. > > Yes, tests

Re: Security Issue of .desktop files

2009-02-24 Thread Michael S. Gilbert
On Tue, 24 Feb 2009 23:44:31 +0100, Yves-Alexis Perez wrote: > > here is > > a .desktop file that looks like it is iceweasel, but really it > > downloads an essentially random file, but I could have made it do > > pretty much anything. > > Yes, tests may need to be narrowed. That should be part of

Re: Security Issue of .desktop files

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 17:33 -0500, Michael S. Gilbert wrote: > here is > a .desktop file that looks like it is iceweasel, but really it > downloads an essentially random file, but I could have made it do > pretty much anything. Yes, tests may need to be narrowed. That should be part of the spec, t

Bug#516991: ITP: dnssec-conf -- DNSSEC and DLV configuration tool

2009-02-24 Thread Ondřej Surý
X-Debbugs-Cc: debian-devel@lists.debian.org Package: wnpp Severity: wishlist Owner: "Ondřej Surý" * Package name: dnssec-conf Version : 1.15 Upstream Author : Paul Wouters * URL : http://www.xelerance.com/software/dnssec-conf/ * License : GPLv2+ Programming Lan

Re: Bug #513073 - debhelper impossible to unpack on Win32 due to case insensitivity - please reopen

2009-02-24 Thread Cyril Brulebois
Neil Williams (24/02/2009): > > If I'm correct, OS X may work in case insensitive mode too. > > It's been a while since I used OSX but I certainly remember .DS_Store > directories all over the place and various applications using a mix of > capitalised and lower case directory names. See HFS, HF

Re: Bug #513073 - debhelper impossible to unpack on Win32 due to case insensitivity - please reopen

2009-02-24 Thread Russ Allbery
Neil Williams writes: > Sjors Gielen wrote: >> If I'm correct, OS X may work in case insensitive mode too. > It's been a while since I used OSX but I certainly remember .DS_Store > directories all over the place and various applications using a mix of > capitalised and lower case directory name

Re: Security Issue of .desktop files

2009-02-24 Thread Michael S. Gilbert
On Tue, 24 Feb 2009 19:09:42 -0300, Daniel Ruoso wrote: > > > So if a .desktop file appears in the user's Desktop without the x bit > > > set and the user clicks it, it won't get executed.. > > Not exactly. The “safe” .desktop file was in the link I pasted on > > another mail in the thread: > > So

Re: Bug #513073 - debhelper impossible to unpack on Win32 due to case insensitivity - please reopen

2009-02-24 Thread Neil Williams
On Tue, 24 Feb 2009 23:07:35 +0100 Sjors Gielen wrote: > I'd like to ask you to reopen this bug. I have sent you a patch which > fixes debhelper so it can unpack on case insensitive file systems or > operating systems. debhelper has in its main directory, next to the > regular debian directory

Re: Is the FHS dead ?

2009-02-24 Thread Russ Allbery
Luke L writes: > Something to think about: Shouldn't SQL databases and web servers, and > file servers, be under /srv/? /srv/www, /srv/mysql, /srv/smb, etc.? The current FHS reserves /srv's namespace for the local administrator. My guess is that people won't want to go back on that promise and

Re: Security Issue of .desktop files

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 19:09 -0300, Daniel Ruoso wrote: > > So if the launcher use a plain name like "Nude Shots", it will get > executed? Please provide what you think is a bad .desktop and I'll let you know. Or you can try it yourself. Cheers, -- Yves-Alexis signature.asc Description: This i

Re: Security Issue of .desktop files

2009-02-24 Thread Armin Berres
On Tue, 24 Feb 09 17:36, Daniel Ruoso wrote: > On Tue, 2009-02-24 at 20:49 +0100, Emilio Pozuelo Monfort wrote: > > Daniel Ruoso wrote: > > > On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote: > > >> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote: > > >>> Last week, an

Bug #513073 - debhelper impossible to unpack on Win32 due to case insensitivity - please reopen

2009-02-24 Thread Sjors Gielen
Hello Joey and list, I'd like to ask you to reopen this bug. I have sent you a patch which fixes debhelper so it can unpack on case insensitive file systems or operating systems. debhelper has in its main directory, next to the regular debian directory, also a Debian directory which contains P

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 22:53 +0100, Yves-Alexis Perez wrote: > On Tue, 2009-02-24 at 18:35 -0300, Daniel Ruoso wrote: > > So if a .desktop file appears in the user's Desktop without the x bit > > set and the user clicks it, it won't get executed.. > Not exactly. The “safe” .desktop file was in th

Re: Security Issue of .desktop files

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 18:35 -0300, Daniel Ruoso wrote: > So if a .desktop file appears in the user's Desktop without the x bit > set and the user clicks it, it won't get executed.. Not exactly. The “safe” .desktop file was in the link I pasted on another mail in the thread: /* check if the file

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 16:33 -0500, Michael S. Gilbert wrote: > I think Yves is saying that the launcher issue is (and always was) > correctly handled in the XFCE desktop. This is a GNOME/KDE-specific > problem. So if a .desktop file appears in the user's Desktop without the x bit set and the u

Re: xcdroast does no longer work with wodim: Who to blame?

2009-02-24 Thread Reinhard Tartler
Andreas Tscharner writes: > So: xcdroast does no longer work. Who is to blame (Bug entry): xcdroast > or wodim? xcdroast -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact

Re: Security Issue of .desktop files

2009-02-24 Thread Michael S. Gilbert
On Tue, 24 Feb 2009 17:32:57 -0300, Daniel Ruoso wrote: > > By who? The Browser? Fix the browser? > > Please take a look at all the discussion in the bug reports, I don't > think we need to repeat all the argumentation here. I think Yves is saying that the launcher issue is (and always was) corre

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

2009-02-24 Thread Ron Johnson
On 02/24/2009 02:38 PM, Holger Levsen wrote: Hi, On Tuesday, 24 February 2009, Noah Slater wrote: you can lose access to your machine... At which point you may as well call it someone else's machine. I meant losing/forgetting the passwords Rescue disk!

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 21:43 +0100, Josselin Mouette wrote: > > I also would suggest that as a migration plan only, where we do turn > > all .desktop files into executables in the future, so we have a > > consistent environment. > What is the purpose of having system .desktop files executable? A

xcdroast does no longer work with wodim: Who to blame?

2009-02-24 Thread Andreas Tscharner
Hello World, xcdroast is looking for cdrecord, which does no longer exist in Debian Sid (apparently). And wodim does no longer provide a symlink as cdrecord or something (apparently). So: xcdroast does no longer work. Who is to blame (Bug entry): xcdroast or wodim? Best regards And

Re: Security Issue of .desktop files

2009-02-24 Thread Josselin Mouette
On Tuesday 24 February 2009 at 17:36 -0300, Daniel Ruoso wrote: > I'm pretty happy with that solution (although I would prefer not having > the "launch anyway"/"mark as trusted" box, but rather simply show the > properties dialog for a non-executable-non-system-wide .desktop file > (but I think that

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden?directories (forced browsing)

2009-02-24 Thread Holger Levsen
Hi, On Tuesday, 24 February 2009, Noah Slater wrote: > > you can lose access to your machine... > At which point you may as well call it someone else's machine. I meant losing/forgetting the passwords or the keys. regards, Holger

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 20:49 +0100, Emilio Pozuelo Monfort wrote: > Daniel Ruoso wrote: > > On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote: > >> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote: > >>> Last week, an old security issue in desktop environments went through

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 20:27 +0100, Yves-Alexis Perez wrote: > By who? The Browser? Fix the browser? Please take a look at all the discussion in the bug reports, I don't think we need to repeat all the argumentation here. daniel

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden?directories (forced browsing)

2009-02-24 Thread Noah Slater
On Tue, Feb 24, 2009 at 09:17:35PM +0100, Holger Levsen wrote: > > (As Noah Slater pointed out, it's hard to lose a directory on your > > own machine...) > > you can lose access to your machine... At which point you may as well call it someone else's machine. -- Noah Slater, http://tumbolia.org

Bug#516976: ITP: clive-utils -- additional utilities for clive

2009-02-24 Thread Damyan Ivanov
Package: wnpp Severity: wishlist Owner: Damyan Ivanov * Package name: clive-utils Version : 2.1.3 Upstream Author : Toni Gundogdu * URL : http://code.google.com/p/clive-utils/ * License : BSD Programming Lang: Perl Description : additional utilities fo

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

2009-02-24 Thread Holger Levsen
Hi, On Tuesday, 24 February 2009, Ron Johnson wrote: > The apps you specify have obvious non-abusive uses. What (besides > penetration testing) are such uses for w3bfukk0r? penetration testing is a useful use. you might even do it for others. > (As Noah Slater pointed out, it's hard to lose a

Bug#516972: ITP: vilistextum -- a HTML to text converter

2009-02-24 Thread Siegfried-Angel Gevatter Pujals
Package: wnpp Severity: wishlist Owner: "Siegfried-Angel Gevatter Pujals" * Package name: vilistextum Version : 2.6.7 Upstream Author : Patric Müller * URL : http://bhaak.dyndns.org/vilistextum/ * License : GPLv2 Programming Lang: C Description : a HTM

Re: Security Issue of .desktop files

2009-02-24 Thread Emilio Pozuelo Monfort
Daniel Ruoso wrote: > On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote: >> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote: >>> Last week, an old security issue in desktop environments went through a >>> widely public discussion (including on slashdot)[1][2]. As I said, th

Re: Whoos with GnuTLS and md5-signed certificates

2009-02-24 Thread Florian Weimer
* Florian Weimer: > Would those who have an interest in this topic please test the patch > in > > > > and report if it improves things for them? Thanks. For the record, it's very likely that we are soon to release updates

Re: Security Issue of .desktop files

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 16:11 -0300, Daniel Ruoso wrote: > The issue here is about recognizing that .desktop files are executables, > and, as such, must have the x bit set in order to be executed. Depending on who executes it. On Xfce, a suspected malicious file won't be executed. > Consider > the u

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 19:53 +0100, Yves-Alexis Perez wrote: > On Tue, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote: > > Last week, an old security issue in desktop environments went through a > > widely public discussion (including on slashdot)[1][2]. As I said, this > > issue is not new[3], bu

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

2009-02-24 Thread Ron Johnson
On 02/24/2009 08:13 AM, Jon Dowland wrote: On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote: But what (besides web crawling) is the (legal) purpose of that? And why does it need a word list? It seems to me that this tool is as open to abuse as nmap, ping, wget, and several other ap

Re: Security Issue of .desktop files

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote: > Last week, an old security issue in desktop environments went through a > widely public discussion (including on slashdot)[1][2]. As I said, this > issue is not new[3], but there seem to be no action on the upstream to > fix it. In Xfce this

Re: Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote: > On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote: > > Last week, an old security issue in desktop environments went through a > > widely public discussion (including on slashdot)[1][2]. As I said, this > > issue is not new

Re: Security Issue of .desktop files

2009-02-24 Thread Josselin Mouette
On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote: > Last week, an old security issue in desktop environments went through a > widely public discussion (including on slashdot)[1][2]. As I said, this > issue is not new[3], but there seem to be no action on the upstream to > fix it. On t

Security Issue of .desktop files

2009-02-24 Thread Daniel Ruoso
Hello, Last week, an old security issue in desktop environments went through a widely public discussion (including on slashdot)[1][2]. As I said, this issue is not new[3], but there seem to be no action on the upstream to fix it. After taking an extensive look in all the history of this discussio

Re: handling group membership in and outside d-i

2009-02-24 Thread Daniel Moerner
On Tue, Feb 24, 2009 at 6:11 AM, Jon Dowland wrote: > Hi folks, > > I filed a bug against gnome-power-manager a little while > ago because I could not suspend. It turned out my user was > not in the powerdev group. Hi, there are already some bugs open about this, because it's obviously an annoyin

Come join me on Motorcycle Accessories Warehouse

2009-02-24 Thread motohart
Motorcycle Accessories Warehouse: motorcycle accessories, motorcycle accessories warehouse, wholesale motorcycle a this may be of interest for you so please do visit it. Click the link below to Join: http://motohart.ning.com/?xgi=b6jveyp If your email program doesn't recogn

Re: Is the FHS dead ?

2009-02-24 Thread Theodore Tso
On Tue, Feb 24, 2009 at 08:20:31AM -0600, Gunnar Wolf wrote: > > Interesting. And yes, illustrative of the historically (and, should I > add, ridiculous? No, I'd better not ;-) ) rivalry between Linux and > the *BSDs, big egos included. Well, the last time we tried to make reasonable accomodati

Re: Is the FHS dead ?

2009-02-24 Thread Paul Wise
On Tue, Feb 24, 2009 at 9:46 PM, Luke L wrote: > Something to think about: Shouldn't SQL databases and web servers, and > file servers, be under /srv/? /srv/www, /srv/mysql, /srv/smb, etc.? The bikeshed shall be coloured 'yes'. -- bye, pabs http://wiki.debian.org/PaulWise

handling group membership in and outside d-i

2009-02-24 Thread Jon Dowland
Hi folks, I filed a bug against gnome-power-manager a little while ago because I could not suspend. It turned out my user was not in the powerdev group. It was Joss' initial belief that the non-root user that you create in d-i is added to a fixed set of groups, including powerdev. For the remaind

Re: Is the FHS dead ?

2009-02-24 Thread Gunnar Wolf
Theodore Tso wrote [Fri, Feb 20, 2009 at 11:57:32PM -0500]: > Well, realistically we didn't have very good participation from anyone > other than one or two *BSD folks, and at the time some of the changes > that were made for compatibility with *BSD (and, to be fair, to be > closer to the rest of th

Re: Bug#516659: ITP: w3bfukk0r -- scan webservers for hidden directories (forced browsing)

2009-02-24 Thread Jon Dowland
On Sun, Feb 22, 2009 at 07:27:43PM -0600, Ron Johnson wrote: > But what (besides web crawling) is the (legal) purpose of > that? And why does it need a word list? It seems to me that this tool is as open to abuse as nmap, ping, wget, and several other apps we distribute. -- Jon Dowland

link exchainge request

2009-02-24 Thread nitin rana
*Plz Add My Id* {*nitinrana.anewin...@gmail.com*} Thanks

Re: Is the FHS dead ?

2009-02-24 Thread Luke L
On Mon, Feb 16, 2009 at 4:14 AM, Josselin Mouette wrote: > Hi, > > I wanted to discuss the python-support directory tree location (and > similar issues) with the FHS maintainers, however it occurred to me that > the mailing list is completely dead, and the standard doesn’t seem very > alive either

Bug#516898: ITP: scheme9 -- Scheme 9 from Empty Space R4RS Scheme interpreter

2009-02-24 Thread Barak A. Pearlmutter
Package: wnpp Severity: wishlist Owner: "Barak A. Pearlmutter" * Package name: scheme9 Version : 2009.02.09 Upstream Author : Nils M Holm * URL : http://t3x.org/s9fes/ * License : idiosyncratic near-MIT/X Programming Lang: C, Scheme Description : Sche

Re: Refactoring the Debtags web interface

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 10:27 +, Enrico Zini wrote: > I can implement OpenID in a new Debtags web application, but people > would have to get their identities out of something like their blogs. > We could implement a Debian OpenID provider, but it'll have to be > something else than the normal us

Re: Refactoring the Debtags web interface

2009-02-24 Thread Enrico Zini
On Mon, Feb 23, 2009 at 10:19:21PM -0500, Sam Hartman wrote: > I find it deeply ironic that I'm arguing against security. However, > let's remember that we're talking about debtags. It's always > important to think about your threat model and about how much > complexity you're willing to spend i

Bug#516880: ITP: argvalidate -- simple argument validator library for Python

2009-02-24 Thread Stephan Peijnik
Package: wnpp Severity: wishlist Owner: Stephan Peijnik * Package name: argvalidate Version : 0.8.0 Upstream Author : Stephan Peijnik * URL : http://bitbucket.org/sp/python-argvalidate * License : GPL Programming Lang: Python Description : simple argum

Re: Bug#516875: ITP: libxfce4menu -- freedesktop.org compliant menu implementation for Xfce

2009-02-24 Thread Yves-Alexis Perez
On Tue, 2009-02-24 at 09:05 +0100, Andreas Tille wrote: > > libxfce4menu is an XDG-compliant menu implementation for Xfce > Desktop > > Environment. > > Could you please be a little bit more verbose. I had the (maybe > wrong) > assumption that xfce4 would be XDG-compliant without any additional >

Re: Bug#516875: ITP: libxfce4menu -- freedesktop.org compliant menu implementation for Xfce

2009-02-24 Thread Andreas Tille
On Tue, 24 Feb 2009, Yves-Alexis Perez wrote: * Package name: libxfce4menu Version : 4.6.0 Upstream Author : Jannis Pohlmann * URL : http://www.xfce.org.org/ * License : GPL-2+ Programming Lang: C Description : freedesktop.org compliant menu implementati