On Tue, 24 Feb 2009 23:36:38 +
Matthew Johnson wrote:
> On Tue Feb 24 23:44, Yves-Alexis Perez wrote:
> > On Tue, 2009-02-24 at 17:33 -0500, Michael S. Gilbert wrote:
> > > here is
> > > a .desktop file that looks like it is iceweasel, but really it
> > > downloads an essentially random file,
On Tuesday 24 February 2009 at 22:53 +0100, Yves-Alexis Perez wrote:
> Not exactly. The “safe” .desktop file was in the link I pasted on
> another mail in the thread:
>
> /* check if the file tries to look like a regular document (i.e.
> * a display name of 'file.png'), maybe a virus or other ma
On Tue, 2009-02-24 at 23:36 +, Matthew Johnson wrote:
> Speaking as someone with a PhD in computer security (and my PhD was in
> this area) I can tell you that trying to use heuristics in order to
> determine if something is 'bad' does not, and it's fairly widely
> recognised cannot, work.
Wel
On Tue Feb 24 23:44, Yves-Alexis Perez wrote:
> On Tue, 2009-02-24 at 17:33 -0500, Michael S. Gilbert wrote:
> > here is
> > a .desktop file that looks like it is iceweasel, but really it
> > downloads an essentially random file, but I could have made it do
> > pretty much anything.
>
> Yes, tests
On Tue, 24 Feb 2009 23:44:31 +0100, Yves-Alexis Perez wrote:
> > here is
> > a .desktop file that looks like it is iceweasel, but really it
> > downloads an essentially random file, but I could have made it do
> > pretty much anything.
>
> Yes, tests may need to be narrowed. That should be part of
On Tue, 2009-02-24 at 17:33 -0500, Michael S. Gilbert wrote:
> here is
> a .desktop file that looks like it is iceweasel, but really it
> downloads an essentially random file, but I could have made it do
> pretty much anything.
Yes, tests may need to be narrowed. That should be part of the spec,
t
On Tue, 24 Feb 2009 19:09:42 -0300, Daniel Ruoso wrote:
> > > So if a .desktop file appears in the user's Desktop without the x bit
> > > set and the user clicks it, it won't get executed..
> > Not exactly. The “safe” .desktop file was in the link I pasted on
> > another mail in the thread:
>
> So
On Tue, 2009-02-24 at 19:09 -0300, Daniel Ruoso wrote:
>
> So if the launcher uses a plain name like "Nude Shots", it will get
> executed?
Please provide what you think is a bad .desktop and I'll let you know.
Or you can try it yourself.
Cheers,
--
Yves-Alexis
On Tue, 24 Feb 09 17:36, Daniel Ruoso wrote:
> On Tue, 2009-02-24 at 20:49 +0100, Emilio Pozuelo Monfort wrote:
> > Daniel Ruoso wrote:
> > > On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote:
> > >> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
> > >>> Last week, an
On Tue, 2009-02-24 at 22:53 +0100, Yves-Alexis Perez wrote:
> On Tue, 2009-02-24 at 18:35 -0300, Daniel Ruoso wrote:
> > So if a .desktop file appears in the user's Desktop without the x bit
> > set and the user clicks it, it won't get executed..
> Not exactly. The “safe” .desktop file was in th
On Tue, 2009-02-24 at 18:35 -0300, Daniel Ruoso wrote:
> So if a .desktop file appears in the user's Desktop without the x bit
> set and the user clicks it, it won't get executed..
Not exactly. The “safe” .desktop file was in the link I pasted on
another mail in the thread:
/* check if the file
On Tue, 2009-02-24 at 16:33 -0500, Michael S. Gilbert wrote:
> I think Yves is saying that the launcher issue is (and always was)
> correctly handled in the XFCE desktop. This is a GNOME/KDE-specific
> problem.
So if a .desktop file appears in the user's Desktop without the x bit
set and the u
On Tue, 24 Feb 2009 17:32:57 -0300, Daniel Ruoso wrote:
> > By who? The Browser? Fix the browser?
>
> Please take a look at all the discussion in the bug reports, I don't
> think we need to repeat all the argumentation here.
I think Yves is saying that the launcher issue is (and always was)
corre
On Tue, 2009-02-24 at 21:43 +0100, Josselin Mouette wrote:
> > I also would suggest that as a migration plan only, where we do turn
> > all .desktop files into executables in the future, so we have a
> > consistent environment.
> What is the purpose of having system .desktop files executable?
A
On Tuesday 24 February 2009 at 17:36 -0300, Daniel Ruoso wrote:
> I'm pretty happy with that solution (although I would prefer not having
> the "launch anyway"/"mark as trusted" box, but rather simply show the
> properties dialog for a non-executable-non-system-wide .desktop file
> (but I think that
On Tue, 2009-02-24 at 20:49 +0100, Emilio Pozuelo Monfort wrote:
> Daniel Ruoso wrote:
> > On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote:
> >> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
> >>> Last week, an old security issue in desktop environments went through
On Tue, 2009-02-24 at 20:27 +0100, Yves-Alexis Perez wrote:
> By who? The Browser? Fix the browser?
Please take a look at all the discussion in the bug reports, I don't
think we need to repeat all the argumentation here.
daniel
Daniel Ruoso wrote:
> On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote:
>> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
>>> Last week, an old security issue in desktop environments went through a
>>> widely public discussion (including on slashdot)[1][2]. As I said, th
On Tue, 2009-02-24 at 16:11 -0300, Daniel Ruoso wrote:
> The issue here is about recognizing that .desktop files are executables,
> and, as such, must have the x bit set in order to be executed.
Depending on who executes it. On Xfce, a suspected malicious file won't be
executed.
> Consider
> the u
On Tue, 2009-02-24 at 19:53 +0100, Yves-Alexis Perez wrote:
> On Tue, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote:
> > Last week, an old security issue in desktop environments went through a
> > widely public discussion (including on slashdot)[1][2]. As I said, this
> > issue is not new[3], bu
On Tue, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote:
> Last week, an old security issue in desktop environments went through a
> widely public discussion (including on slashdot)[1][2]. As I said, this
> issue is not new[3], but there seems to be no action on the upstream to
> fix it.
In Xfce this
On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote:
> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
> > Last week, an old security issue in desktop environments went through a
> > widely public discussion (including on slashdot)[1][2]. As I said, this
> > issue is not new
On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
> Last week, an old security issue in desktop environments went through a
> widely public discussion (including on slashdot)[1][2]. As I said, this
> issue is not new[3], but there seems to be no action on the upstream to
> fix it.
On t