Ben Hutchings wrote: > On Mon, 2008-04-07 at 10:30 +0200, Géraud Meyer wrote: > >> Ben Hutchings wrote: >> >>> This is not a security hole. >>> >> If you can modify a user's ~/.fehbg you >> >>> can almost certainly edit other shell scripts in the user's home >>> >>> >> feh alone can modify ~/.fehbg. The user changing a wallpaper won't >> notice that malicious code could be put in his home dir since fehbg is >> only supposed to change the background, not to interpret code inside >> filenames. feh does not modify other scripts, though a script in a >> filename processed by feh could. >> > > However, the user has to take a series of positive actions for an > exploit to succeed: they must modify their session script, open the > specific image, and set it as background. > Modifying the session script is recommended by the man page! This is the normal procedure to have the wallpaper restored at starup of the X session. Yes the user has to take positive actions as is the case for most of exploits that are not network related. > >>> directory too. Furthermore, while it is possible for feh to write a >>> destructive command to ~/.fehbg, it is extremely unlikely that a user >>> will make it do so accidentally. >>> >>> >> Firstly the user may not choose the filename of the image file, for >> example in case it was sent to him/her by email. >> > > Of course. But the filename is visible to the user, is it not? > > I suppose this is a security hole, but since it requires positive > actions by the user (unlike, say, exploiting creation of temporary files > which the user is not aware of) I don't believe it is grave. > The user is not aware of the bug of feh so that even if he/she notices the odd filename -- and an average user of a graphical application is not supposed to recognize a shell script -- setting it as a wallpaper is still safe to his/her knowledge. Exploiting creation of temporary files is very similar to this weakness. As I understand it you mean that since this bug is so obviously a security issue, it should not be because everybody should identify the weakness and stop action! > Ben. > >
Still not convinced. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
