forwarded 492282 http://bugzilla.gnome.org/show_bug.cgi?id=544672 thanks
Le jeudi 24 juillet 2008 à 22:56 +0200, Stefan Fritsch a écrit : > Package: seahorse > Version: 2.22.3-1 > Severity: normal > Tags: security > > Seahorse leaks file descriptors to processes started with "seahorse-agent > --execute", including the gpg agent listening socket. For the default setup, > this means that all processes started from the desktop inherit those FDs and > can > possibly use them. This can be a security issue because the FDs are also > inherited to processes started with su as a different user which normally > would > not have access to gpg key and gpg agent socket. > > Seahorse should use fcntl to set FD_CLOEXEC on its FDs. Indeed, this can easily be confirmed by looking at gnome-session’s file descriptors. However it seems that gnome-session itself correctly closes the file descriptors before spawning anything else, so they are not leaked further. What makes you think all desktop processes will inherit from them? Cheers, -- .''`. : :' : We are debian.org. Lower your prices, surrender your code. `. `' We will add your hardware and software distinctiveness to `- our own. Resistance is futile.
signature.asc
Description: Ceci est une partie de message numériquement signée

