On Tue, 2011-03-08 at 09:03 -0800, Ryan Ware wrote:

> kinda scary... we need to pay close attention to these.
>
> We need to pay extremely close attention to these. These types of
> failures are indicative of buffer handling errors. If we aren't
> handling these buffers correctly (for whatever reason), then we
> will have security issues. Be it tracker-extract's fault or one of
> its dependent libraries, these behaviors are not acceptable in MeeGo.

Hi Ryan,

Given some D-Bus love we could probably let tracker-extract run in a chrooted or sandboxed environment, where it can't do much harm. With Aegis you can further limit the kind of calls that the process is allowed to perform. And of course a buffer overflow or any other crash is a bug that must be fixed.

When you open a video then GStreamer also kicks into action. Your media player, in other words, has the exact same security problem (Tracker by itself doesn't add a security risk here; Tracker just happens to be the first to use the file, as indexing is among its roles).

So basically, the reason why they end up in Tracker's bugzilla and not in the media player's is because Tracker is faster than the testers at opening the file first.

But yes, yes, bugz must be fixed.

Cheers,

Philip

--
Philip Van Hoof
freelance software developer
Codeminded BVBA - http://codeminded.be

_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
http://wiki.meego.com/Mailing_list_guidelines
