Send Notepad-plus-plus mailing list submissions to
        notepad-plus-plus@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/notepad-plus-plus
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Notepad-plus-plus digest..."


Today's Topics:

   1. [notepad-plus - Open Discussion] RE: Regular      expression
      (SourceForge.net)
   2. [notepad-plus - Open Discussion] Notepad++        updater security
      issue (SourceForge.net)
   3. [notepad-plus - Open Discussion] RE: Notepad++    updater
      security issue (SourceForge.net)
   4. [notepad-plus - Open Discussion] RE: Notepad++    updater
      security issue (SourceForge.net)
   5. [notepad-plus - Open Discussion] RE: Notepad++    updater
      security issue (SourceForge.net)
   6. [notepad-plus - Plugin Development] RE:   CCompletion 1.08
      (SourceForge.net)
   7. [notepad-plus - Open Discussion] RE: Notepad++    updater
      security issue (SourceForge.net)
   8. [notepad-plus - Open Discussion] RE: Notepad++    updater
      security issue (SourceForge.net)
   9. [notepad-plus - Open Discussion] does N++ suport html tool
      bar like editplus ? (SourceForge.net)
  10. [notepad-plus - Help] RE: multi-line tabs (SourceForge.net)
  11. [notepad-plus - Open Discussion] Problem with     clipboard data
      (SourceForge.net)
  12. [notepad-plus - Open Discussion] RE: Notepad++    updater
      security issue (SourceForge.net)


----------------------------------------------------------------------

Message: 1
Date: Wed, 30 Jul 2008 20:45:53 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Regular expression
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134043
By: nobody

Ok but non-greedy capture "one (.*?) two" syntax I take here
http://www.davidtan.org/greedy-and-non-greedy-regex-rule-and-matches/
doesn't work

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 2
Date: Wed, 30 Jul 2008 23:52:08 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion]
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134373
By: donho

A software named evilgrade demonstrated the vulnerable auto-upgrade issue :
http://www.thetechherald.com/article.php/200831/1598/Kaminsky-DNS-flaw-used-as-a
n-example-in-testing-of-Evilgrade

Generic UPdater (another GPL project, written by me) is used by Notepad++ to
do its auto-update :
https://sourceforge.net/projects/gup-w32/
http://gup-w32.sourceforge.net/
http://gup-w32.sourceforge.net/images/gup_howToWork.png

Obviously, Notepad++ will have the security issue due to GUP.

If anyone have idea to enhance GUP security issue, please let me know.

Don


______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 3
Date: Thu, 31 Jul 2008 00:08:40 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134400
By: snemarch

Digitally sign releases...

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 4
Date: Thu, 31 Jul 2008 00:19:19 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134410
By: donho

I guess you're talking about to sign the binary, then release the signed binary
with its public key.

Embedding the public key in a signed executable only prevents the executable
from being modified.
An attacker could simply supply a different executable with his own key embedded
in it.

So digital sign release is not a solution for Man-in-the-middle attack issue.

Don

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 5
Date: Thu, 31 Jul 2008 00:32:28 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134432
By: snemarch

Well, you distribute the pubkey with Notepad++ - if a user manages to get an
un-exploited version once, the pubkey there keeps him safe from that point on.

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 6
Date: Thu, 31 Jul 2008 00:44:59 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Plugin Development] RE:
        CCompletion 1.08
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134449
By: mishail

Thanks a lot for great plugin. 
I've faced one issue though. When I'm using F12 and the definition of the 
identifier
under cursor is stored in the different file (not that I'm editing), and that
different file is not opened in N++, then i get "History function failure"
dialog.

Steps to reproduce.
1. 1 source file is opened in N++
2. Select identifier defined in other file (which is not yet opened) and press
f12
3. New N++ tab appears with that file and then "History function failure" dialog
immediately.
4. Press OK in error dialog => the tab with 1st document gets focus (no 
identifier
selected in 2nd tab).
5. Press F12 again (the other file is opened in 2nd tab now) => identifier's
definition is opened in secondary view in 1st tab.

I have the similar setup of N++ on different PC and there is no such issue.
What can be it related to?

Thanks in advance. Great work.

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=482781



------------------------------

Message: 7
Date: Thu, 31 Jul 2008 01:04:39 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134469
By: donho

It's Generic UPdater (GUP) who does the whole update job but not notepad++ :
Notepad++ just launches GUP, 
GUP checks on a specific url (defined in a xml file) to see if there's a new
version available.
if yes, it gets full url to download the install package, then execute
the installer.

So afaics, signing Notepad++ and distribute the public key with it won't keep
user from man-in-the-middle attack.
Or I do misunderstand you completely?

Don

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 8
Date: Thu, 31 Jul 2008 02:43:38 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134633
By: snemarch

GUP shouldn't rely on pubkey posted on web site - if DNS cache has been 
poisoned,
attacker has control of what GUP sees there :). But it would probably be a good
idea put the pubkey on some keyserver that has authenticity in place.

Don't simply encrypt/decrypt the distributed file, *sigh* it. Probably a bit
cpu-intensive doing pubkey decryption of something as (relatively) big as a
NP++ release, anyway ;). Don't roll your own, use recognized and test libraries.
And get somebody good with crypto to review the scheme before launching, there's
a lot of pitfalls. I'm not claiming to be a crypto expert here, I just hope
I know enough to avoid the most common pitfalls.

And as I understand the exploit, it's not really about sourceforge's nameservers
being patched. You find out which nameservers your *victim* are using, then
you poison those. In case you find a big ISP with unpatched DNS, you have a
lot of potential victims.

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 9
Date: Thu, 31 Jul 2008 07:03:28 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] does N++
        suport html tool bar like editplus ?
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5135058
By: nobody

Hi, 

N++ so amazing.
It's a great edit tool than others.

down N++ support html tool bar ?

thanks.

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 10
Date: Thu, 31 Jul 2008 07:09:29 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Help] RE: multi-line tabs
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5135068
By: mcfang

I've been using Notepad++ for several weeks now and I'm still finding this 
behavour
very confusing.

When I have enough files open to have multiple tab lines the usual action I
want to do is move between two open files easily, but when it moves the 
tab-lines
around with each selection it makes it difficult to find where the old line
has moved to.

I know Editplus2 keeps the tab lines static, and it feels very intuitive.

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331754



------------------------------

Message: 11
Date: Thu, 31 Jul 2008 07:44:25 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] Problem
        with    clipboard data
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5135133
By: nobody


I will explain my problem by easy way

have trhee rows

tablename1
tablename2
tablename3

now in the clipboard I have the string "insert into " and want to put it on
the beginning by macro. So by CTRL+SHIFT R and push CTRL+V on the first row
and then finish macro recording.

Go to next row and want to put the string there by macro. It will create this

insert into tablename1
i[NUL]<AutoCompltablename2
tablename3

Also when I am inserting some text from clipbouard from excel, outlook then
there are many of NUL and some symbols. What I remmember this issue was in 4.9
version. Then I installed the 5.0 beta and the problem was solved. But now in
5.0.2 I have the issue again.

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

Message: 12
Date: Thu, 31 Jul 2008 01:13:18 +0000
From: "SourceForge.net" <[EMAIL PROTECTED]>
Subject: [Notepad-plus-plus] [notepad-plus - Open Discussion] RE:
        Notepad++       updater security issue
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="UTF-8"


Read and respond to this message at: 
https://sourceforge.net/forum/message.php?msg_id=5134483
By: snemarch

Haven't looked into GUP, sorry, but it was my impression that it gets it's
configuration (server to contact, what more?) from a *local* .xml file? Your
pubkey (you could either use one per-project, or just a single "Don Ho" key)
would be stored in the .xml, and GUP would be updated to use this.

Also, requiring HTTPS:// connections to the update server could help mitigate
the problem. But then you do face the dilemma of either getting a CA-signed
cert ($$$) or using a self-signed key (which seems suspicious to most people).
And if you don't have server id fingerprint in the .xml file, it doesn't help
much (blindly trusting certs just because they're CA-signed is a bad idea).

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit: 
https://sourceforge.net/forum/unmonitor.php?forum_id=331753



------------------------------

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

------------------------------

_______________________________________________
Notepad-plus-plus mailing list
Notepad-plus-plus@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/notepad-plus-plus


End of Notepad-plus-plus Digest, Vol 26, Issue 68
*************************************************

Reply via email to