Xarchiver 0.4.6 released

Giuseppe Torelli colossus73 at gmail.com
Wed Nov 29 07:53:00 CET 2006


On 11/29/06, Christoph Wickert <christoph.wickert at nurfuerspam.de> wrote:
> > Also reading
> > src/deb.c, it seems to me that the files in /tmp are not safely
> > created, opening the possibility of a symlink in tmp attack. Maybe
> > the manipulation should be done in a /tmp subdir. I haven't checked
> > the other /tmp use, some look clearly right, for others there is
> > a need to look at the code.

??? Which attack? The .tar.gz file contained in the ar archive is
simply extracted in /tmp and deleted when you close the archive or
when you quit xarchiver. Are you talking about the read permission for
group and others maybe?

> Can somebody please look at this, the code in deb.c looks a little
> suspicious.

Please clarify this statement.

> > $ ldd -u -r /usr/bin/xarchiver
> > Unused direct dependencies:
> >
> >         /usr/lib/libatk-1.0.so.0
> >         /lib/libm.so.6
> >         /usr/lib/libpangocairo-1.0.so.0
> >         /usr/lib/libpango-1.0.so.0
> >         /usr/lib/libcairo.so.2
> >         /lib/libgmodule-2.0.so.0
> >         /lib/libdl.so.2

May someone else help me shed light on this matter? I don't know
what to say here.

> - I patched src/callback.c to use htmlview by default. This fires up the
> browser from Gnome's "preferred applications" (at least on Fedora/Red
> Hat). The patch also includes epiphany, konqueror and seamonkey.

Thank you, I applied the patch:
http://svn.xfce.org/log.php?repname=xfce4&path=%2Fxarchiver%2F&sc=1

-- 
Colossus
Xarchiver, a Linux GTK+2 only archive manager - http://xarchiver.xfce.org
Xscreencast, a DE independent desktop session recorder -
http://xscreencast.berlios.de
Cpsed, a Linux OpenGL 3D scene editor - http://cpsed.sourceforge.net
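
The "/tmp subdir" suggestion quoted in the message above, as an added example that is not part of the original post and is not Xarchiver code. The helper names, the `xa-example-` prefix and the file names are hypothetical, and the symlink is a constructed stand-in for a link planted at a predictable name.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* mkdtemp(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: make a private 0700 directory under /tmp.
 * mkdtemp() picks an unpredictable name and fails if it already exists. */
static int make_private_dir(char *out, size_t len)
{
    if (snprintf(out, len, "/tmp/xa-example-XXXXXX") >= (int)len)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Hypothetical helper: create `name` inside `dir`. O_CREAT|O_EXCL fails
 * with EEXIST on any existing entry, including a symlink, so a planted
 * link is never followed; the new file has no group/other permissions. */
static int create_private_file(const char *dir, const char *name)
{
    char path[256];
    if (strchr(name, '/') ||
        snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = EINVAL;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 0 when a pre-existing symlink is refused and a fresh name works. */
static int demo(void)
{
    char dir[64], link_path[256], fresh[256];
    if (make_private_dir(dir, sizeof dir) != 0) return -1;
    snprintf(link_path, sizeof link_path, "%s/data.tar.gz", dir);
    snprintf(fresh, sizeof fresh, "%s/control.tar.gz", dir);
    /* Constructed sample: a link sitting where the extractor wants to write. */
    if (symlink("/nonexistent/constructed-target", link_path) != 0) return -1;
    int refused = create_private_file(dir, "data.tar.gz") == -1 && errno == EEXIST;
    int fd = create_private_file(dir, "control.tar.gz");
    if (fd >= 0) close(fd);
    unlink(link_path); unlink(fresh); rmdir(dir);
    return (refused && fd >= 0) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```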



More information about the Xfce4-dev mailing list