xfce 4.4.2 test packages ready
Brian J. Tarricone
bjt23 at cornell.edu
Sun Nov 18 09:07:14 CET 2007
On Sun, 18 Nov 2007 09:47:33 +0200 Eren Türkay wrote:
> On Sunday 18 November 2007 09:30:18 Brian J. Tarricone wrote:
> > 1. I disagree with their severity rating of 'High'. An attacker
> > has to a) somehow get a URL to display in Terminal, which is
> > difficult (I don't imagine too many people run a text-mode web
> > browser or interact with *too* much untrusted data in a terminal),
> > and then, the user has to middle-click on it (not just click;
> > middle-click), which is of rather low to medium probability. Note
> > that the kinds of people who are foolish enough to click on links
> > of that nature are not the kinds of people who would end up using
> > Terminal all that much. Yes, it should be fixed. Is it that big a
> > deal? No.
>
> If user is using "irssi" or "weechat" with Terminal and someone gives
> an url which is confusing like "http://foo/bar.php?some=s&{rm -rf
> ~/}, how a user can be aware of this?
>
> Is it a big deal? *Exactly* Yes!
No, it's not. In my book, any exploit that requires the user to do
something like click a link or open a file -- especially for the kind
of likely-moderately-advanced user that's going to be using irssi or
weechat -- is low-risk. The kind of user that just clicks on random
links without thinking about what they might do will use x-chat (or
probably won't even know what IRC is at all). Your opinion may differ;
that's fine.
Regardless, this discussion is moot: I've removed Terminal from the new
packages (since it's not necessary like exo and Thunar are), and
there'll be a new release when Benny gets around to it.
-brian
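As an added illustration (not from Brian, Eren or the Terminal code base) of the defensive pattern at issue here, the helper below shows how a terminal can hand a middle-clicked link to a browser without ever pasting the URL into a shell command line, so the metacharacters in Eren's sample URL stay literal text. The scheme allow-list and the use of xdg-open are assumptions made for this example.

```python
import subprocess
from urllib.parse import urlsplit

# Schemes a terminal's "open this link" action should hand to a browser.
# This list is an assumption for the example, not Terminal's own config.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def build_open_command(url, browser="xdg-open"):
    """Return the argv list for opening `url`, or None if the URL is refused.

    The URL becomes exactly ONE argv element and is never interpolated into
    a shell string, so & ; $ ( ) { } ` and whitespace are ordinary bytes for
    the browser instead of syntax for /bin/sh.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Control characters (newlines, tabs, DEL) are never legitimate in a
    # URL a user just clicked on; refuse rather than try to sanitise.
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return None
    return [browser, url]


def open_url(url, browser="xdg-open", dry_run=True):
    """Open a clicked link via exec (no shell). Returns argv used, or None."""
    argv = build_open_command(url, browser)
    if argv is None:
        return None
    if not dry_run:
        # No shell=True and no string concatenation: the kernel receives
        # argv as-is, so there is nothing for a shell to re-parse.
        subprocess.Popen(argv)
    return argv


if __name__ == "__main__":
    # Eren's sample URL from the thread, passed through unchanged as one arg.
    print(open_url("http://foo/bar.php?some=s&{rm -rf ~/}"))
    print(open_url("file:///etc/passwd"))  # refused: not an allowed scheme
```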