xfce 4.4.2 test packages ready

Brian J. Tarricone bjt23 at cornell.edu
Sun Nov 18 09:07:14 CET 2007

On Sun, 18 Nov 2007 09:47:33 +0200 Eren Türkay wrote:

> On Sunday 18 November 2007 09:30:18 Brian J. Tarricone wrote:
> > 1.  I disagree with their severity rating of 'High'.  An attacker
> > has to a) somehow get a URL to display in Terminal, which is
> > difficult (I don't imagine too many people run a text-mode web
> > browser or interact with *too* much untrusted data in a terminal),
> > and then, the user has to middle-click on it (not just click;
> > middle-click), which is of rather low to medium probability.  Note
> > that the kinds of people who are foolish enough to click on links
> > of that nature are not the kinds of people who would end up using
> > Terminal all that much.  Yes, it should be fixed.  Is it that big a
> > deal?  No.
> If user is using "irssi" or "weechat" with Terminal and someone gives
> an url which is confusing like "http://foo/bar.php?some=s&{rm -rf
> ~/}, how a user can be aware of this?
> Is it a big deal? *Exactly* Yes!

No, it's not.  In my book, any exploit that requires the user to do
something like click a link or open a file -- especially for the kind
of likely-moderately-advanced user that's going to be using irssi or
weechat -- is low-risk.  The kind of user that just clicks on random
links without thinking about what they might do will use x-chat (or
probably won't even know what IRC is at all).  Your opinion may differ;
that's fine.

Regardless, this discussion is moot: I've removed Terminal from the new
pacakges (since it's not necessary like exo and Thunar are), and
there'll be a new release when Benny gets around to it.


More information about the Xfce4-dev mailing list