Ben Hutchings wrote:
> This is not a security hole.  If you can modify a user's ~/.fehbg you
> can almost certainly edit other shell scripts in the user's home
>   
feh alone can modify ~/.fehbg. The user changing a wallpaper won't
notice that malicious code could be put in his home dir since fehbg is
only supposed to change the background, not to interpret code inside
filenames. feh does not modify other scripts, though a script in a
filename processed by feh could.
> directory too.  Furthermore, while it is possible for feh to write a
> destructive command to ~/.fehbg, it is extremely unlikely that a user
> will make it do so accidentally.
>   
Firstly the user may not choose the filename of the image file, for
example in case it was sent to him/her by email. Secondly not only
"destructive" commands could be put in a file name but anything
available on the system (e.g. the entire content of the home dir can
easily be sent out somewhere on the internet). And thirdly "unlikely" is
not a sensible protection mechanism.
> Ben.
>
>   
I do not agree _at all_ with your view. Admittedly I have no specific
knowledge in security except common sense; I suggest you ask for
confirmation about this issue where appropriate though.

Regards
Géraud
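
The mechanism argued over above (a filename written into a generated shell script and later interpreted as shell code), shown next to a quoted writer. This is an added example, not part of the original message and not feh's code. The `feh --bg-scale <file>` line format, the function names, the stub `feh` and the sample filename are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; sh_quote, write_bg_*, run_with_stub and try_name are
# hypothetical names, and "feh --bg-scale <file>" is an assumed line format.

# Wrap $1 in single quotes, turning each embedded ' into '\'' so that a
# shell reads the result back as exactly one literal word.
sh_quote() {
    q="'" s=$1 out=
    while :; do
        case $s in
            *"$q"*) head=${s%%"$q"*}; s=${s#*"$q"}; out="$out$head'\\''" ;;
            *) out="$out$s"; break ;;
        esac
    done
    printf '%s' "'$out'"
}

# Unquoted writer: the filename becomes shell source in the generated script.
write_bg_unquoted() { printf 'feh --bg-scale %s\n' "$1" > "$2"; }
# Quoted writer: the filename can only ever be one argument to feh.
write_bg_quoted() { printf 'feh --bg-scale %s\n' "$(sh_quote "$1")" > "$2"; }

# Source script $1 in a subshell where feh is a stub that records the
# filename argument it received into file $2.
run_with_stub() (
    cd "$(dirname "$1")" || exit 1
    arg_out=$2
    feh() { shift; printf '%s' "$1" > "$arg_out"; }
    . "$1"
)

# Write a script for filename $2 with writer $1, run it in a scratch
# directory, and print "<MARKER created: yes|no> <argument feh saw>".
try_name() {
    dir=$(mktemp -d) || return 1
    "$1" "$2" "$dir/fehbg"
    run_with_stub "$dir/fehbg" "$dir/arg" || true
    if [ -e "$dir/MARKER" ]; then m=yes; else m=no; fi
    printf '%s %s\n' "$m" "$(cat "$dir/arg" 2>/dev/null)"
    rm -rf "$dir"
}

name='photo.jpg; touch MARKER'        # constructed sample filename
try_name write_bg_unquoted "$name"    # yes photo.jpg
try_name write_bg_quoted "$name"      # no photo.jpg; touch MARKER
```

With the quoted writer the stub receives the whole filename as a single argument and no marker file appears in the scratch directory.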


