[SECURITY] [DSA 643-1] New queue packages fix buffer overflows

2005-01-18 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 643-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 18th, 2005  http://www.debian.org/security/faq
- --

Package: queue
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE ID : CAN-2004-0555

jaguar of the Debian Security Audit Project has discovered several
buffer overflows in queue, a transparent load balancing system.

For the stable distribution (woody) these problems have been fixed in
version 1.30.1-4woody2.

For the unstable distribution (sid) these problems have been fixed in
version 1.30.1-5.

We recommend that you upgrade your queue package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2.dsc
  Size/MD5 checksum:      582 24c706e1af4baa9e8ac3dc02c8d72dce
http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2.diff.gz
  Size/MD5 checksum:    42917 cb036472a17be964822cd1748dff9c5f
http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1.orig.tar.gz
  Size/MD5 checksum:   699770 82dd2a37f9c3d5f977afc0a990c9c648

  Alpha architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_alpha.deb
  Size/MD5 checksum:   134242 cf2f009836139723d0b9eeccf6497e89

  ARM architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_arm.deb
  Size/MD5 checksum:   112840 f2ee06cf9103664ae7dd631ff9cc5173

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_i386.deb
  Size/MD5 checksum:   108874 777f71c6cf3136e7143094f9ba4507f7

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_ia64.deb
  Size/MD5 checksum:   151766 caa6d74226f7ad6ebfbb50402b366693

  HP Precision architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_hppa.deb
  Size/MD5 checksum:   116304 145964aa0dfd6fe42f6a67104af370a5

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_m68k.deb
  Size/MD5 checksum:   105868 d9035e0b49e56257444d1445b9f2b48a

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_mips.deb
  Size/MD5 checksum:   117588 1d67e473d49dcfc3e6b8c083976ee22a

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_mipsel.deb
  Size/MD5 checksum:   118012 721e4a42ae02098ff7acd6fbe60934c7

  PowerPC architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_powerpc.deb
  Size/MD5 checksum:   112670 a294d33370973324ef46a8beaf20880a

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_s390.deb
  Size/MD5 checksum:   112492 799fe37a8371ab10c4fb78298b054b8e

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/q/queue/queue_1.30.1-4woody2_sparc.deb
  Size/MD5 checksum:   123792 6a6685be2847e8c50c71712b80b05c2c


  These files will probably be moved into the stable distribution on
  its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB7MfgW5ql+IAeqTIRAk5gAKCiF4/BxJKCS9sO/unLnxk20Q/IkwCgp1pG
HTFfGLLM5sBKoRYUI5VqR3Y=
=LOOJ
-END PGP SIGNATURE-



Re: [SECURITY] [DSA 643-1] New queue packages fix buffer overflows

2005-01-18 Thread David

Hello Martin,

Just wanted to let you know that the last two announcements you sent
appear as blank messages in Thunderbird with an unnamed attachment -
perhaps due to the initial blank Content-Type: header.

David

On Tue, 18 Jan 2005, Martin Schulze wrote:

 [quoted DSA 643-1 advisory, identical to the message above]

-- 
| /+\ \| | |

David 

Re: [SECURITY] [DSA 643-1] New queue packages fix buffer overflows

2005-01-18 Thread Daniel van Eeden
Same problem with evolution 2.0.3

On Tue, 2005-01-18 at 05:25 -0500, David wrote:
 Hello Martin,
 
 Just wanted to let you know that the last two announcements you sent
 appear as blank messages in Thunderbird with an unnamed attachment -
 perhaps due to the initial blank Content-Type: header.
 
 David
 
 On Tue, 18 Jan 2005, Martin Schulze wrote:
 
  [quoted DSA 643-1 advisory, identical to the message above]

Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Sebastian Lövdahl

Martin Schulze wrote:
This message was modified by F-Secure Anti-Virus E-Mail Scanning.

This is what F-Secure gave me. Martin do you send viruses? ;)
Sebastian
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Willy Sjonfjell

test

Tue, 18.01.2005 at 10:41 +0100, Martin Schulze wrote:

plain text document attachment

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 644-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 18th, 2005  http://www.debian.org/security/faq
- --

Package: chbg
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID : CAN-2004-1264
Debian Bug : 285904

Danny Lungstrom discovered a vulnerability in chbg, a tool to change
background pictures.  A maliciously crafted configuration/scenario
file could overflow a buffer and lead to the execution of arbitrary
code on the victim's machine.

For the stable distribution (woody) this problem has been fixed in
version 1.5-1woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.5-4.

We recommend that you upgrade your chbg package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1.dsc
  Size/MD5 checksum:      600 3cb28b61fb97dca63f09a486dae5612f
http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1.diff.gz
  Size/MD5 checksum:     3612 08098cf0fec406380e968186766de027
http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5.orig.tar.gz
  Size/MD5 checksum:   322878 4a158c94c25b359c86da1de9ef3e986b

  Alpha architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_alpha.deb
  Size/MD5 checksum:   294456 afd6ce377d43c0df909d955e04c328cd

  ARM architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_arm.deb
  Size/MD5 checksum:   247338 878c528ab81decd999503ad47557fc4a

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_i386.deb
  Size/MD5 checksum:   244862 d3a09b86dfc44164c541cda2eb66ce66

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_ia64.deb
  Size/MD5 checksum:   345228 e4b9ae6b9da9c34d5a930727bdfc1a44

  HP Precision architecture:

Cannot be updated due to compiler error.

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_m68k.deb
  Size/MD5 checksum:   222916 7dce4c0b3ae27f624ee472bd153d5c66

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_mips.deb
  Size/MD5 checksum:   249054 66402b53b158bfa0b2144b6b97b1d794

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_mipsel.deb
  Size/MD5 checksum:   247536 769f5074ad1f4b148191d0e196d01778

  PowerPC architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_powerpc.deb
  Size/MD5 checksum:   271272 f6b03b2a05de42ee203d7d9cbfe7c468

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_s390.deb
  Size/MD5 checksum:   239098 f20c7b0e36ecfc4540d3673f4ec477dd

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/c/chbg/chbg_1.5-1woody1_sparc.deb
  Size/MD5 checksum:   263302 28df5318e314bbaf79493b485aa6cffa


  These files will probably be moved into the stable distribution on
  its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB7NmrW5ql+IAeqTIRAmUEAKCLSpd0/8eiiFhfymdRCV70pS6p9QCfUIfW
JmmWy3Pi87ZjfreLomQQIls=
=WpPd
-END PGP SIGNATURE-


Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Moe
After all these months/years of warnings to NEVER open email 
attachments, why are you sending attachments instead of in-line?

Martin Schulze wrote:
 
Part 1   Type: C
 Encoding: 8bit





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Moe:
 Martin Schulze wrote:
  
 Part 1   Type: C
  Encoding: 8bit
 
 After all these months/years of warnings to NEVER open email 
 attachments, why are you sending attachments instead of in-line?

People who don't use stupid Windows email clients have no trouble with
attachments at all.  Attachments are a very useful tool; for instance,
for code listings, they arrive unmangled by line wrap.

Get a better email client, running on a better OS.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread David Mandelberg
s. keeling wrote:
 Incoming from Moe:
  Martin Schulze wrote:
   Part 1   Type: C
   Encoding: 8bit
  
  After all these months/years of warnings to NEVER open email 
  attachments, why are you sending attachments instead of in-line?
 
 People who don't use stupid Windows email clients have no trouble with
 attachments at all.  Attachments are a very useful tool; for instance,
 for code listings, they arrive unmangled by line wrap.
 
 Get a better email client, running on a better OS.

Do you mean to say that opening message.txt\t\t\t.desktop which happens to be
a freedesktop.org compliant launcher for the program rm -rf $HOME is safe
because it's designed for people running one of the F/OSS products GNOME or KDE
on a F/OSS OS?

I agree that not opening any attachments is counter-productive and shows
paranoia, but we shouldn't feel that just because F/OSS is better than e.g. MS
Windows it's infinitely better.

-- 
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GAT/CM$/CS$/CC/IT$/M/S/O/U dpu s+:++ !a C++$C+++$
UB+++$L$*-- P+++$ L+++()$ E-(---) W+++$ N(+) o? K-
w--(---) O? M V? PS++@ PE-@ Y+@ PGP++(+++)$ t? 5? X? R tv--(-)
b++(+++)@ DI? D? G e- h* r? z*
--END GEEK CODE BLOCK--

David Mandelberg
[EMAIL PROTECTED]





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Rick Moen
Quoting David Mandelberg ([EMAIL PROTECTED]):

 Do you mean to say that opening message.txt\t\t\t.desktop which
 happens to be a freedesktop.org compliant launcher for the program rm
 -rf $HOME is safe because it's designed for people running one of the
 F/OSS products GNOME or KDE on a F/OSS OS?

Please advise this mailing list of which specific Linux or BSD MUA (or
specific configuration thereof) is willing to execute a received binary
or script attachment.  I'll be very interested to read your specific report
that details an actual, reproducible test.

In anticipation,
Rick M.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Denis O'Toole
Can you please OT: this
Regards
Denis O'Toole
Moe wrote:
 After all these months/years of warnings to NEVER open email 
 attachments, why are you sending attachments instead of in-line?
 
 Martin Schulze wrote:
  Part 1   Type: C
   Encoding: 8bit




Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread David Mandelberg
Rick Moen wrote:
 Quoting David Mandelberg ([EMAIL PROTECTED]): 
  Do you mean to say that opening message.txt\t\t\t.desktop which
  happens to be a freedesktop.org compliant launcher for the program rm
  -rf $HOME is safe because it's designed for people running one of the
  F/OSS products GNOME or KDE on a F/OSS OS?
 
 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received binary
 or script attachment.  I'll be very interested to read your specific report
 that details an actual, reproducible test.

Attached.

Save to your GNOME/KDE desktop (like many newbies do) and double click  the new
icon. .desktop files (currently) don't need the x bit set to work, so no
chmod'ing is necessary.

This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if it
had Terminal=false, had the OOo writer icon, a title of something.sxw and
actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
some poor newbie's $HOME.

-- 

David Mandelberg
[EMAIL PROTECTED]


message.txt .desktop
Description: application/desktop
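The launcher David describes in the two messages above has a recognisable shape: a file name that looks like a document with whitespace pushing the real .desktop suffix out of view, a Name= and icon borrowed from a document type, Terminal=false so nothing visible appears, and an Exec= line that runs on double-click, all without the executable bit. A mail gateway or triage script can check an attachment for exactly those indicators. The Python below is an added example for this thread, not the attachment David posted and not a Debian tool; the sample file name and contents are constructed, the list of document suffixes is an assumption, and the key names (Type, Name, Icon, Terminal, Exec) follow the freedesktop.org desktop-entry format the thread refers to.

```python
"""Flag freedesktop .desktop attachments that masquerade as documents.

Added example for this thread; not an attachment from the thread and not a
Debian tool. Key names follow the freedesktop.org desktop-entry format; the
sample file names and contents below are constructed for the demonstration.
"""

# Constructed sample: the launcher shape described in the thread. Tab padding
# pushes the real suffix out of view, the visible part of the name looks like
# a text file, and Terminal=false keeps the command off-screen.
SAMPLE_FILENAME = "message.txt\t\t\t.desktop"
SAMPLE_CONTENT = """[Desktop Entry]
Type=Application
Name=message.txt
Icon=text-x-generic
Terminal=false
Exec=sh -c 'echo this command would run on double-click; sleep 5'
"""

# Constructed benign launcher for comparison: it runs a command too, but does
# not pretend to be a document.
BENIGN_FILENAME = "editor.desktop"
BENIGN_CONTENT = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit
Terminal=false
"""

# Extensions a launcher might borrow to look like a document (assumed list;
# the thread itself names .txt and .sxw).
DOCUMENT_SUFFIXES = (".txt", ".sxw", ".doc", ".odt", ".pdf")


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group as a dict.

    Only that group decides what launching does; other groups (actions,
    locale variants) are ignored. Comments and blank lines are skipped.
    """
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def masquerade_indicators(filename, text):
    """List the disguise and execution indicators found in one attachment."""
    findings = []
    entries = parse_desktop_entry(text)
    if not entries:
        return findings  # not a desktop entry at all
    stem = filename[:-len(".desktop")] if filename.endswith(".desktop") else filename
    # Tabs, newlines or runs of spaces before the real suffix hide it in a
    # file manager, as in the thread's message.txt<tabs>.desktop.
    if any(ch in stem for ch in "\t\n\r") or "  " in stem:
        findings.append("whitespace padding hides the .desktop suffix")
    if stem.rstrip().lower().endswith(DOCUMENT_SUFFIXES):
        findings.append("file name imitates a document")
    if entries.get("Name", "").lower().endswith(DOCUMENT_SUFFIXES):
        findings.append("Name= imitates a document")
    if entries.get("Type") == "Application" and "Exec" in entries:
        findings.append("Exec= runs a command: " + entries["Exec"])
        # Terminal defaults to false in the desktop-entry format, so an absent
        # key is as silent as an explicit Terminal=false.
        if entries.get("Terminal", "false").lower() == "false":
            findings.append("Terminal=false: the command runs without a visible window")
    # The thread notes that the executable bit is not required for these
    # files, so file mode bits are deliberately not consulted here.
    return findings


def looks_like_masquerade(filename, text):
    """True when an entry both runs a command and disguises itself as a document."""
    findings = masquerade_indicators(filename, text)
    disguised = any("imitates" in f or "hides" in f for f in findings)
    runs_command = any(f.startswith("Exec=") for f in findings)
    return disguised and runs_command


if __name__ == "__main__":
    for name, content in ((SAMPLE_FILENAME, SAMPLE_CONTENT), (BENIGN_FILENAME, BENIGN_CONTENT)):
        verdict = "masquerade" if looks_like_masquerade(name, content) else "plain launcher"
        print(repr(name), verdict)
        for finding in masquerade_indicators(name, content):
            print("   -", finding)
```

The verdict deliberately requires both a disguise indicator and an Exec= line: a launcher that runs a command is normal, and flagging every .desktop file would only teach users to ignore the warning. Whitespace in the stem is checked on the raw name rather than the displayed one, because the display is exactly what the padding is meant to fool.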


Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from David Mandelberg:
 s. keeling wrote:
  Incoming from Moe:
   Martin Schulze wrote:
    Part 1   Type: C
     Encoding: 8bit
   
   After all these months/years of warnings to NEVER open email 
   attachments, why are you sending attachments instead of in-line?
  
  People who don't use stupid Windows email clients have no trouble with
  attachments at all.  Attachments are a very useful tool; for instance,
  for code listings, they arrive unmangled by line wrap.
  
  Get a better email client, running on a better OS.
 
 Do you mean to say that opening message.txt\t\t\t.desktop which happens to be
 a freedesktop.org compliant launcher for the program rm -rf $HOME is safe

No, I assume people have half a brain in their heads, look at the
attachment type, maybe save it to a file and inspect it, then maybe
look at it or delete it.  Too much work?  Okay, slap a lot of autoload
crap in your .mailcap and watch your system disappear.  You don't
_have_ to look at an attachment if you don't trust it.  Write the
person who you got it from and tell them to post it on a website
instead.  Then point something sensible like firefox at it.

How often have you seen a freedesktop.org compliant launcher for the
program rm -rf $HOME anyway?  I never have.  'Sound like a
Microsoft Security Update (aka Swen) to me.  Okay, it could happen.
That's why I take the time to think about what I'm doing.

 I agree that not opening any attachments is counter-productive and shows

Fear of opening attachments is stupid.  It's fear mongering based on
experience with Windows applications' ineptitude.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Rick Moen
Quoting David Mandelberg ([EMAIL PROTECTED]):

 Attached.
 
 Save to your GNOME/KDE desktop (like many newbies do) and double click
 the new icon. .desktop files (currently) don't need the x bit set to
 work, so no chmod'ing is necessary.

I'm sorry, but the question was: 

 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received
 binary or script attachment.  I'll be very interested to read your specific
 report that details an actual, reproducible test.

You appear to have answered some question I didn't ask.





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Rick Moen:
 Quoting David Mandelberg ([EMAIL PROTECTED]):
 
  Do you mean to say that opening message.txt\t\t\t.desktop which
  happens to be a freedesktop.org compliant launcher for the program rm
  -rf $HOME is safe because it's designed for people running one of the
  F/OSS products GNOME or KDE on a F/OSS OS?
 
 Please advise this mailing list of which specific Linux or BSD MUA (or
 specific configuration thereof) is willing to execute a received binary

Hi Rick.  :-)

Well, even mutt will, if you turn on autoload crap in .muttrc and load
up your .mailcap with stupid helper apps.

Out of the box, no, mutt doesn't do that.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Rick Moen
Quoting s. keeling ([EMAIL PROTECTED]):

 Well, even mutt will, if you turn on autoload crap in .muttrc and load
 up your .mailcap with stupid helper apps.
 
 Out of the box, no, mutt doesn't do that.

Ja.  We might call the .mailcap scenario the aim-gun-at-my-foot-please 
mutt extension.  Maybe someone can file an ITP for it, as package mutt-fod 
(for Friends of Darwin).  ;-

-- 
Cheers,  Hardware:  The part you kick.
Rick MoenSoftware:  The part you boot.
[EMAIL PROTECTED]





Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Denis O'Toole:
 Can you please OT: this

Hint:  the d key will probably do this for you.  Please stop
interfering with discussions of insecure applications on
debian-security.  TVM.  :-)


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -





Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Alvin Oga

On Tue, 18 Jan 2005, David Mandelberg wrote:

 Save to your GNOME/KDE desktop (like many newbies do) and double click the new
 icon. .desktop files (currently) don't need the x bit set to work, so no
 chmod'ing is necessary.

that'd be dumb of the user
 
 This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if it
 had Terminal=false, had the OOo writer icon, a title of something.sxw and
 actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
 some poor newbie's $HOME.

that'd be even dumber of the user ..

and it is a known problem from 15-20 years ago ..

- don't click or execute commands you do not know 
what it will be doing

- even simple things like ls, tar, cat can be renamed ( cracked )
to something more painful

- it's not a security issue ... and is unsolvable, not preventable
  if you click on things or execute commands manually

- the super paranoid might be using encrypted fs with 
md5 of their commands before executing cat foo

c ya
alvin






Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread s. keeling
Incoming from Rick Moen:
 Quoting s. keeling ([EMAIL PROTECTED]):
 
  Well, even mutt will, if you turn on autoload crap in .muttrc and load
  up your .mailcap with stupid helper apps.
  
  Out of the box, no, mutt doesn't do that.
 
 Ja.  We might call the .mailcap scenario the aim-gun-at-my-foot-please 

Ha!

The problem here is the nitwit factor.  Nitwits who are deathly afraid
of having to think about what to do with some obscure file format, want
their app/OS to just fscking handle it and do the right thing.  Well,
what app/OS is well known for that sort of behaviour?  And what are the
generally expected repercussions?  Oh yes.  Lookout! and Internet
Exploder, and consequently enabled viruses, worms, trojans, spambots,
spyware, ...

I say again to the original poster, get a better MUA, running on a
better OS.  I've no sympathy for your present situation.  Attachments
are a valuable feature that your system is unable to take advantage
of.  We don't have that problem here.  That's why we run Debian.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.
- -

