[Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers

Yves-Alexis Perez corsac at debian.org
Wed Feb 25 08:12:29 UTC 2009

On mer, 2009-02-25 at 02:08 -0500, Michael Gilbert wrote:
> On Wed, 25 Feb 2009 07:44:33 +0100 Yves-Alexis Perez wrote:
> > Can you point me to your patch to the specs? And your patch to the code?
> i understand that there's going to be a lot of work involved, and its
> easy for me to submit the problem, and hard for you to fix it.  i
> truely do appreciate that.  and i also understand that you're a
> volunteer, so technically, you don't really have to do anything if you
> don't want to.

No, and you perfectly now that. I'm not sure the severity is “grave”,
but you purposely put this tag, forbidding any thunar migration in
squeeze for the ongoing 4.6 release. (wow, this issue must really ease
release-time job… or not?)

Anyway, reporting bug is ok, we won't hide problems. The thing is, the
security is a tradeoff, and atm the risks are not really there, while
the countermeasure are quite invasive. If you think the risk is huge
(and deserves a grave bug), fine, but then you should think a patch is
needed fast. (and again, not just for debian, not just for Xfce, for the
> are [1],[2] the spec you are refering to?

No: http://standards.freedesktop.org/desktop-entry-spec/latest/


More information about the Pkg-xfce-devel mailing list