[Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers

Yves-Alexis Perez corsac at debian.org
Wed Feb 25 08:12:29 UTC 2009


On Wed, 2009-02-25 at 02:08 -0500, Michael Gilbert wrote:
> On Wed, 25 Feb 2009 07:44:33 +0100 Yves-Alexis Perez wrote:
> > Can you point me to your patch to the specs? And your patch to the code?
> 
> i understand that there's going to be a lot of work involved, and it's
> easy for me to submit the problem, and hard for you to fix it.  i
> truly do appreciate that.  and i also understand that you're a
> volunteer, so technically, you don't really have to do anything if you
> don't want to.

No, and you perfectly know that. I'm not sure the severity is “grave”,
but you purposely put this tag, forbidding any thunar migration in
squeeze for the ongoing 4.6 release. (wow, this issue must really ease
release-time job… or not?)

Anyway, reporting bugs is ok, we won't hide problems. The thing is, the
security is a tradeoff, and atm the risks are not really there, while
the countermeasures are quite invasive. If you think the risk is huge
(and deserves a grave bug), fine, but then you should think a patch is
needed fast. (and again, not just for debian, not just for Xfce, for the
spec).
> 
> are [1],[2] the spec you are referring to?

No: http://standards.freedesktop.org/desktop-entry-spec/latest/

-- 
Yves-Alexis





