[Pkg-xfce-devel] Bug#517020: thunar: potential exploits via application launchers

Michael S. Gilbert michael.s.gilbert at gmail.com
Sun Mar 1 17:44:41 UTC 2009


On Sun, 01 Mar 2009 10:16:27 +0100 wrote:

> > (although if that's the case, i think that there is a problem
> > with debian's documentation [1] since it appears to indicate that any
> > and all security holes are to be reported as grave).
> 
> It says “Most security bugs should also be set at critical or grave
> severity.” I guess you missed the “most”?

Yes indeed, I had overlooked that statement.  However, that is to be
found in the "Tags" section and not the "Severity levels" section, so I had
no reason to look there.  Anyway, "most" means most, and the "non-most"
category would primarily include no-data-compromise issues such as
denial of service, I believe.

> Anyway, I'm not really sure of the severity, it's not that easy to
> exploit, and exploited anyway. I'll summarize that upstream and decide
> then.

It is in fact trivial to exploit:

1. Place a malicious launcher (one that downloads and executes your
malicious script or executable, aka a trojan) on a popular website,
bittorrent, ftp, etc.
2. Wait for an unsuspecting user to visit the site, download the launcher, and
eventually wonder what that new icon does.
3. Success.

The only questionable aspects are how easy it will be for users to find
these things, and how many of them blindly click without considering
the consequences. Most Linux users are smart, but I would bet that at
least 75% don't do their homework to figure out what they have before
clicking on it.

Attackers have patience and understand the law of large numbers.

mike





More information about the Pkg-xfce-devel mailing list