[Pkg-xfce-devel] Bug#517020: Bug#517020: Bug#517020: Bug#517020: Bug#517020: thunar: potential exploits via application launchers

Yves-Alexis Perez corsac at debian.org
Sun Mar 1 22:35:31 UTC 2009

On Sun, 2009-03-01 at 12:44 -0500, Michael S. Gilbert wrote:
> On Sun, 01 Mar 2009 10:16:27 +0100 wrote:
> > > (although if that's the case, i think that there is a problem
> > > with debian's documentation [1] since it appears to indicate that any
> > > and all security holes are to be reported as grave).
> > 
> > It says “Most security bugs should also be set at critical or grave
> > severity.”. I guess you missed the “most”?
> yes indeed, i have overlooked that statement.  however, that is to be
> found in the "Tags" and not the "Severity levels" section, so i had
> no reason to look there. 

package: thunar
severity: grave
tags: security

You just discovered that “security” is a tag and not a severity?

>  anyway, "most" means most, and the "non-most"
> category would primarily include no-data-compromise issues such as
> denial-of-services, i believe.

Yes, most means most. Thanks!

> it is in fact trivial to exploit:

I already noticed we disagreed on that.

> attackers have patience and understand the law of large numbers.

Nice quote indeed.