Date: Fri, 05 Dec 2014 23:01:05 -0500
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Offset2lib: bypassing full ASLR on 64bit Linux

On 05/12/14 10:41 PM, Seth Arnold wrote:
> On Sat, Dec 06, 2014 at 01:44:31AM +0100, Hanno Böck wrote:
>
> A far better mechanism in Nautilus would be to use execve(2) on the
> pathname and see if it executes. Nautilus will never be good at guessing
> which files are actually executable on a given system and it is ridiculous
> for it to try to guess. It should just execute the selected file and if
> that fails, report the failure to the user.
> 
> One goofy filemanager doing something silly ought not stop Mozilla from
> shipping a safer Firefox.
> 
> Thanks

Desktop files already work fine, so why fix what's not broken? I don't
think it should fall back to executing stuff at all. TBH, inspecting
file content rather than the Windows / OS X method of relying on the
file extension is quite surprising for a GUI file manager.

Everything is executable (by default) on FAT32/NTFS and you'll run into
fun surprises when there aren't proper shebangs. For example, a Python
module beginning with "import math" attempts to run the imagemagick
import command and grabs onto your mouse cursor. I don't even want to
begin thinking about the security implications of passing everything
through libmagic (ugh) and then opening it in an application *based on
the file content*, which is essentially opaque to the user.
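
The "import math" surprise described above can be audited for. The following is an added example, not part of the original message: it flags files that carry an exec bit but have neither an ELF header nor a shebang, which is the case where execve(2) returns ENOEXEC and the launching shell falls back to running the file as a /bin/sh script. The names `classify_header`, `audit_tree` and `demo` are hypothetical, the sample files are constructed, and only ELF and `#!` are considered (no binfmt_misc handlers).

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
FALLBACK = "enoexec-shell-fallback"  # label chosen for this example

def classify_header(head: bytes) -> str:
    """Predict how an exec of a file starting with `head` is dispatched.
    Assumption: only ELF and '#!' are considered (no binfmt_misc handlers)."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        words = head[2:].split(b"\n", 1)[0].split()
        if words:
            return "shebang:" + words[0].decode(errors="replace")
    # execve(2) fails with ENOEXEC here; a shell or execvp(3) then retries
    # the file as a /bin/sh script, so "import math" runs the `import` command.
    return FALLBACK

def audit_tree(root: str) -> list[str]:
    """Return exec-bit regular files under root that /bin/sh would interpret."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & 0o111:
                continue
            with open(path, "rb") as fh:
                if classify_header(fh.read(256)) == FALLBACK:
                    flagged.append(path)
    return sorted(flagged)

def demo() -> list[str]:
    """Constructed sample tree; every file is 0755, as on a FAT32/NTFS mount."""
    samples = {
        "mod.py": b"import math\nprint(math.pi)\n",
        "tool.py": b"#!/usr/bin/env python3\nimport math\n",
        "prog": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9,
        "notes.txt": b"plain text\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o755)
        return [os.path.basename(p) for p in audit_tree(root)]
```

Calling `demo()` returns the two constructed files that lack both headers; `audit_tree()` can be pointed at a mounted removable volume to list the same class of files there.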

