Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 Oct 2023 17:31:07 -0500
From: Grant Taylor <gtaylor@...tconsulting.net>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you
 anytime

On 10/18/23 2:30 PM, Michael Orlitzky wrote:
> That's the crux of it but I don't think it frees Firefox from 
> responsibility.

Please elaborate on what Firefox's responsibility is here?

> Despite the premise being contrary to common sense and fifty years 
> of evidence, Firefox promises to sandbox all of the bad things that 
> untrusted third-party code might do to you.

So perhaps Firefox needs to change their statement / stance.  Much like 
Google Chrome got sued over private browsing mode not preventing web 
servers of pages your visiting retaining logs.

> Are there any other programs that run third-party code by default 
> and are not considered vulnerabilities?

I'm sure there are many things that run third-party code that people are 
not aware are vulnerable.  Email clients like Evolution come to mind.  I 
would be shocked if OpenOffice / LibreOffice probably also qualify as 
programs on *nix systems that have the possibility of unexpectedly 
modifying the clipboard / selection buffers*.

I saw an interesting thread -- I think on the Zsh mailing list -- 
talking about protecting end users from unexpected things that make 
sense in hindsight.  E.g. shell globing expanding `*` into all files in 
the directory, including files with `-` at the start of their name and 
potentially if not likely altering the behavior of the command, probably 
in an undesirable way.

I have to wonder how far programs / their programmers must go to protect 
users from themself.

Where does the program's / programmer's responsibility stop and the 
users responsibility start?

Aside:  The thread in question brought up some interesting idea, 
including altering how things that start with unsafe characters -- 
though I wonder why not all files -- with `./` so the `-bob` file 
becomes `./-bob` when expanded.  --  I wondered about prefixing globing 
with `--` which is the de-facto don't process anything after this as a 
command line flag.

*To those who would complain about my use of the term "buffer" ... I 
agree that the primary and secondary selection $TERM doesn't contain the 
selected data, rather pointer to the program containing the data.  But 
there is $SOMETHING that holds that information about where the 
selection is, a pointer of sorts.  I'm taking the liberty of using the 
term "buffer" to refer to this location holding the pointer to the 
information.  --  The clipboard is different and will retain data after 
the program that is the source of the data terminates, unlike the 
primary / secondary selection.



-- 
Grant. . . .
unix || die

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.