Date: Mon, 24 Nov 2014 11:25:34 +1100 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Subject: Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) On 23 November 2014 at 20:24, Michal Zalewski <lcamtuf@...edump.cx> wrote: > Ultimately, I think that there's an expectation that running less on a > downloaded file won't lead to RCE, and the lesspipe behavior in many > distros is almost certainly violating that. I'm also not sure if the > automation actually scratches any real itch - I doubt that people try > to run 'less' on CD images or ar archives when knowingly working with > files of that sort. > > WDYT? It's distros that are shipping the lesspipe defaults (AFAIK), and at-least the ones you mentioned have "sandbox" capabilities. I think it's reasonable on Ubuntu and RHEL to use AppArmor/SELinux to be paranoid in a lesspipe context (eg. not allow access to private files etc - it pipes right?). Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.