Date: Fri, 05 Dec 2014 23:01:05 -0500 From: Daniel Micay <danielmicay@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Offset2lib: bypassing full ASLR on 64bit Linux On 05/12/14 10:41 PM, Seth Arnold wrote: > On Sat, Dec 06, 2014 at 01:44:31AM +0100, Hanno Böck wrote: > > A far better mechanism in Nautilus would be to use execve(2) on the > pathname and see if it executes. Nautilus will never be good at guessing > which files are actually executable on a given system and it is ridiculous > for it to try to guess. It should just execute the selected file and if > that fails, report the failure to the user. > > One goofy filemanager doing something silly ought not stop Mozilla from > shipping a safer Firefox. > > Thanks Desktop files already work fine, so why fix what's not broken? I don't think it should fall back to executing stuff at all. TBH, inspecting file content rather than the Windows / OS X method of relying on the file extension is quite surprising for a GUI file manager. Everything is executable (by default) on FAT32/NTFS and you'll run into fun surprises when there aren't proper shebangs. For example, a Python module beginning with "import math" attempts to run the imagemagick import command and grabs onto your mouse cursor. I don't even want to begin thinking about the security implications of passing everything through libmagic (ugh) and then opening it in an application *based on the file content*, which is essentially opaque to the user. Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.