Message-ID: <31c511c3-5e29-4d2d-bfd1-ad1e336f5541@gmail.com>
Date: Wed, 20 May 2026 14:28:19 -0400
From: Demi Marie Obenour <demiobenour@...il.com>
To: oss-security@...ts.openwall.com, Simon McVittie <smcv@...ian.org>
Cc: arraybolt3@...eup.net
Subject: Re: On the issue of MIME handlers that execute arbitrary code (e.g. Wine)

On 5/20/26 05:51, Simon McVittie wrote:
> On Tue, 19 May 2026 at 19:30:42 -0400, Aaron Rainbolt wrote:
>> I wonder if it would be worth proposing a change to whatever system
>> component handles opening files (probably something in Glib, or
>> xdg-utils, haven't researched that deeply yet)
>
> It's a general-purpose specification that is designed to be implemented
> by an unlimited number of packages, some of them desktop-specific:
>
> * GLib, and via that, gio(1), xdg-desktop-portal and flatpak-xdg-utils'
>   xdg-open(1) reimplementation
> * some Qt/KDE library (I'm less familiar with the KDE world, so I don't
>   know whether this is done in the Qt layer or somewhere in kdelibs)
> * xdg-utils' xdg-open(1) (the reference implementation of that name)
> * Debian's mailcap package, which translates fd.o MIME handlers into
>   traditional mailcap(5) handlers
> * web browsers like Firefox and Chromium might reimplement it? not sure
> * ...
>
> so any change to how the spec is to be implemented would have to be
> fd.o consensus and spread across all of those.

Honestly, I think the open-ended nature makes it inherently insecure. Sandboxes should only allow an allowlist of file types and make everything else fall back to a safe default. This could be a simple text editor (no IDE support!) for text files, and a hex editor (or an error) for binary files.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
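The allowlist-plus-safe-fallback dispatch described in the message above, as an added example that is not part of the original post or of any of the projects it names. It assumes a sandbox that keeps its own short MIME allowlist instead of consulting the open-ended fd.o handler database; the handler names (`safe-image-viewer`, `plain-text-editor`, `hex-viewer`, and so on) are constructed placeholders, not real commands, and the text/binary heuristic is a simple one chosen for illustration.

```python
"""Allowlist-based file dispatch for a sandbox (added example, not project code).

A file is handed to a dedicated handler only if its MIME type is on a short
allowlist the sandbox controls.  Anything else, whatever its declared type,
falls back to a viewer that treats the bytes as data and cannot execute them:
a plain text editor for text-like content, a hex viewer for everything else.
"""
from dataclasses import dataclass

# Constructed allowlist: MIME type -> argv prefix.  Handler names are
# placeholders; argv lists are used so no shell ever parses the file name.
ALLOWLIST = {
    "image/png": ["safe-image-viewer"],
    "image/jpeg": ["safe-image-viewer"],
    "application/pdf": ["sandboxed-pdf-viewer"],
    "text/plain": ["plain-text-editor"],
}

TEXT_FALLBACK = ["plain-text-editor"]   # never an IDE or an interpreter
BINARY_FALLBACK = ["hex-viewer"]        # or refuse to open at all


@dataclass(frozen=True)
class Decision:
    argv: list          # handler argv prefix, file path to be appended
    allowlisted: bool   # True if the declared type was on the allowlist


def looks_like_text(data: bytes, sample: int = 8192) -> bool:
    """Heuristic: no NUL bytes and valid UTF-8 within the first `sample` bytes."""
    head = data[:sample]
    if b"\x00" in head:
        return False
    try:
        head.decode("utf-8")
    except UnicodeDecodeError as e:
        # Only tolerate a multi-byte sequence cut off by the sampling itself.
        return len(data) > sample and e.start >= len(head) - 3
    return True


def choose_handler(mime_type: str, data: bytes) -> Decision:
    """Pick a handler from the allowlist, or a non-executing fallback viewer.

    The declared MIME type is trusted only far enough to look it up in the
    allowlist; off-list types are ignored and the fallback is chosen from
    the bytes themselves, so a declared 'application/x-msdos-program' never
    reaches a handler that would run it.
    """
    mime = mime_type.split(";", 1)[0].strip().lower()   # drop parameters
    if mime in ALLOWLIST:
        return Decision(list(ALLOWLIST[mime]), True)
    if looks_like_text(data):
        return Decision(list(TEXT_FALLBACK), False)
    return Decision(list(BINARY_FALLBACK), False)


def dispatch_argv(mime_type: str, path: str, data: bytes) -> list:
    """Full argv the sandbox would exec (without a shell) for this file."""
    return choose_handler(mime_type, data).argv + [path]


if __name__ == "__main__":
    # Constructed sample inputs.
    print(dispatch_argv("application/x-msdos-program", "setup.exe", b"MZ\x90\x00\x03"))
    print(dispatch_argv("text/x-python", "run.py", b"import os\nos.system('id')\n"))
    print(dispatch_argv("image/png", "pic.png", b"\x89PNG\r\n\x1a\n"))
```

The point of the design is that an unknown or off-list type can only reach two outcomes, both of which display the file rather than interpret it; extending the sandbox's capabilities means adding an entry to `ALLOWLIST` deliberately, not inheriting whatever the desktop's MIME database happens to map.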