bug-gv
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-gv] Security issues


From: Markus Steinborn
Subject: Re: [bug-gv] Security issues
Date: Sat, 29 May 2010 19:19:11 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.9) Gecko/20100317 SeaMonkey/2.0.4

Bernhard R. Link schrieb:
2) [...]
Adding a -P- needs to change this resource. I've not looked but I fear
the user having a .gv file might making changing the default hard,
so a proper fix for this is not that easy...

[...]
4) [...]

Again changing the default is easy but users might have config
files. Perhaps one should replace the first space with " -P- " in
this string if there is no -P in it. (so -P- and -P will cause the user
to get their setting, otherwise a safe value is generated).
Both problems are essentially the same. I would say we have at least three options:

(1) Rewrite the command before execution, adding the option "-P-" at the beginning.

(2) Changing the default resources and increasing the required version of the resources so gv-update-userconfig deletes the vulnerable resources.

(3) Changing the default resources and open a big warning if "-P- " isn't a substring of the resource string in question.



Solution (1) has the advantage that no user interaction is required.


Greetings from Germany

Markus Steinborn
GNU gv maintainer




reply via email to

[Prev in Thread] Current Thread [Next in Thread]