From: Markus Steinborn
Subject: Re: [bug-gv] Security issues
Date: Sat, 29 May 2010 19:19:11 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.9) Gecko/20100317 SeaMonkey/2.0.4

Bernhard R. Link wrote:
> 2) [...] Adding a -P- needs to change this resource. I've not looked but I fear the user having a .gv file might make changing the default hard, so a proper fix for this is not that easy...
> [...]
> 4) [...] Again changing the default is easy but users might have config files. Perhaps one should replace the first space with " -P- " in this string if there is no -P in it. (so -P- and -P will cause the user to get their setting, otherwise a safe value is generated).

Both problems are essentially the same. I would say we have at least three options:

(1) Rewrite the command before execution, adding the option "-P-" at the beginning.
(2) Changing the default resources and increasing the required version of the resources so gv-update-userconfig deletes the vulnerable resources.
(3) Changing the default resources and opening a big warning if "-P- " isn't a substring of the resource string in question.

Solution (1) has the advantage that no user interaction is required.

Greetings from Germany

Markus Steinborn
GNU gv maintainer
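
A sketch of the rewrite discussed in this message, added here as an example and not taken from gv's source: it inserts "-P-" after the program name unless the string already carries -P or -P-, which is the variant from the quoted point 4). The function names and the sample command strings are hypothetical, and treating "-P in it" as a whole whitespace-delimited token is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WS " \t"

/* 1 if cmd has -P or -P- as a whole token (so "-dPDF" does not count).
 * Assumption: plain whitespace splitting, shell quoting is not parsed. */
static int has_P_option(const char *cmd)
{
    const char *p = cmd;
    while (*p) {
        p += strspn(p, WS);
        size_t len = strcspn(p, WS);
        if ((len == 2 && memcmp(p, "-P", 2) == 0) ||
            (len == 3 && memcmp(p, "-P-", 3) == 0))
            return 1;
        p += len;
    }
    return 0;
}

/* Return a malloc'd copy of cmd with " -P- " in place of the first
 * separator after the program name. A user-supplied -P or -P- is kept
 * as is. Caller frees; NULL on allocation failure. */
char *harden_gs_command(const char *cmd)
{
    size_t n = strlen(cmd);
    char *out = malloc(n + sizeof " -P- ");
    if (out == NULL)
        return NULL;
    if (has_P_option(cmd))
        return strcpy(out, cmd);

    /* Skip leading blanks so -P- never lands before the program name. */
    const char *prog = cmd + strspn(cmd, WS);
    const char *sep = prog + strcspn(prog, WS);
    size_t head = (size_t)(sep - cmd);

    memcpy(out, cmd, head);
    if (*sep == '\0')                 /* bare program name: append */
        strcpy(out + head, " -P-");
    else                              /* replace the separator itself */
        sprintf(out + head, " -P- %s", sep + 1);
    return out;
}

int main(void)
{
    /* Constructed sample strings, not gv's real resource defaults. */
    const char *samples[] = { "gs -dNOPAUSE -q", "gs -P -q", "gs" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *fixed = harden_gs_command(samples[i]);
        printf("%-18s => %s\n", samples[i], fixed ? fixed : "(alloc failed)");
        free(fixed);
    }
    return 0;
}
```

Option (1) as stated above would differ only in dropping the has_P_option() check, so that "-P-" is always added.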