Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACYkhxiG76ZGeQKkWpXohKMCdcF7YHWHFT3dSDRfxPvEo9F6aQ@mail.gmail.com>
Date: Mon, 24 Nov 2014 11:25:34 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: so, can we do something about lesspipe? (+ a cpio
 bug to back up the argument)

On 23 November 2014 at 20:24, Michal Zalewski <lcamtuf@...edump.cx> wrote:
> Ultimately, I think that there's an expectation that running less on a
> downloaded file won't lead to RCE, and the lesspipe behavior in many
> distros is almost certainly violating that. I'm also not sure if the
> automation actually scratches any real itch - I doubt that people try
> to run 'less' on CD images or ar archives when knowingly working with
> files of that sort.
>
> WDYT?

It's distros that are shipping the lesspipe defaults (AFAIK), and
at-least the ones you
mentioned have "sandbox" capabilities.  I think it's reasonable on
Ubuntu and RHEL
to use AppArmor/SELinux to be paranoid in a lesspipe context (eg. not
allow access
to private files etc - it pipes right?).

Regards,
  Michael

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.