[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Thoughts on the standardization of Org
From: |
Tim Cross |
Subject: |
Re: Thoughts on the standardization of Org |
Date: |
Wed, 11 Nov 2020 09:30:10 +1100 |
User-agent: |
mu4e 1.5.6; emacs 27.1.50 |
Jean Louis <bugs@gnu.support> writes:
> * Maxim Nikulin <manikulin@gmail.com> [2020-11-10 19:31]:
>> 2020-11-10 Greg Minshall wrote:
>> >
>> > i would guess
>> > using 'cat -v' to read e-mail is 100% safe. even throwing in
>> > uudecode(1), or whatever is needed to decode base64, (and then piping
>> > through 'cat -v', of course ), it's probably still safe.
>>
>> Please, check that you have at least updated tmux before applying such
>> "safe" handler: https://www.openwall.com/lists/oss-security/2020/11/05/3 The
>> news are too recent to not mention the link in such context.
>>
>> The sour story is that it is unsafe to feed non-trusted files directly to
>> terminal. A filter against control sequences is required.
>
> Is there anyway to disable control sequences? Than cat can be aliased.
It should be noted that this vulnerability is a buffer overflow exploit
which ASLR effectively mitigates. This doesn't mean that it isn't a
serious bug in tmux, but it does mean that unless you have disabled
ASLR, there is no known exploit (i.e. it is only theoretical). Given the
popularity of tmux, I suspect it will be patched and a new version
released fairly quickly.
I guess this does highlight the point that *any* data from an external
source can potentially be a threat. You cannot eliminate the risks, only
manage them down to an acceptable level. What is acceptable will vary
for each user.
--
Tim Cross
- Re: Thoughts on the standardization of Org, (continued)
- Re: Thoughts on the standardization of Org, Tim Cross, 2020/11/09
- Re: Thoughts on the standardization of Org, Greg Minshall, 2020/11/09
- Re: Thoughts on the standardization of Org, Tim Cross, 2020/11/09
- Re: Thoughts on the standardization of Org, Greg Minshall, 2020/11/10
- Re: Thoughts on the standardization of Org, Maxim Nikulin, 2020/11/10
- Re: Thoughts on the standardization of Org, Jean Louis, 2020/11/10
- Re: Thoughts on the standardization of Org,
Tim Cross <=
- Re: Thoughts on the standardization of Org, Jean Louis, 2020/11/11
- Re: Thoughts on the standardization of Org, Tim Cross, 2020/11/11
- Re: Thoughts on the standardization of Org, Maxim Nikulin, 2020/11/27
- Re: Thoughts on the standardization of Org, Jean Louis, 2020/11/27
- Re: Thoughts on the standardization of Org, Maxim Nikulin, 2020/11/11
- Re: Thoughts on the standardization of Org, Jean Louis, 2020/11/11
- Re: Thoughts on the standardization of Org, Greg Minshall, 2020/11/11
- Re: Thoughts on the standardization of Org, Greg Minshall, 2020/11/10
- Emails are not safe - Re: Thoughts on the standardization of Org, Jean Louis, 2020/11/10
- Re: Thoughts on the standardization of Org, Dr. Arne Babenhauserheide, 2020/11/02