[Users] That won't work.

Ralf Mardorf kde.lists at yahoo.com
Mon Oct 12 22:19:39 CEST 2020


On Mon, 12 Oct 2020 20:36:59 +0100, Dave Howorth wrote:
>You're definitely not understanding the problem. Please read again the
>bit about "a script that *you* have written" and engage the brain and
>try to understand the whole picture.

Hi Dave,

from 2001: "Dave: What's the problem?
            HAL : I think you know what the problem is just as well as I
                  do."

The scripts I wrote, that are executed by Claws, cannot execute third
party commands/software, unless there's a serious CVE in my install's
infrastructure. Actually each update I run runs 2 auditing tools, one
triggered by a hook and another by a wrapper script.

arch-audit 0.1.15-2
    An utility like pkg-audit based on Arch CVE Monitoring Team data

pkg-audit 0.3-1
    audit installed packages against known vulnerabilities

If you want to ensure that your freakish approach is safe, too,
consider using some kind of sandbox. Even then you might feel unsafe
against zero-day exploits, let alone that we have only got mitigations
to work around Meltdown and Spectre.

[rocketmouse at archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
KVM: Mitigation: Split huge pages
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
Mitigation: Clear CPU buffers; SMT disabled
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
Mitigation: Microcode
Not affected

However, what you call a bug in Claws isn't a bug. It is not a
security risk. Consider engaging your brain.

Regards,
Ralf
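
Added example, not part of the message above: `cat` over the whole sysfs directory prints the statuses without their file names, so this sketch labels each entry and flags any line that still reports a vulnerable component. The function names are hypothetical, and the sample directory (including its "SMT vulnerable" line) is constructed.

```shell
#!/bin/sh
# Label and classify entries of /sys/devices/system/cpu/vulnerabilities.

# classify STATUS -> prints ok | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        # Checked first: a line may start with "Mitigation:" and still report
        # a vulnerable sub-component, e.g. "...; SMT vulnerable".
        *[Vv]ulnerable*) echo vulnerable ;;
        "Not affected"*) echo ok ;;
        *Mitigation:*)   echo mitigated ;;  # also "KVM: Mitigation: ..."
        *)               echo unknown ;;
    esac
}

# report DIR -> one "class name status" line per file;
# returns 1 if any entry is vulnerable or unknown.
report() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify "$status")
        printf '%-10s %-18s %s\n' "$class" "${f##*/}" "$status"
        case "$class" in ok|mitigated) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample directory so the script runs on any machine.
make_sample() {
    d=$(mktemp -d)
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Not affected' > "$d/tsx_async_abort"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$d/mds"
    echo "$d"
}

sample=$(make_sample)
report "$sample" || echo "review needed: at least one entry is not fully mitigated"
rm -rf "$sample"
```

On a real system, call `report /sys/devices/system/cpu/vulnerabilities` instead of the sample directory.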

