Re: [orca-list] Speech Dispatcher 0.7 Beta -- Please help with testing



Hi,

There is a rather large local security problem with your use of unix sockets.  It is very easy for a local 
hostile user to cause a denial of service, because you put the unix sockets in a world readable place with 
*very* predictable names.  They are so predictable because the only thing that the attacker has to guess is 
the UID of the user, and because UIDs for standard users start at 1000, and are assigned in order, the 
attacker would only have to create say 100 files, which with a simple shell script is trivial.

Trev


