Weren't we talking about trojans on Linux?

Karl-Heinz Zimmer khz at kde.org
Mon Oct 28 23:34:57 GMT 2002


On Tuesday 29 October 2002 00:26, Karl-Heinz Zimmer wrote:
> On Tuesday 29 October 2002 00:05, Rinse de Vries wrote:
> > Hi,
> >
> > just received a mail in kde-i18n-doc with the following link:
> >
> > http://www.dilbert.com/comics/dilbert/desktop_diversions/images/dilbert_screensaver.zip
> >
> > When pressing this link, KMail automagically opens 'ark' and starts
> > downloading the compressed file, without any warning...
> >
> > Now what if this was not a zip file, but an .exe file, and I have Wine
> > installed, would kmail call wine and start downloading the 'possible
> > virus' without any warning?
> > Now that is a security hole, isn't it?
>
> Having thought about it again: No, this should not happen.
>
> KMail is not allowed to start WINE without telling you before - that's how
> it is coded.

Ahem, it is night here and my brain will fall asleep soon: forget it,
what happens when you click on this link is NOT controlled by KMail
but by the viewer itself.

So the big question is: Why the hell does the viewer start a download
if it is not an image that's downloaded?

IM(not so)HO this _is_ a security issue and must be investigated!

I would even like to propose to find out about that _before_ releasing 3.1!


Karl-Heinz   < Please send follow-ups to kde-core-devel at mail.kde.org >
-- 
Karl-Heinz Zimmer, Senior Software Engineer, Klarälvdalens Datakonsult AB
<mailto:khz at klaralvdalens-datakonsult.se>            <mailto:khz at kde.org>
_________________________________________________________________________
"Why do we have to hide from the police, Daddy?"   
   "Because we use vi, son.  They use emacs."    Dave Fischer, 1995/06/19