On Fri, 22 Jun 2018 at 13:36, Till Maas <opensource@xxxxxxxxx> wrote:
[..]
> > The attacker could have looked up the exploit on the web.
>
> If it is a public exploit, then it is usually fixed by updates,
> especially if the impact is that big. A user not installing
> security updates is a scenario I consider not worth exploring, since
> there might be all kinds of serious vulnerabilities.

Just FTR.
If Fedora maintainers decide to put ~/.local/bin before /usr/bin on the $PATH, it will be possible to control, via ~/.local/bin/id (and/or many more similar commands), what happens at the beginning of the user login session.
None of the package updates (except the one which removes ~/.local/bin/ from the $PATH) would be able to stop the damage once done.
Would you now consider classifying such a change as a serious vulnerability introduction?

kloczek
--
Tomasz Kłoczko | LinkedIn: http://lnkd.in/FXPWxH
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/XMA24FNN3KHBUPNQAGWDGYVRJ32Z4LE4/
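The risk raised above is a PATH-ordering one: a user-writable directory searched before /usr/bin lets a file named like a system command (the example given is id) run in its place. As an added example that is not part of the thread, here is a small POSIX shell audit that reports home-directory PATH entries placed ahead of the system directories and lists which /usr/bin commands such an entry would shadow; the function names and the set of "system" directories are my own choices.

```sh
#!/bin/sh
# Audit a PATH string for home-directory entries that precede the system
# directories, and list the commands in such an entry that would shadow
# system ones. Added example; assumes paths contain no whitespace.

# Print each PATH entry ($1) that lies under the home directory ($2) and
# appears before the first system directory (/usr/bin, /bin, /usr/sbin, /sbin).
home_dirs_before_system() {
    path="$1"; home="$2"
    old_ifs=$IFS; IFS=:
    for entry in $path; do
        case "$entry" in
            /usr/bin|/bin|/usr/sbin|/sbin) break ;;          # reached system dirs
            "$home"/*|"$home") printf '%s\n' "$entry" ;;     # user-writable, earlier
        esac
    done
    IFS=$old_ifs
}

# Print every executable in $1 that also exists as an executable in $2,
# i.e. the names $1 would shadow if it preceded $2 on PATH.
shadowed_commands() {
    shadow_dir="$1"; sys_dir="$2"
    [ -d "$shadow_dir" ] || return 0
    for f in "$shadow_dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        [ -x "$sys_dir/$name" ] && printf '%s\n' "$name"
    done
    return 0
}

# Check the calling user's own PATH: exit 1 if a home-directory entry is
# searched before the system directories, printing what it would shadow.
audit_current_path() {
    risky=$(home_dirs_before_system "$PATH" "$HOME")
    [ -z "$risky" ] && return 0
    for d in $risky; do
        printf 'PATH entry %s precedes /usr/bin; shadowed commands:\n' "$d"
        shadowed_commands "$d" /usr/bin | sed 's/^/  /'
    done
    return 1
}
```

Run audit_current_path from a login shell to see whether the session's PATH already has this ordering; a non-zero exit with an empty shadow list still means any later drop of a same-named file would take precedence.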