Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

On Fri, Jun 22, 2018 at 05:01:38PM +0100, Tomasz Kłoczko wrote:
> On Fri, 22 Jun 2018 at 13:36, Till Maas <opensource@xxxxxxxxx> wrote:
> [..]
> > > The attacker could have looked up the exploit on the web.
> >
> > If it is a public exploit, then it is usually fixed by updates,
> > especially if the impact is that big. A user not installing
> > security updates is a scenario I consider not worth exploring, since
> > there might be all kinds of serious vulnerabilities.
> 
> Just FTR.
> If Fedora maintainers decide to put ~/.local/bin over /usr/bin on
> the $PATH, it will be possible to control, via ~/.local/bin/id (and/or
> many more similar commands), what happens at the beginning of the user
> login session. None of the package updates (except the one which will
> remove ~/.local/bin/ from the $PATH) would be able to stop the damage
> once done.
> 
> Would you now consider classifying such a change as a serious
> vulnerability introduction?

No, the vulnerability is whatever allowed attackers to get write access
to $HOME. And there would be a lot more changes to $HOME or other paths
in a real-world attack that an update could not fix. Also I guess most
attacks target information, computing power or network access and there
is no way to revoke this with an update after the attack was successful.
And the best practice to clean up after an attack is to reinstall from
known-good sources.

Kind regards
Till
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/3FUF76JH5CTAGVXD4ZJWKCCAQNXOEEY5/
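The check below is an added example, not code from this thread or from Fedora: a POSIX shell function that walks a PATH string and reports executables sitting in user-writable directories ahead of /usr/bin that shadow a system binary of the same name (the ~/.local/bin/id case the thread is about). The function names, the directory layout built by demo_shadowed_id and the empty stand-in `id` files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string for user-writable
# directories that come before a system directory (default /usr/bin) and list
# the commands in them that shadow a same-named binary there. A login script
# or a hardening test could run this to catch a user-writable ~/.local/bin/id.

# path_shadow_audit PATH_STRING [SYSDIR]
# Prints "DIR:CMD" for every executable CMD in a writable DIR that precedes
# SYSDIR in PATH_STRING and also exists as SYSDIR/CMD.
# Exit status 0 when nothing is shadowed, 1 otherwise.
path_shadow_audit() {
    _rest=$1
    _sysdir=${2:-/usr/bin}
    _hits=0
    while [ -n "$_rest" ]; do
        # split off the next PATH entry at the first ':'
        case $_rest in
            *:*) _dir=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _dir=$_rest;       _rest= ;;
        esac
        [ -n "$_dir" ] || _dir=.               # an empty PATH entry means "."
        [ "$_dir" = "$_sysdir" ] && break      # later entries cannot shadow SYSDIR
        [ -d "$_dir" ] && [ -w "$_dir" ] || continue   # only writable dirs matter
        for _f in "$_dir"/*; do
            [ -x "$_f" ] || continue
            _cmd=${_f##*/}
            if [ -x "$_sysdir/$_cmd" ]; then
                printf '%s:%s\n' "$_dir" "$_cmd"
                _hits=$((_hits + 1))
            fi
        done
    done
    [ "$_hits" -eq 0 ]
}

# demo_shadowed_id: build a constructed layout in a temp dir (a fake "system"
# bin holding `id` and a writable user bin that also holds `id`), run the audit
# on it and print the result, then clean up. The stand-in files are empty.
demo_shadowed_id() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/sys" "$_tmp/userbin"
    : > "$_tmp/sys/id";     chmod 755 "$_tmp/sys/id"       # stands in for /usr/bin/id
    : > "$_tmp/userbin/id"; chmod 755 "$_tmp/userbin/id"   # stands in for ~/.local/bin/id
    path_shadow_audit "$_tmp/userbin:$_tmp/sys" "$_tmp/sys" || true
    rm -rf "$_tmp"
}

demo_shadowed_id
```

To audit a real session, call `path_shadow_audit "$PATH" /usr/bin`; a non-zero exit status means at least one writable directory ahead of /usr/bin carries a command that overrides a system binary, which is exactly the configuration an update to the packaged PATH ordering cannot undo once the file is in place.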