On Sat, December 17, 2005 4:17 pm, Jesse Keating said:
> On Sat, 2005-12-17 at 16:04 -0500, Sean wrote:
>> It's a low risk feature that adds significant ease of use for the user.
>> You haven't shown at all how it could be exploited.
>
> If I knew how it could, I would have alerted upstream and vendors to get
> a CVE assigned and a fix coordinated. Unfortunately not all folks who
> discover flaws act in this way.
>
> With a port forward, any traffic at all can be pushed to the client.
> Who knows what kind of overflows or whatnot may be in the client
> software, that could lead to something which the client has rights to
> do, such as 'remove your temp files, which are ~/*'. My point is that
> forwarding ports is a risk. Sure it could just wipe your user files,
> but maybe it could do more. I don't know, I am not a security expert.
> Forwarded ports are much different than established/related packets.
> Unassociated traffic can come in at will. This kind of risk needs to be
> something a USER assumes, not a distribution.
>

That's a pretty weak argument. Many users are connected directly to the
internet and thus when they start the application they assume the risk.
It's the exact same thing if they install a router that has UPnP enabled
on it; they've assumed the risk. But so long as you're happy to include
the feature if it's disabled by default we really have no reason to argue.

Sean

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list