Speech Dispatcher 0.7 Beta -- Please help with testing
From: Bill Cox
Subject: Speech Dispatcher 0.7 Beta -- Please help with testing
Date: Tue, 27 Apr 2010 20:09:06 -0400
I like the socket approach, but I guess your concern may be why Luke
was thinking of using dbus. Still, a denial of service that requires
users already be logged into the machine is a far smaller security
hole. Right now, a clever hacker could most likely find a way to
cause one of the less well maintained speech-dispatcher subsystems to
execute arbitrary code, remotely through a wide-open TCP port. I think
a switch to file sockets is a sensible short-term fix. One of my
favorite tricks to play on blind guys I'm supporting in Vinux is to
start talking to them through the speech-dispatcher TCP port. If you
ever let me into a machine on your network, don't be surprised when
your machines running Orca start saying the strangest things!
Bill
On Tue, Apr 27, 2010 at 7:07 PM, Samuel Thibault
<samuel.thibault at ens-lyon.org> wrote:
> trev.saunders at gmail.com, on Tue 27 Apr 2010 14:30:39 -0400, wrote:
>> There is a rather large local security problem with your use of unix
>> sockets. It is very easy for a local hostile user to cause a denial of
>> service, because you put the unix sockets in a world readable place with
>> *very* predictable names. They are so predictable because the only thing
>> that the attacker has to guess is the UID of the user, and because UIDs for
>> standard users start at 1000, and are assigned in order, the attacker would
>> only have to create say 100 files, which with a simple shell script is
>> trivial.
>
> That's actually not really new, compared to the previous TCP/IP
> approach.
>
> The place (or port number) has to be well-known for applications to be
> able to connect to it anyway, so any security layer needs to be added
> after connection.
>
> Samuel
>
> --
> Ubuntu-accessibility mailing list
> Ubuntu-accessibility at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-accessibility
>
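The socket-squatting denial of service Trevor describes above, and one common way of closing it, as an added example. This is not Speech Dispatcher code and does not claim to reflect what the project did; the socket naming scheme (`speech-dispatcher-<uid>.sock` in a shared, world-writable directory) and the mitigation (a per-user directory that the server checks is owned by it and mode 0700 before binding, in the style of XDG_RUNTIME_DIR) are assumptions of this example. The attacker and the server run as the same user here, so the script shows the bind failure and the directory checks rather than a real cross-user attack; scratch directories are created with `tempfile` and removed afterwards.

```python
"""Socket-squatting DoS on a predictable AF_UNIX path, and a hardened bind.
Added example, not Speech Dispatcher code. Paths and naming are hypothetical."""
import errno
import os
import shutil
import socket
import stat
import tempfile


def predictable_path(base_dir, uid):
    # Hypothetical naming scheme: one shared directory, one socket per UID.
    return os.path.join(base_dir, f"speech-dispatcher-{uid}.sock")


def squat_sockets(base_dir, start_uid=1000, count=100):
    """Attacker side: pre-create a plain file at every guessable socket path.
    Anyone who can write to base_dir can do this before the victim logs in."""
    created = []
    for uid in range(start_uid, start_uid + count):
        path = predictable_path(base_dir, uid)
        with open(path, "x"):  # exclusive create: the squatter must get there first
            pass
        created.append(path)
    return created


def bind_naive(path):
    """Server side as described in the thread: bind at the predictable path.
    Returns 0 on success, otherwise the errno bind() failed with."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)
    except OSError as exc:
        return exc.errno  # EADDRINUSE: something already occupies that path
    finally:
        sock.close()
    return 0


def bind_in_private_dir(runtime_dir, name="speech-dispatcher.sock"):
    """Mitigation (an assumption of this example, not the project's design):
    only bind inside a directory owned by the current user with no group/other
    access, and never unlink anything at the socket path that is not a socket
    owned by us. A squatter then has nowhere to plant a file."""
    st = os.lstat(runtime_dir)
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{runtime_dir} is not a directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{runtime_dir} is not owned by uid {os.getuid()}")
    if st.st_mode & 0o077:
        raise PermissionError(f"{runtime_dir} is group/world accessible")
    path = os.path.join(runtime_dir, name)
    try:
        pst = os.lstat(path)  # lstat: a symlink shows up as a link, not as its target
    except FileNotFoundError:
        pass
    else:
        if not (stat.S_ISSOCK(pst.st_mode) and pst.st_uid == os.getuid()):
            raise PermissionError(f"refusing to replace foreign object at {path}")
        os.unlink(path)  # stale socket left by a previous run of ours
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    return sock, path


def demo():
    """Run attacker and server in scratch directories; return what was observed."""
    results = {}
    shared = tempfile.mkdtemp()   # stands in for the shared, world-visible directory
    private = tempfile.mkdtemp()  # mkdtemp creates this with mode 0700
    try:
        results["squatted"] = len(squat_sockets(shared, start_uid=1000, count=100))
        # Victim with uid 1042 logs in; the naive server cannot bind at all.
        results["naive_is_eaddrinuse"] = (
            bind_naive(predictable_path(shared, 1042)) == errno.EADDRINUSE)
        # Hardened placement binds, and cleanly replaces its own stale socket.
        sock, path = bind_in_private_dir(private)
        results["hardened_bound"] = stat.S_ISSOCK(os.lstat(path).st_mode)
        sock.close()
        sock, _ = bind_in_private_dir(private)
        results["hardened_rebound"] = True
        sock.close()
        # A squatter's plain file at the hardened path is refused, not unlinked.
        os.unlink(path)
        with open(path, "x"):
            pass
        try:
            bind_in_private_dir(private)
            results["foreign_file_refused"] = False
        except PermissionError:
            results["foreign_file_refused"] = True
        # A directory others can enter is rejected before anything is bound.
        os.chmod(private, 0o755)
        try:
            bind_in_private_dir(private)
            results["open_dir_refused"] = False
        except PermissionError:
            results["open_dir_refused"] = True
    finally:
        shutil.rmtree(shared, ignore_errors=True)
        shutil.rmtree(private, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The point Samuel makes still holds after this change: the directory location has to be well known for clients to find the socket, and the checks above only guarantee that nobody else can pre-create or swap the object the server binds to. They do not authenticate the client that connects, so any access control still belongs after `accept()`, for example by checking the peer's credentials with `SO_PEERCRED` on Linux.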