[Sugar-devel] [sugar-toolkit-gtk3 PATCH] sl#4276: Writing the icon-files for ".xo" files on a permanent mount-point, and not /tmp. mount-point.

James Cameron quozl at laptop.org
Mon Dec 10 15:39:57 EST 2012


On Tue, Dec 11, 2012 at 01:47:36AM +0530, Ajay Garg wrote:
> In my current approach, a file in "icon_files" folder is not removed
> ever, once it is written.

So I can attack a user (denial of service) by providing an .xo file
with a very very large .svg file in it, and there is nothing the user
can do ... in Sugar ... to escape from the situation.

It is an added security vulnerability.

So, Nak.

As an example, http://dev.laptop.org/~quozl/denial-of-service.zip is
an old activity of mine with the .svg file replaced by 1 GB of zero
bytes, which compresses nicely.  When this file is renamed to .xo and
downloaded with Sugar is to result in 1 MB of download data, and in 2
GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for
the /icon_files/

-- 
James Cameron
http://quozl.linux.org.au/


More information about the Sugar-devel mailing list