[Sugar-devel] [sugar-toolkit-gtk3 PATCH] sl#4276: Writing the icon-files for ".xo" files on a permanent mount-point, and not /tmp. mount-point.

Gonzalo Odiard gonzalo at laptop.org
Mon Dec 10 21:44:52 EST 2012


...

> So I can attack a user (denial of service) by providing an .xo file

> with a very very large .svg file in it, and there is nothing the user
> can do ... in Sugar ... to escape from the situation.
>
> It is an added security vulnerability.
>
> So, Nak.
>
> As an example, http://dev.laptop.org/~quozl/denial-of-service.zip is
> an old activity of mine with the .svg file replaced by 1 GB of zero
> bytes, which compresses nicely.  When this file is renamed to .xo and
> downloaded with Sugar, it results in 1 MB of download data, and in 2
> GB of storage loss; 1 GB for the activity/*.svg files, and 1 GB for
> the /icon_files/
>
>
Right now, Sugar is decompressing the icon anyway,
so there is not too much change.

Gonzalo
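An added example (not part of this thread, and not Sugar's own code) of the defensive check the quoted report calls for: an .xo bundle is a zip archive, so the icon entry's declared uncompressed size can be read from the central directory and the extraction refused before a single byte is written to the permanent mount point. The icon path activity/icon.svg and the 1 MiB cap are assumptions; the bundles are constructed in memory.

```python
import io
import zipfile

# Assumed icon path inside the bundle (Sugar reads the real name from
# activity/activity.info); 1 MiB cap on the *uncompressed* icon.
ICON_NAME = "activity/icon.svg"
MAX_ICON_BYTES = 1 * 1024 * 1024


def make_bundle(icon_bytes: bytes) -> bytes:
    """Build a minimal in-memory .xo bundle (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("activity/activity.info", "[Activity]\nname = Demo\n")
        zf.writestr(ICON_NAME, icon_bytes)
    return buf.getvalue()


def check_icon(bundle: bytes, max_bytes: int = MAX_ICON_BYTES) -> dict:
    """Decide whether the icon may be extracted, using only the sizes
    declared in the zip central directory; extract only if they fit."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(bundle))
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "not a zip archive"}
    with zf:
        try:
            info = zf.getinfo(ICON_NAME)
        except KeyError:
            return {"ok": False, "reason": "icon missing"}
        # Compression ratio is a useful signal for logging: a 1 GB run of
        # zero bytes deflates to about 1 MB, i.e. a ratio near 1000.
        ratio = info.file_size / max(info.compress_size, 1)
        if info.file_size > max_bytes:
            return {"ok": False, "reason": "icon too large",
                    "uncompressed": info.file_size, "ratio": ratio}
        # Declared size is acceptable; still bound the read as defence in
        # depth so a lying header cannot make us inflate past the cap.
        with zf.open(info) as f:
            data = f.read(max_bytes + 1)
        if len(data) > max_bytes:
            return {"ok": False, "reason": "icon exceeds declared size"}
        return {"ok": True, "uncompressed": len(data), "ratio": ratio}
```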

