Re: [PATCH] Remove absolute paths from gpg.rc
On Fri, Mar 16, 2007 at 10:22:05PM -0400, Derek Martin wrote:
> On Fri, Mar 16, 2007 at 12:40:27AM +0000, Paul Walker wrote:
> > If you can modify someones personal files, the game's already over.
> Not so. At least not necessarily.
So!
> Say there's a (purely hypothetical) bug in Mutt which allows an
> attacker to cause mutt to download an arbitrary file (perhaps actually
> in an application frequently used to aid mutt in viewing mail and/or
> attachments, e.g. lynx). Say the bug allows the creation of the file,
> but in no way allows for the execution of code within the file. Such
> bugs have existed.
In that case, you get them to download an authorized_keys file for ssh...
imc