<<< Date Index >>>     <<< Thread Index >>>

Re: [PATCH] Remove absolute paths from gpg.rc



On Fri, Mar 16, 2007 at 10:22:05PM -0400, Derek Martin wrote:
> On Fri, Mar 16, 2007 at 12:40:27AM +0000, Paul Walker wrote:
> > If you can modify someones personal files, the game's already over.

> Not so.  At least not necessarily.

So!

> Say there's a (purely hypothetical) bug in Mutt which allows an
> attacker to cause mutt to download an arbitrary file (perhaps actually
> in an application frequently used to aid mutt in viewing mail and/or
> attachments, e.g. lynx).  Say the bug allows the creation of the file,
> but in no way allows for the execution of code within the file.  Such
> bugs have existed.

In that case, you get them to download an authorized_keys file for ssh...

imc