guix-devel

Re: Add murmur.


From: David Craven
Subject: Re: Add murmur.
Date: Sun, 12 Feb 2017 15:37:14 +0100

> You read too much between the lines in my words.

> I'm not counting on the certifications of Harmut. I simply agree with
> the reasoning that no client and server should be combined if possible
> to limit the attack surface. That's all.

That may be true. It was my intention to back Ludo. I think that it is a minor
issue at best, since anything that isn't accessible over the network or running
with any sort of privileges is not very useful.

An attack usually involves exploiting a service for remote code execution,
followed by privilege escalation and finally securing access to the system and
cleaning up traces.

This is an unprivileged binary on a server, and it isn't even running.
Exploiting any bugs in the client would require starting the client first. This
means that an attacker has already gained physical access or is able to perform
remote code execution.

This hypothetical attacker is trying to escalate privileges. I don't see how
starting an unprivileged process would help with that.

But then again - I'm not an expert and don't have any credentials - so I'd be
interested to know if there is a way of exploiting this.


