| houkime | I found ipc standards for BGA courtyards a bit ridiculous and searched for an updated IPC-7351C... only to find this thread. https://www.pcblibraries.com/forum/ipc7351c-draft-or-release-date_topic1818_page1.html | 14:38 |
|---|---|---|
| houkime | so from now i will be far more critical of ipc standards (mostly about their correspondence to current manufacturers capabilities) and employ common logic and metacollin's stuff where datasheets don't recommend anything in particular. | 14:41 |
| houkime | Though strategically what i think should happen is that oshw community produce some exhaustive open guidelines on their own. | 14:45 |
| houkime | just on the git server somewhere, so people can commit and compile from datasheets, experience and manufacturer data actual contemporary requirements for a PCB design. | 14:47 |
| houkime | *producible PCB design. | 14:47 |
| houkime | (the thread basically says that IPC is dead) | 14:53 |
| houkime | (and is unlikely to update any time soon) | 14:54 |
| Joerg-Neo900 | >>i will be far more critical of ipc standards [...] employ common logic and metacollin's stuff<< :thumbsup: :-) | 14:55 |
| Joerg-Neo900 | you caught up with our internal discusion and conclusions/decisions | 14:56 |
| sixwheeledbeast | https://it.slashdot.org/story/19/08/10/2257259/remember-autoruninf-malware-in-windows-turns-out-kde-offers-something-similar | 17:11 |
| Joerg-Neo900 | yeah, $() escape exploit in filename of icon | 17:33 |
| Joerg-Neo900 | in .desktop | 17:33 |
| Joerg-Neo900 | I already argues with some other hackers yesterday, and finally stand corrected as this would have hit me if I opened any arbitrary dir with konqueror | 17:34 |
| Joerg-Neo900 | writing a .desktop to ~/Desktop is for sure sth you should try to NOT do when source is shady | 17:35 |
| Joerg-Neo900 | but even extracting a shady origin tarbal into /tmp/foobar/ would hit you if you open /tmp/foobar/ with konqueror then | 17:36 |
| Joerg-Neo900 | >>the researcher says the vulnerability can be used to place shell commands inside the standard "Icon" entries found in .desktop and .directory files<< | 17:40 |
| Joerg-Neo900 | icon=$(rm -rf /) somesuch | 17:40 |
| Joerg-Neo900 | details at https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt | 17:41 |
| Joerg-Neo900 | [Desktop Entry] | 17:41 |
| Joerg-Neo900 | Type=Directory | 17:41 |
| Joerg-Neo900 | Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&) | 17:42 |
| Joerg-Neo900 | nifty use of $IFS | 17:44 |
| Joerg-Neo900 | Remediation: | 18:25 |
| Joerg-Neo900 | Disable shell expansion / dynamic entries for [Desktop Entry] configurations. | 18:25 |
| Joerg-Neo900 | MY remediation: *sign* .desktop files with your local PK and expand only files that gave valid signature | 18:26 |
| Joerg-Neo900 | have, even | 18:26 |
| Joerg-Neo900 | if expansion detected in an unsigned .desktop file: Rise BIG FAT WARNING requester wit options "DONT EXPAND" "EXPAND ONCE" and "SIGN AND EXPAND ALWAYS" | 18:28 |
| Joerg-Neo900 | of course requester will show the suspicious line "of code" in .desktop | 18:29 |
| Joerg-Neo900 | and a 4th option should be "open in $EDITOR" | 18:29 |
| Joerg-Neo900 | in my book *this* is the canonical way to handle such stuff | 18:30 |
| Joerg-Neo900 | not feature neutering | 18:30 |
| Joerg-Neo900 | which always is a lazy idiot's option to deal with such problems | 18:31 |
| Joerg-Neo900 | you got no idea at all how many users out ther4e depend on this feature | 18:31 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!