[MPlayer-users] Using -dumpstream on OS X
RC
cooleyr at gmail.com
Fri Dec 7 20:09:39 CET 2007
On Fri, 7 Dec 2007 12:28:19 +0100
Ivo <ivop at euronet.nl> wrote:
> If the creator of somepkg.tar.bz2 had bad intentions, it could simply
> place a binary or shell script named ls inside that, besides calling
> /bin/ls, forks and starts sending your complete homedir over the
> internet. Or test whether it's root and send /etc/shadow. Or run rm
> -rf /. Or install a rootkit, et cetera...
Actually, that wouldn't work, as /bin no doubt comes before ./ in your
PATH. Still, it certainly is a major security concern. A malicious
individual would simply do much better to include common command names,
spelled incorrectly, such as lls, ks, cc, pws, etc.
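
The search-order point discussed in this thread can be checked on a given system. The following is an added example, not part of either message: a POSIX shell function (the name `audit_path` and the sample PATH strings are constructed for illustration) that reports every empty or relative PATH entry and whether it is searched before or after the absolute directories.

```shell
#!/bin/sh
# Added example: report PATH entries that make the shell search the current
# (or another relative) directory, and how early they are searched.
# Usage: audit_path "$PATH"   -> prints findings, returns 1 if any were found.
audit_path() {
    rest="$1:"      # trailing ':' keeps a final empty entry from being lost
    index=0         # position of the entry being examined
    absolute=0      # absolute directories seen before this entry
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text up to the first ':'
        rest=${rest#*:}         # everything after that ':'
        index=$((index + 1))
        case $entry in
            /*) absolute=$((absolute + 1)); continue ;;
            '') label='empty entry (means current directory)' ;;
            *)  label="relative entry '$entry'" ;;
        esac
        found=1
        if [ "$absolute" -eq 0 ]; then
            # Nothing trusted is searched earlier: a file named ls in the
            # unpacked directory would be run instead of /bin/ls.
            echo "entry $index: $label precedes every absolute directory; any command name can resolve there"
        else
            # /bin and friends win for real commands, but a name that is not
            # found in them (a typo such as 'lls') still resolves here.
            echo "entry $index: $label follows $absolute absolute dir(s); names not found earlier (e.g. typos) resolve there"
        fi
    done
    return $found
}

# Constructed sample input: '.' placed after the system directories.
audit_path '/usr/local/bin:/usr/bin:/bin:.' || true
```

A PATH with only absolute directories produces no output and a zero return status.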