On Fri, Nov 8, 2013 at 6:20 AM, Christian Boltz
I don't know about the exact security risks - maybe someone from the security team knows more details.
With an AppArmor profile, you can make sure that acroread only reads *.pdf files and doesn't read or modify random files on your disk. You can also forbid networking - but this doesn't sound too useful when you need to submit a form online ;-)
Anyway, I'll attach my AppArmor profile for acroread. It's not as tight as it could be (and I'll probably do some changes to it now that I know acroread won't get security updates anymore), but it's a good start. Be warned that you will need to change it - for example I'm quite sure your home directory is not /home/cb/ ;-)
Note: the profile only covers the binary, not the wrapper script.
Security flaws are not judged by whether there're workarounds... You can have an entry on Release Note mention: ha, something doesn't work... here's how to get it work. But you can't say: ha... we are potential targets for... well here's how... It'll mean: we're insecure by default... that's crazy and insane... of course almost 90% of network tools' security flaws can be "fixed" by disconnection from network... I don't wanna look like a troll but that's an extreme example... And I don't think a public hearing on a public mailing list for explanations of what those security flaws are or where they are is a _good_ idea... maybe we can open a _closed_ security bug report?

Marguerite
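
As an added illustration of the confinement Christian Boltz describes in the quoted text (PDF-only reads, no networking), here is a minimal AppArmor profile sketch. It is not his attached profile, which is not reproduced on this page; the install path and the per-user settings directory are assumptions to adjust.

```apparmor
# Added sketch, not the profile attached to the original mail.
#include <tunables/global>

# ASSUMPTION: install path of the acroread binary (the profile attaches to
# the binary, not to the wrapper script). Adjust to your system.
/opt/Adobe/Reader9/Reader/intellinux/bin/acroread {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # Forbid IPv4/IPv6 networking. An explicit deny wins over any allow rule
  # pulled in by an abstraction. Drop these two lines if online form
  # submission is required.
  deny network inet,
  deny network inet6,

  # The application's own files (ASSUMPTION: everything lives under this tree).
  /opt/Adobe/Reader9/** mr,

  # Documents: read-only, PDF only, and only files owned by the invoking user.
  owner @{HOME}/**.[pP][dD][fF] r,

  # Per-user settings (ASSUMPTION: ~/.adobe is where acroread stores them).
  owner @{HOME}/.adobe/ rw,
  owner @{HOME}/.adobe/** rwk,

  # Keep key material out of reach even if a later rule is widened.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
}
```

Load it in complain mode first with `aa-complain`, exercise the reader, and extend the rules from the logged events with `aa-logprof` before switching to enforce mode.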