libera/#neo900/ Sunday, 2019-08-11

houkimeI found ipc standards for BGA courtyards a bit ridiculous and searched for an updated IPC-7351C... only to find this thread.
houkimeso from now i will be far more critical of ipc standards (mostly about their correspondence to current manufacturers capabilities) and employ common logic and metacollin's stuff where datasheets don't recommend anything in particular.14:41
houkimeThough strategically what i think should happen is that oshw community produce some exhaustive open guidelines on their own.14:45
houkimejust on the git server somewhere, so people can commit and compile from datasheets, experience and manufacturer data actual contemporary requirements for a PCB design.14:47
houkime*producible PCB design.14:47
houkime(the thread basically says that IPC is dead)14:53
houkime(and is unlikely to update any time soon)14:54
Joerg-Neo900>>i will be far more critical of ipc standards [...] employ common logic and metacollin's stuff<< :thumbsup: :-)14:55
Joerg-Neo900you caught up with our internal discusion and conclusions/decisions14:56
Joerg-Neo900yeah, $() escape exploit in filename of icon17:33
Joerg-Neo900in .desktop17:33
Joerg-Neo900I already argues with some other hackers yesterday, and finally stand corrected as this would have hit me if I opened any arbitrary dir with konqueror17:34
Joerg-Neo900writing a .desktop to ~/Desktop is for sure sth you should try to NOT do when source is shady17:35
Joerg-Neo900but even extracting a shady origin tarbal into /tmp/foobar/ would hit you if you open /tmp/foobar/ with konqueror then17:36
Joerg-Neo900>>the researcher says the vulnerability can be used to place shell commands inside the standard "Icon" entries found in .desktop and .directory files<<17:40
Joerg-Neo900icon=$(rm -rf /) somesuch17:40
Joerg-Neo900details at
Joerg-Neo900[Desktop Entry]17:41
Joerg-Neo900nifty use of $IFS17:44
Joerg-Neo900Disable shell expansion / dynamic entries for [Desktop Entry] configurations.18:25
Joerg-Neo900MY remediation: *sign* .desktop files with your local PK and expand only files that gave valid signature18:26
Joerg-Neo900have, even18:26
Joerg-Neo900if expansion detected in an unsigned .desktop file: Rise BIG FAT WARNING requester wit options "DONT EXPAND" "EXPAND ONCE" and "SIGN AND EXPAND ALWAYS"18:28
Joerg-Neo900of course requester will show the suspicious line "of code" in .desktop18:29
Joerg-Neo900and a 4th option should be "open in $EDITOR"18:29
Joerg-Neo900in my book *this* is the canonical way to handle such stuff18:30
Joerg-Neo900not feature neutering18:30
Joerg-Neo900which always is a lazy idiot's option to deal with such problems18:31
Joerg-Neo900you got no idea at all how many users out ther4e depend on this feature18:31

Generated by 2.17.0 by Marius Gedminas - find it at!