#156 Execution from /tmp security hole

v1.0 (example)
closed-rejected
nobody
5
2013-08-03
2013-08-03
Philip C
No

The Linux versions depend on executing Qt Java from the /tmp directory. This is a very bad security issue; you never want to allow anything to execute from /tmp. /tmp should be mounted noexec, which most current serious distributions do now (or soon will) as tmpfs.

Change NixNote to run under the user's account directory (for example ~/.NixNote) rather than requiring the opening of a security hole in /tmp.
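An added example, not part of the original ticket or of NixNote: a check of whether files under a given directory can be executed, based on the `noexec` option of the mount that covers it, using the `/proc/mounts` format. The sample mount table and the paths in it are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS = r"""
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /mnt/usb\040stick vfat rw,noexec 0 0
"""

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \NNN octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return a list of (mount_point, fstype, options_set) tuples."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        point = os.path.normpath(_unescape(parts[1]))
        mounts.append((point, parts[2], set(parts[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Find the mount covering path: longest mount point that is a path prefix.
    On equal length the later entry wins, since it was mounted on top."""
    path = os.path.normpath(path)
    best = None
    for mnt in mounts:
        point = mnt[0]
        covers = point == "/" or path == point or path.startswith(point + "/")
        if covers and (best is None or len(point) >= len(best[0])):
            best = mnt
    return best

def can_exec_from(path, mounts):
    """True if the covering mount does not carry the noexec option."""
    mnt = mount_for(path, mounts)
    return mnt is not None and "noexec" not in mnt[2]

if __name__ == "__main__":
    with open("/proc/mounts") as fh:  # live table on a Linux host
        live = parse_mounts(fh.read())
    for p in ("/tmp", os.path.expanduser("~/.NixNote")):
        print(p, "exec allowed" if can_exec_from(p, live) else "noexec")
```

Matching is by path component, so `/tmpfoo` is attributed to `/` rather than to the `/tmp` mount.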

Discussion

  • Unfortunately there isn't anything I can do about that. The /tmp requirement is a requirement of Qt-Jambi (which NixNote is built upon). There isn't anything NixNote itself can do.

    NixNote 2 doesn't have this requirement.

     
    • status: open --> closed-rejected
     
  • Philip C
    2013-08-03

    I understand. I see from your comment to a similar bug report (https://sourceforge.net/p/nevernote/bugs/147/#5459) that you are getting rid of Jambi in future releases. I strongly encourage you to do that, as well as submitting a bug report to them (http://qt-jambi.org) to fix their system. As an IT security professional I could not recommend the use of any software which introduces such a system-wide vulnerability (especially an application that manages personal information). I like NixNote and I think you have done tremendous work (Kudos!). I look forward to returning to NixNote once this is fixed.