KDE Picking Up Thumbnail Previews For Blender Files, Continued UI Improvements


  • KDE Picking Up Thumbnail Previews For Blender Files, Continued UI Improvements

    Phoronix: KDE Picking Up Thumbnail Previews For Blender Files, Continued UI Improvements

    It's Sunday and that means KDE developer Nate Graham is out with his (great) weekly recap of the interesting improvements made over the past week in KDE land...

    http://www.phoronix.com/scan.php?pag...bnail-Previews

  • #2
    I always love reading these and seeing all the new features and fixes. Can't wait for Manjaro to update so I can play with unconventional themes.



    • #3
      Meta/Super/Winkey+E is what is used on Windows, but that is for "Windows Explorer", but I'm told this is not the name anymore, although the shortcut continues.

      But Windows doesn't allow you to change predefined shortcuts (last time I checked), and that is a thing I hate very much. KDE on the other hand, is the king of keyboard shortcuts since forever, as it allows you to do whatever you want. You can even save your personalized shortcuts to a file as a backup.

      Personally, I use Meta+E for my e-mail client. File manager is Meta+A (for archives, Dolphin), Meta+F for films (SMplayer), Meta+V is videos (VLC), Meta+B browser (Firefox), Meta+T terminal (Konsole), Meta+C calculator (Kcalc), and more.
      Last edited by [email protected]; 03-24-2019, 09:51 AM.



      • #4
        I skimmed the source code and I can't see any sign that this thumbnailing code is being security sandboxed in any way.

        Without security sandboxing, it's foreseeable that a specially crafted file could be created that exploits Dolphin thumbnailing code (Blender or otherwise). A user wouldn't even have to open the file. Simply downloading it and browsing to the folder which contains it (a common practice) would be enough to trigger the exploit.

        Considering that Dolphin appears to be using file magic numbers to detect file formats, the user could end up downloading a file, seemingly of one format (e.g. .zip) and the thumbnailer of another format (e.g. .blend) could be exploited. This would make it even easier to exploit.

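The mismatch raised in post #4, where a file's name suggests one format while its leading bytes select a different handler, can be audited for in a download folder. The following is an added example, not code from the thread or from KDE; the signature table, function names and sample files are assumptions constructed for illustration, and it does not reproduce how Dolphin itself detects types.

```python
import os
import tempfile

# Leading-byte signatures; a content-sniffing dispatcher keys on these, not on the name.
MAGIC = [
    (b"BLENDER", "blend"),      # uncompressed .blend header starts with this text
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXT_TYPE = {".blend": "blend", ".zip": "zip", ".jpg": "jpeg", ".jpeg": "jpeg"}

def sniff(path):
    """Return the type implied by the first bytes, or None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None

def find_mismatches(directory):
    """List (name, type_by_extension, type_by_content) where the two disagree."""
    out = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        by_ext = EXT_TYPE.get(os.path.splitext(name)[1].lower())
        by_content = sniff(path)
        if by_content is not None and by_content != by_ext:
            out.append((name, by_ext, by_content))
    return out

def demo():
    """Build a constructed download folder and audit it."""
    samples = {
        "scene.blend": b"BLENDER-v280" + b"\0" * 8,  # constructed, name matches content
        "photos.zip": b"PK\x03\x04" + b"\0" * 8,      # constructed, name matches content
        "invoice.zip": b"BLENDER-v280" + b"\0" * 8,  # constructed: .zip name, .blend bytes
        "notes.txt": b"hello\n",                       # unrecognised content, not flagged
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(d)

if __name__ == "__main__":
    print(demo())
```

A check like this only reports the disagreement; it does not make the thumbnailing code itself any safer, which is what the sandboxing discussed in the replies addresses.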


        • #5
          Thumbnailers run in a separate "thumbnail.so" process. You could use AppArmor (or similar) to lock down permissions of that process.



          • #6
            Originally posted by cfeck View Post
            Thumbnailers run in a separate "thumbnail.so" process. You could use AppArmor (or similar) to lock down permissions of that process.
            That would help. You could make a profile that limited the thumbnail.so process to only being able to read the files which it actually knows how to thumbnail (e.g. rules like /**.{jpg,blend}). You could also not permit the process to perform any network access.

            The profile would have to be very strong, because if someone targets KDE Dolphin users and the AppArmor profile is widely installed, then they will surely exploit any weakness in it.



            • #7
              Originally posted by cfeck View Post
              Thumbnailers run in a separate "thumbnail.so" process. You could use AppArmor (or similar) to lock down permissions of that process.
              It certainly is possible. GNOME does this with bubblewrap.



              • #8
                Originally posted by cybertraveler View Post
                I skimmed the source code and I can't see any sign that this thumbnailing code is being security sandboxed in any way.

                Without security sandboxing, it's foreseeable that a specially crafted file could be created that exploits Dolphin thumbnailing code (Blender or otherwise). A user wouldn't even have to open the file. Simply downloading it and browsing to the folder which contains it (a common practice) would be enough to trigger the exploit.

                Considering that Dolphin appears to be using file magic numbers to detect file formats, the user could end up downloading a file, seemingly of one format (e.g. .zip) and the thumbnailer of another format (e.g. .blend) could be exploited. This would make it even easier to exploit.
                Please report via [email protected]



                • #9
                  Originally posted by [email protected] View Post
                  KDE on the other hand, is the king of keyboard shortcuts since forever, as it allows you to do whatever you want.
                  Can't use Meta + Numpad keys though, tried to do that for tiling shortcuts.



                  • #10
                    Originally posted by polarathene View Post
                    Can't use Meta + Numpad keys though, tried to do that for tiling shortcuts.
                    I just tried and it worked for me. Recent KDE. Though I didn't try with a tiling shortcut.

