Fedora Core 2 Test 2 - delayed
Mike A. Harris
mharris at redhat.com
Mon Mar 1 05:25:04 UTC 2004
On Fri, 27 Feb 2004, Vincent wrote:
>> On Fri, 27 Feb 2004, Leonard den Ottolander wrote:
>>
>> >How well scrutinized is this NSA code actually? Everybody can see they
>> >won't slip in an obvious backdoor, but how about nasty little overflows,
>> >tucked away deep inside the code, for which they already have exploits
>> >in their drawer?
>>
>> Aside from rejecting SElinux merely due to conspiracy theories
>> alone, what would be your suggestion to ensure that this is not
>> the case?
>>
>> If you really think about it, you can apply the same conspiracy
>> theory to the Linux kernel, XFree86, and every other piece of
>> software in the system.
>>
>> There are quite a few security vulnerabilities found and fixed in
>> OSS source code. How can you truely be sure that a given
>> vulnerability wasn't planted there intentionally?
>>
>> Take the recent XFree86 security update which contains fixes for
>> libXfont. Do we really know for sure that when Keith Packard
>> wrote that 14 or so years ago, that he didn't intentionally put
>> the buffer overflows in there, so that he could 0wn all machines
>> running the X Window System 15 years later? ;o)
>>
>> You did upgrade X to the latest version right? ;o)
>
>I thought Fedora wasn't vulnerable to that bug due to
>exec-shield. Packard never saw that one comming!
Correct, we've tested and confirmed that exec-shield blocks the
libXfont attacks if enabled. Unfortunately, I accidentally
neglected to mention that in the erratum release notes for Fedora
Core 1 XFree86 erratum. ;o/
--
Mike A. Harris ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat
More information about the fedora-devel-list
mailing list