Fedora Core 2 Test 2 - delayed

[Mike A. Harris]

On Fri, 27 Feb 2004, Vincent wrote:

>> On Fri, 27 Feb 2004, Leonard den Ottolander wrote:
>> 
>> >How well scrutinized is this NSA code actually? Everybody can see they
>> >won't slip in an obvious backdoor, but how about nasty little overflows,
>> >tucked away deep inside the code, for which they already have exploits
>> >in their drawer?
>> 
>> Aside from rejecting SElinux merely due to conspiracy theories
>> alone, what would be your suggestion to ensure that this is not
>> the case?
>> 
>> If you really think about it, you can apply the same conspiracy 
>> theory to the Linux kernel, XFree86, and every other piece of 
>> software in the system.
>> 
>> There are quite a few security vulnerabilities found and fixed in 
>> OSS source code.  How can you truely be sure that a given 
>> vulnerability wasn't planted there intentionally?
>> 
>> Take the recent XFree86 security update which contains fixes for
>> libXfont.  Do we really know for sure that when Keith Packard 
>> wrote that 14 or so years ago, that he didn't intentionally put 
>> the buffer overflows in there, so that he could 0wn all machines 
>> running the X Window System 15 years later?  ;o)
>> 
>> You did upgrade X to the latest version right?  ;o)
>
>I thought Fedora wasn't vulnerable to that bug due to
>exec-shield. Packard never saw that one comming!

Correct, we've tested and confirmed that exec-shield blocks the 
libXfont attacks if enabled.  Unfortunately, I accidentally 
neglected to mention that in the erratum release notes for Fedora 
Core 1 XFree86 erratum.  ;o/



-- 
Mike A. Harris     ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat