risk

Mike McCarty mike.mccarty at sbcglobal.net
Wed Jul 13 17:14:21 UTC 2005


Andy Green wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike McCarty wrote:
>
> | I have ADSL connections, with a D-Link wireless router between
> | my box and the ADSL modem. I have disabled the wireless part
> | of the router, and removed its antenna. Only the one machine
> | is actually connected to the router. I use Mozilla (cookies disabled,
> | java disabled) and Thunderbird (use server connections).
> |
> | So, what is my "vulnerability"?
> |
> | This is a serious question.
>
> Well the recent libz vuln will allow merely browsing to an evil site to
> take over your machine with your main user account privs by sending you
> a poisonous .png.  Unless you have updated your libz with the security
> update.  Even then anything else with libz compiled in statically is
> vulnerable.

Ok, let's suppose for a moment that, while I'm a fairly intelligent guy,
I'm pretty ignorant of Linux internals. Could you give me something
a little more intelligible. What is a poisonous .png? I'm using the latest
FC2. How can I tell whether I have updated my libz? I used up2date
up to the point where FC2 was no longer being updated.

>   And how do you create such a canonical list of apps when
> the (small, for zlib) sources may be composed into the app itself?  So
> there is only a probability of safety eaten away by uncertainty, you can
> never prove there are no vulns so you can never really be certain of
> safety.  Particularly all Fedora installs could be compromised by
> tampering with upstream source distributions... you can't disprove it
> (and let's hope nobody ever proves it!).

I didn't ask how one can prove one is secure. Proving a universal is
universally impossible.

>
> "Mozilla" is a giant teetering edifice of everchanging code that you

Oh, come now. If you take that attitude, then Linux and the FSF code
is pretty much the same. With that attitude, the selinux is the same.
Have *you* looked at all the code in Linux? Have you read and
verified the selinux source? Obviously not. Otherwise there wouldn't
be reports against it.

[snip]

Mike

-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
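The two practical points in the exchange above, "how can I tell whether I have updated my libz" and Andy's warning that a package update does nothing for programs with zlib compiled in statically, can both be answered from the command line. What follows is an added example written for this page, not code from the thread or from Fedora. It relies on one real property of zlib: every build embeds its own copyright string, "inflate <version> Copyright ... Mark Adler", so a binary that carries that string carries its own copy of zlib, whatever libz.so.1 says. The MIN_SAFE threshold and the sample files are assumptions: the real threshold comes from the advisory for the bug in question, and the fixtures are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find every file under a directory that
# carries its own copy of zlib and flag the ones older than MIN_SAFE.
#
# Assumptions (not facts from the thread):
#   - zlib embeds "inflate <ver> Copyright ... Mark Adler" in every build (it does);
#   - MIN_SAFE is a placeholder; take the real value from the security advisory.

MIN_SAFE="${MIN_SAFE:-1.2.3}"   # placeholder threshold, override via environment

# Print the zlib version embedded in file $1, or nothing if none is found.
# grep -a treats the binary as text, -o prints only the matching fragment.
zlib_version_in_file() {
    grep -a -o 'inflate [0-9]\.[0-9][0-9.]*' "$1" 2>/dev/null \
        | head -n1 | sed 's/^inflate //'
}

# Return 0 (true) if dotted version $1 is older than $2, field by field.
# Missing trailing fields count as 0, so 1.2.3 < 1.2.3.1 and 1.2.3 == 1.2.3.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Walk directory $1 and print one line per file that embeds zlib:
#   <path> <version> ok
#   <path> <version> VULNERABLE (embedded zlib older than <MIN_SAFE>)
# Files that merely link libz.so.1 dynamically carry no version string and
# are not listed; for them the packaged shared library is what matters.
scan_dir() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        v=$(zlib_version_in_file "$f")
        [ -n "$v" ] || continue
        if version_lt "$v" "$MIN_SAFE"; then
            printf '%s %s VULNERABLE (embedded zlib older than %s)\n' "$f" "$v" "$MIN_SAFE"
        else
            printf '%s %s ok\n' "$f" "$v"
        fi
    done
}

# Stand-alone use: sh findzlib.sh /usr   (also scans libz.so.1 itself)
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it over /usr (or / if you have the time) and compare its line for libz.so.1 with `rpm -q zlib`; the two should agree on the packaged version. Anything else in the report is a program with its own zlib baked in, which is exactly the case the package update cannot fix and which has to be rebuilt or replaced on its own.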




More information about the fedora-list mailing list