On Fri, 27 Feb 2004 10:02:09 -0500 (EST) "Mike A. Harris" <mharris@xxxxxxxxxx> wrote:

> On Fri, 27 Feb 2004, Leonard den Ottolander wrote:
>
> > How well scrutinized is this NSA code actually? Everybody can see they
> > won't slip in an obvious backdoor, but how about nasty little overflows,
> > tucked away deep inside the code, for which they already have exploits
> > in their drawer?
>
> Aside from rejecting SElinux merely due to conspiracy theories
> alone, what would be your suggestion to ensure that this is not
> the case?
>
> If you really think about it, you can apply the same conspiracy
> theory to the Linux kernel, XFree86, and every other piece of
> software in the system.
>
> There are quite a few security vulnerabilities found and fixed in
> OSS source code. How can you truly be sure that a given
> vulnerability wasn't planted there intentionally?
>
> Take the recent XFree86 security update which contains fixes for
> libXfont. Do we really know for sure that when Keith Packard
> wrote that 14 or so years ago, that he didn't intentionally put
> the buffer overflows in there, so that he could 0wn all machines
> running the X Window System 15 years later? ;o)
>
> You did upgrade X to the latest version right? ;o)
>
> --
> Mike A. Harris ftp://people.redhat.com/mharris
> OS Systems Engineer - XFree86 maintainer - Red Hat

I thought Fedora wasn't vulnerable to that bug due to exec-shield. Packard never saw that one coming!