[Bug 469585] Review Request: moon-buggy - Drive and jump with some kind of car across the moon

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=469585





--- Comment #21 from Robert Scheck <redhat-bugzilla@xxxxxxxxxxxx>  2009-01-04 09:57:04 EDT ---
(In reply to comment #20)
> Both on my rawhide i386 system and koji scratch build
> fails (ref: http://koji.fedoraproject.org/koji/taskinfo?taskID=1031143)

Looks like my Rawhide system is then somehow broken, possible. But shouldn't
prevent us here from continuing, the packages for Fedora are anyway built by
the build system hopefully not broken ;-)

> For /bin/vi case, the impact of the risk should be limited 
> to the person who intentionally tried to read the file.

And if the person doing intentionally this is root? Thus it is simply the
same case as vi. You unluckily didn't get my point.

> Then please do this in the safe way. By the way the basic problem
> I think is that the file "mbscore" is created by arbitrary person.

Patches by you are cheerfully accepted. As other packages having exactly (!)
the same got successfully reviewed, I'm definitely not going to change this
as downstream. This would be upstream's job, I'm not forking foreign software
as other packagers do, because we're just Fedora and because of we're just
cool or we want to be better and more concerned about something than others.

Again, can you show me how to exploit or manipulate read_version2_data() or 
read_version3_data() somehow? As mentioned - my C knowledge isn't the best,
but the C code seems straight-forward to me.

> Because Fedora is more careful? (actually security responsible
> team on RedHat is very concerned about setuid/setgid binaries:
> e.g.
> https://www.redhat.com/archives/fedora-security-list/2007-April/msg00004.html

That thread talks about SELinux, PAM and that setuid is here not needed at all;
wrong topic.
