--- Comment #23 from Mamoru Tasaka <mtasaka@xxxxxxxxxxxxxxxxxxx> 2009-01-04 10:39:15 EDT ---

(In reply to comment #21)
> > For /bin/vi case, the impact of the risk should be limited
> > to the person who intentionally tried to read the file.
>
> And if the person doing intentionally this is root? Thus it is simply the
> same case as vi.

You unluckily didn't get my point. Again, what I am saying is that a malicious
file created by one person can be read by another person, not only by root.

> > Then please do this in the safe way. By the way the basic problem
> > I think is that the file "mbscore" is created by arbitrary person.
>
> Patches by you are cheerfully accepted. As other packages having exactly (!)
> the same got successfully reviewed,

This package is not the other packages, of course.

> I'm definitely not going to change this
> as downstream. This would be upstream's job,

No, maintaining the software in the safe way is definitely the distribution
maintainer's job (well, I really don't like the phrase "it is upstream's job",
which is spoken carelessly. It must not be a maintainer's attitude).

> I'm not forking foreign software
> as other packagers do, because we're just Fedora and because of we're just
> cool or we want to be better and more concerned about something than others.

I think this must not be a maintainer's attitude.

> Again, can you show me how to exploit or manipulate read_version2_data() or
> read_version3_data() somehow? As mentioned - my C knowledge isn't the best,
> but the C code seems straight-forward to me.

Potentially crafted files may cause buffer overflow or numerical overflow, and
in such a case we cannot tell what happens, for example?

> > > Because Fedora is more careful? (actually security responsible
> > > team on RedHat is very concerned about setuid/setgid binaries:
> > > e.g.
> > > https://www.redhat.com/archives/fedora-security-list/2007-April/msg00004.html
>
> That thread talks about SELinux, PAM and that setuid is here not needed at all;
> wrong topic.

I just showed an example that the RH security responsible team is very concerned
about setuid/gid binaries.
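The parsing concern raised above (a setgid binary reading a score file that any user can write) as an added example; this is not code from the package under review, and the record layout, the field names and the function `parse_score_file` are assumptions made for illustration:

```c
/* Added example, not the real mbscore format: a bounds-checked reader for a
 * hypothetical little-endian score file laid out as
 *   uint32 version | uint32 count | count * { char name[16]; uint32 score }
 * Every size decision is made from the validated buffer length, never from
 * the untrusted header alone, so a crafted file is rejected before any copy. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16
#define RECORD_SIZE (NAME_LEN + 4)
#define HEADER_SIZE 8

struct score_rec { char name[NAME_LEN + 1]; uint32_t score; };

static uint32_t rd_u32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of records parsed, or -1 if the file is malformed. */
int parse_score_file(const unsigned char *buf, size_t len,
                     struct score_rec *out, size_t max_out)
{
    if (len < HEADER_SIZE) return -1;                 /* truncated header */
    uint32_t version = rd_u32(buf), count = rd_u32(buf + 4);
    if (version != 2 && version != 3) return -1;      /* unknown layout */
    /* Divide rather than multiply: "HEADER_SIZE + count * RECORD_SIZE <= len"
     * can wrap when count is huge and size_t is 32-bit; this form cannot. */
    if (count > (len - HEADER_SIZE) / RECORD_SIZE) return -1;
    if (count > max_out) return -1;                   /* caller's buffer too small */
    for (uint32_t i = 0; i < count; i++) {
        const unsigned char *rec = buf + HEADER_SIZE + (size_t)i * RECORD_SIZE;
        memcpy(out[i].name, rec, NAME_LEN);
        out[i].name[NAME_LEN] = '\0';                 /* never trust an embedded NUL */
        out[i].score = rd_u32(rec + NAME_LEN);
    }
    return (int)count;
}

/* Constructed inputs: one well-formed file, one whose header claims
 * 0xffffffff records while carrying only four bytes of body. */
static const unsigned char good_file[HEADER_SIZE + RECORD_SIZE] = {
    2,0,0,0, 1,0,0,0,
    'a','l','i','c','e',0,0,0,0,0,0,0,0,0,0,0, 0x39,0x30,0,0   /* score 12345 */
};
static const unsigned char crafted_file[HEADER_SIZE + 4] = {
    3,0,0,0, 0xff,0xff,0xff,0xff, 'x','x','x','x'
};

int demo_good(void)    { struct score_rec r[4]; return parse_score_file(good_file, sizeof good_file, r, 4); }
int demo_crafted(void) { struct score_rec r[4]; return parse_score_file(crafted_file, sizeof crafted_file, r, 4); }
```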