[Bug 469585] Review Request: moon-buggy - Drive and jump with some kind of car across the moon

Sun Jan 4 15:39:16 UTC 2009

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=469585

--- Comment #23 from Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp>  2009-01-04 10:39:15 EDT ---
(In reply to comment #21)
> > For /bin/vi case, the impact of the risk should be limited 
> > to the person who intentionally tried to read the file.
> 
> And if the person doing intentionally this is root? Thus it is simply the
> same case as vi. You unluckily didn't get my point.

Again what I am saying that a malious file created by one person
can be read by other person, not only by root.

> 
> > Then please do this in the safe way. By the way the basic problem
> > I think is that the file "mbscore" is created by arbitrary person.
> 
> Patches by you are cheerfully accepted. As other packages having exactly (!)
> the same got successfully reviewed, 

This package is not the other packages, of course.

> I'm definately not going to change this
> as downstream. This would be upstream's job, 

No, maintaining the software in the safe way is definitely
distribution maintainer's job (well, I really don't like the
word "it is upstream's job" which is spoken carelessly.
It must not be a maintainer's attitude).

> I'm not forking foreign software
> as other packagers do, because we're just Fedora and because of we're just
> cool or we want to be better and more concerned about something than others.

I think this must not be a maintainer's attitude.

> 
> Again, can you show me how to exploit or manipulate read_version2_data() or 
> read_version3_data() somehow? As mentioned - my C knowledge isn't the best,
> but the C code seems straight-forward to me.

Potential crafted files may cause buffer overflow or numerical
overflow, in such case we cannot tell what happens, for example?

> 
> > Because Fedora is more careful? (actually security responsible
> > team on RedHat is very concerned about setuid/setgid binaries:
> > e.g.
> 
> > https://www.redhat.com/archives/fedora-security-list/2007-April/msg00004.html
> 
> That thread talks about SELinux, PAM and that setuid is here not needed at all;
> wrong topic.

I just showed an example that RH security responsible team
is very concerned about setuid/gid binaries.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.