Hi all,
I have built HTML and PDF versions of the very-nearly-finished
Security Guide, which has its focus on Fedora and is on its way to
being available in the upcoming 11 release.
I thought there may be some members of this list who would like to take
a look at it.
Any reviewers/comments at all are of course more than welcome.
http://sradvan.fedorapeople.org/Security_Guide/en-US/
Cheers,
--
Scott Radvan, Content Author
Red Hat APAC (Brisbane) http://www.apac.redhat.com
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=187353
--- Comment #16 from Hans de Goede <hdegoede(a)redhat.com> 2009-03-16 05:46:03 EDT ---
As explained in Comment #3, we could still be (indirectly) vulnerable, with
that said since clearly no-one seems to have the time to work on this and it is
very minor I'm fine with closing it.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=187353
--- Comment #15 from Luke Macken <lmacken(a)redhat.com> 2009-03-15 16:42:19 EDT ---
Reply from nethack upstream about this issue, and the potential rumour that it
has been fixed upstream.
"""
> Someone in the Gentoo community mentioned a while back that the
> dev team had patched the buffer overflow.
We could probably extract the relevant changes, but I don't
think that you actually need them. The real security bug is
being caused by gentoo's policy of giving users full access to
the same group as nethack's setgid setting. They shot themselves
in the foot here, by allowing users to modify the score file
outside of nethack. The lax buffer handling has been (or will
be, from a 3.4.3 perspective...) fixed, but it is not exploitable
in a standard installation where nethack runs in a group whose
files can't be manipulated by arbitrary users.
I assume that redhat/fedora doesn't have the same config
issue as gentoo. If I'm wrong, then you should change nethack
to run in a distinct group rather than--or in addition to--
patching its score file parsing code.
"""
+1 for closing this bug :)
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.