security March 2009

security@lists.fedoraproject.org

6 participants
3 discussions

Fedora/Linux Security Guide
by Scott Radvan 17 Mar '09

17 Mar '09

Hi all, I have built HTML and PDF versions of the very-nearly-finished Security Guide, which has its focus on Fedora and is on its way to being available in the upcoming 11 release. I thought there may be some members of this list who would like to take a look at it. Any reviewers/comments at all are of course more than welcome. http://sradvan.fedorapeople.org/Security_Guide/en-US/ Cheers, -- Scott Radvan, Content Author Red Hat APAC (Brisbane) http://www.apac.redhat.com

5 8

[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file
by Red Hat Bugzilla 16 Mar '09

16 Mar '09

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=187353 --- Comment #16 from Hans de Goede <hdegoede(a)redhat.com> 2009-03-16 05:46:03 EDT --- As explained in Comment #3, we could still be (indirectly) vulnerable, with that said since clearly no-one seems to have the time to work on this and it is very minor I'm fine with closing it. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

1 0

[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file
by Red Hat Bugzilla 15 Mar '09

15 Mar '09

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=187353 --- Comment #15 from Luke Macken <lmacken(a)redhat.com> 2009-03-15 16:42:19 EDT --- Reply from nethack upstream about this issue, and the potential rumour that it has been fixed upstream. """ > Someone in the Gentoo community mentioned a while back that the > dev team had patched the buffer overflow. We could probably extract the relevant changes, but I don't think that you actually need them. The real security bug is being caused by gentoo's policy of giving users full access to the same group as nethack's setgid setting. They shot themselves in the foot here, by allowing users to modify the score file outside of nethack. The lax buffer handling has been (or will be, from a 3.4.3 perspective...) fixed, but it is not exploitable in a standard installation where nethack runs in a group whose files can't be manipulated by arbitrary users. I assume that redhat/fedora doesn't have the same config issue as gentoo. If I'm wrong, then you should change nethack to run in a distinct group rather than--or in addition to-- patching its score file parsing code. """ +1 for closing this bug :) -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security March 2009