| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Sep 2013 18:23:53 -0400 From: Jeffrey Walton <noloader@...il.com> To: Valdis Kletnieks <Valdis.Kletnieks@...edu> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, Steve Wray <stevedwray@...il.com> Subject: Re: Internet has vuln. On Thu, Sep 12, 2013 at 3:23 PM, <Valdis.Kletnieks@...edu> wrote: > On Thu, 12 Sep 2013 08:57:55 +0800, Steve Wray said: > >> In some cases it could be quite difficult to disengage from NSA-influenced >> projects, eg selinux. So far as I can tell this is pretty much everywhere >> now. Redhat embraced it ages ago, its been integrated in the kernel since >> 2.6, so how do we opt out of selinux? > > Well, given that SELinux *did* come out of the NSA, but has had tons of code > review of the base code (which isn't really all that much) and the actual > policy files (which is where I'd hide a backdoor, they're a lot more obscure > than the actual kernel code), by lots of people who would have *loved* to be > the one who caught the NSA doing something underhanded, I think you're barking > up an entirely incorrect tree. They ignored my comments on fixed size arrays based on MAX_PATH and the subsequent overflows and silent truncations due to use of sprintf and snprintf.... Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists