On Fri, Aug 01, 2003 at 09:16:25PM -0400, Joey Hess wrote:
> Only because Steve Kemp is doing some good work on auditing our games.
> I suspect he would have just as much luck finding security holes in some
> other areas.

I've mostly covered the games now; there's not too many left that I want to have a look at. Next it's editors - I can't believe I found a setuid(0) one!

> > Yes, but I think the eyes should concentrate on non sgid-games first.
> > Because this might be a really BIG junk of UGLINESS one will find there :)

I've found a lot of problems in non-setgid programs too, but those reports don't often get as much attention - and to be honest they're usually triggered by situations a normal user wouldn't ever trigger. So, sure they're important, but they're not _as_ important.

> I understand that if you want to help with the auditing effort,
> information is here:
> http://www.steve.org.uk/Debian/

Yes, assistance would be great; I've not coordinated anything, so at the moment it's a bit arbitrary: "pick a package, and have a look at it". I'll post a list of the packages that I've examined shortly to avoid duplication.

Steve
---
www.steve.org.uk
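The mail above argues for looking at setgid-games (and other setuid/setgid) binaries before ordinary programs, because those are the ones where a bug crosses a privilege boundary. As an added example, not part of the original message or of the audit project it describes, the following POSIX shell functions enumerate the setuid/setgid executables under a directory tree so an auditor can build exactly that kind of priority list. The directory default, the output format and the group name "games" are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): find the setuid/setgid
# executables an auditor would want to review first.

# list_privileged_execs DIR
#   Prints one line per setuid or setgid regular file under DIR:
#   MODE OWNER GROUP PATH  (assumed output format)
list_privileged_execs() {
    dir="${1:-/usr}"                       # assumed default: /usr
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
    awk '{ print $1, $3, $4, $NF }'
}

# count_setgid_group DIR GROUP
#   Number of setgid files under DIR owned by GROUP, e.g. "games",
#   which is the class of binary the thread suggests auditing first.
count_setgid_group() {
    dir="$1"
    group="$2"
    find "$dir" -xdev -type f -perm -2000 -group "$group" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Usage (assumed invocation):
#   list_privileged_execs /usr | sort -k3,3
#   count_setgid_group /usr games
```

Sorting the listing by group puts the setgid-games binaries together, which is the "non sgid-games first" ordering the quoted reply asks for; the same listing also shows which setuid(0) editors or other tools fall into the higher-risk class.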