On Wed, Feb 12, 2003 at 08:19:35PM -0500, Mike A. Harris wrote:
> On Wed, 12 Feb 2003, John Bartoszewski wrote:
>
> Heard comments from whom? And what specific security problems?
> What source code files are these problems in? Or are they just
> what-if rumors?

The sources at the time could not point me to any specific reports, just
that they had read them somewhere. Since then I have concluded that they
were talking about the 1999 paper:

http://dri.sourceforge.net/doc/security_low_level.html

and specifically the possible ability of a DRI client to use DMA to read
and write anywhere in memory. I have asked on a DRI list if this paper is
still valid and, if so, if there was a listing of devices and drivers that
did not have the DMA problem. I have gotten no response so far.

> >Without actually reading the drivers is there any place where
> >these security problems are discussed and archived?
>
> You assume that there are known security issues which are also
> not fixed. That is not the case however, but I urge anyone who
> believes they know of such a security issue to report it
> privately to [EMAIL PROTECTED], [EMAIL PROTECTED],
> [EMAIL PROTECTED]
>

I do believe that it takes time to fix a security issue. Since the time to
fix a security issue is non-zero, we can assume there exists a state where
a security issue is not fixed. There might have been a place where past or
current security problems were archived and what was done to fix them. You
have answered that there is not.

> How exactly would someone audit a binary only driver that there
> is no publicly available source code for? I'm not sure a heck
> of a lot could be done without the source code. You'd have to
> ask those vendors directly however if they've audited their own
> source code for security issues.

It is possible that the source for these drivers could have been released
(non-publicly) for third party audit. I will infer from your comments that
you do not believe this has been done.

----
John Bartoszewski                        Email: [EMAIL PROTECTED]
Senior Systems/Security Administrator    .----------------------------------.
Instructional Laboratories               : If you are not terrified         :
Department of Computing Science          : you are just repeating yourself. :
University of Alberta, Canada            `._    - Gilbert and George     _.'

_______________________________________________
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86