> Anything short of a specific example of a real security problem 
> is nothing more than heresy.
> 
A quibble really, but I think you mean "hearsay" although I concede that
heresy could be appropriate too. :) I'm sorry, I just couldn't resist...

Cyn

> -----Original Message-----
> From: Mike A. Harris [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, February 12, 2003 8:20 PM
> To: [EMAIL PROTECTED]
> Subject: [XFree86] Re: Security in new drivers
> 
> 
> On Wed, 12 Feb 2003, John Bartoszewski wrote:
> 
> >I've heard comments from various people that in some drivers for
> >new cards there are local security problems. The example
> >that was brought up was the driver for the Radeon 7000 being
> >able to write anywhere in memory and therefore compromise
> >security.
> 
> Heard comments from whom?  And what specific security problems?  
> What source code files are these problems in?  Or are they just 
> what-if rumors?
> 
> Seriously, if someone has a claim that one of the drivers is 
> insecure, then they would know the exact area of the driver 
> source that such security problems exist, and one would expect 
> that they would report the problems in a responsible manner to 
> appropriate developers privately to be examined.
> 
> Anything short of a specific example of a real security problem 
> is nothing more than heresy.
> 
> 
> >Without actually reading the drivers is there any place where
> >these security problems are discussed and archived?
> 
> You assume that there are known security issues which are also 
> not fixed.  That is not the case however, but I urge anyone who 
> believes they know of such a security issue to report it 
> privately to [EMAIL PROTECTED], [EMAIL PROTECTED], 
> [EMAIL PROTECTED]
> 
> 
> >Is there a good forum to ask if a driver is secure?
> 
> If a driver wasn't secure, it would be either fixed, or likely 
> disabled and removed.
> 
> >Have there been audits on drivers directly from Nvidia, Matrox
> >or ATI?
> 
> How exactly would someone audit a binary only driver that there 
> is no publicly available source code for?  I'm not sure a heck 
> of a lot could be done without the source code.  You'd have to 
> ask those vendors directly however if they've audited their own 
> source code for security issues.
> 
> 
> 
> -- 
> Mike A. Harris
> 
> 
> _______________________________________________
> XFree86 mailing list
> [EMAIL PROTECTED]
> http://XFree86.Org/mailman/listinfo/xfree86
> 