Bug#646156: pu: package xorg-server/2:1.7.7-14

To: Julien Cristau <jcristau@debian.org>, 646156@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#646156: pu: package xorg-server/2:1.7.7-14
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Sat, 29 Oct 2011 13:38:47 -0400
Message-id: <CANTw=MNix_bkHMu7gyQ+qtzhAkzkQ0Xc46jLBMG2bFHrKqobYw@mail.gmail.com>
Reply-to: Michael Gilbert <michael.s.gilbert@gmail.com>, 646156@bugs.debian.org
In-reply-to: <20111021191256.GA11053@radis.liafa.jussieu.fr>
References: <20111021191256.GA11053@radis.liafa.jussieu.fr>

On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
> +Author: Matthieu Herrb <matthieu.herrb@laas.fr>
> +Date:   Mon Oct 17 22:27:35 2011 +0200
> +
> +    Fix CVE-2011-4029: File permission change vulnerability.
> +
> +    Use fchmod() to change permissions of the lock file instead
> +    of chmod(), thus avoid the race that can be exploited to set
> +    a symbolic link to any file or directory in the system.

I wonder if at least this one should be treated with a real urgency?
On the surface its an info disclosure issue, which tend to be very low
urgency, but it's a pretty bad once since its actually a disclosure of
any file on the system (e.g. /etc/shadown), and there is an existing
poc exploit:
http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt

Best wishes,
Mike

Reply to:

Follow-Ups:
- Bug#646156: pu: package xorg-server/2:1.7.7-14
  - From: Julien Cristau <jcristau@debian.org>

References:
- Bug#646156: pu: package xorg-server/2:1.7.7-14
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: ben, edos-debcheck, arch:all
Next by Date: Re: Multiarch support in dpkg — really in time for wheezy?
Previous by thread: Processed: Re: Bug#646156: pu: package xorg-server/2:1.7.7-14
Next by thread: Bug#646156: pu: package xorg-server/2:1.7.7-14
Index(es):
- Date
- Thread