I'm group replying, so Ray, please don't take some of the griping below personally. :) On Wed, Jun 03, 1998 at 12:12:39PM -0400, Joey Hess wrote: > jdassen@wi.leidenuniv.nl wrote: > > Package: xbase > > Version: 3.3.2.1-1 > > Severity: critical > > > > XFree86 3.3.2.2 has been released. According to > > http://www.xfree86.org/3.3.2/RELNOTES3.html#3 : > > :3.3.2 patch 2 (aka 3.3.2.2) fixes some security bugs, a denial of service > > :problem with xdm, a few gcc 2.8.x-related build problems and updates > > :scanpci. The security bugs fixed are buffer overruns in the X11, Xt, Xaw > > :and Xmu libraries This affects xterm and any other setuid-root program that > > :uses these libraries. > > Hi, I'm very out of touch lately (stranded in Atlantic City by the beach > with no internet, woa is me ;-), and I maintain nextaw. Is this the same > buffer overflow problem in Xaw and xterm that came up a while ago and also > affected nextaw and xaw95 and xaw3d, or a new one? > > If it's a new one, I request that someone get nextaw fixed for me, I won't > be done with this trip for 2 more weeks. It's a new one. XFree86 has released two public patches addressing security issues in the past few weeks. 3.3.2.1-1 contains the first patch, but not the second. The second public patch has been applied to the source tree that will become 3.3.2.2-1, but that build has not been made yet. I expect the maintainers of nextaw, xaw95, and xaw3d will want to look at that second public patch. It's at <http://www.xfree86.org/> and also in /debian2/tmp/branden/junk on master. 3.3.2.2-1 is being held up for a few reasons. 1) We're stuck between a rock and a hard place when it comes to xterm and a potential wrapper for it. Specifically, there are some glibc 2.1-specific functions that would make life a lot easier regarding pty allocation, but this solution in its most elegant form would require the cooperation of the libc6 maintainer. The X Strike Force page <http://master.debian.org/~branden/xsf.html> has some pointers about this. 2) There needs to be a new terminal type, xterm-debian, which tracks the latest XFree86 xterm entry but incorporates our keyboard policy (and anything else we want to customize). I need to coordinate with the ncurses-base maintainer and some other folks about this. Ideally I should provide an xterm-debian termcap entry to the maintainer of termcap-compat as well. There are some issues with terminfo/termcap I don't grok yet, so yesterday I bought the O'Reilly book on them and will be dredging it for clues. An "xterm-debian" terminal type may sound strange at first, but please don't jump on me saying it's a bad idea. Ian Jackson, Mark Baker and I took at this issue and it looks like the best solution. I don't have the bug number for that discussion handy. 3) We have the magical mystical respawning-xdm-on-broken-configuration problem. Topi Miettinen found code in xdm that has apparently been written to suppress this (xdm gives up after receiving fatal errors a few times from the server), but for some reason this code isn't running. People are understandably upset about xdm running away with their console like this. I don't know if this is something we can practically fix right now. I'll attempt to prepare a more reasoned response to Richard Braakman's helpful mail about release-critical bugs against XFree86 this weekend, but the above cover the outstanding issues to my mind. I need help with this stuff folks -- if people can help with 1) and 3), I'm pretty sure I have 2) under control. -- G. Branden Robinson | Never underestimate the power of human Purdue University | stupidity. branden@purdue.edu | -- Robert Heinlein http://www.ecn.purdue.edu/~branden/ |
Attachment:
pgpF7HuPCtrGd.pgp
Description: PGP signature