[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#22928: New upstream security fix release

I'm group replying, so Ray, please don't take some of the griping below
personally.  :)

On Wed, Jun 03, 1998 at 12:12:39PM -0400, Joey Hess wrote:
> jdassen@wi.leidenuniv.nl wrote:
> > Package: xbase
> > Version:
> > Severity: critical
> > 
> > XFree86 has been released. According to
> > http://www.xfree86.org/3.3.2/RELNOTES3.html#3 :
> > :3.3.2 patch 2 (aka fixes some security bugs, a denial of service
> > :problem with xdm, a few gcc 2.8.x-related build problems and updates
> > :scanpci. The security bugs fixed are buffer overruns in the X11, Xt, Xaw
> > :and Xmu libraries This affects xterm and any other setuid-root program that
> > :uses these libraries.
> Hi, I'm very out of touch lately (stranded in Atlantic City by the beach
> with no internet, woa is me ;-), and I maintain nextaw. Is this the same
> buffer overflow problem in Xaw and xterm that came up a while ago and also
> affected nextaw and xaw95 and xaw3d, or a new one?
> If it's a new one, I request that someone get nextaw fixed for me, I won't
> be done with this trip for 2 more weeks.

It's a new one.  XFree86 has released two public patches addressing
security issues in the past few weeks. contains the first patch,
but not the second.  The second public patch has been applied to the source
tree that will become, but that build has not been made yet.

I expect the maintainers of nextaw, xaw95, and xaw3d will want to look at
that second public patch.  It's at <http://www.xfree86.org/> and also in
/debian2/tmp/branden/junk on master. is being held up for a few reasons.

1) We're stuck between a rock and a hard place when it comes to xterm and a
potential wrapper for it.  Specifically, there are some glibc 2.1-specific
functions that would make life a lot easier regarding pty allocation, but
this solution in its most elegant form would require the cooperation of the
libc6 maintainer.  The X Strike Force page
<http://master.debian.org/~branden/xsf.html> has some pointers about this.

2) There needs to be a new terminal type, xterm-debian, which tracks the
latest XFree86 xterm entry but incorporates our keyboard policy (and
anything else we want to customize).  I need to coordinate with the
ncurses-base maintainer and some other folks about this.  Ideally I should
provide an xterm-debian termcap entry to the maintainer of termcap-compat
as well.  There are some issues with terminfo/termcap I don't grok yet, so
yesterday I bought the O'Reilly book on them and will be dredging it for
clues.  An "xterm-debian" terminal type may sound strange at first, but
please don't jump on me saying it's a bad idea.  Ian Jackson, Mark Baker
and I took at this issue and it looks like the best solution.  I don't have
the bug number for that discussion handy.

3) We have the magical mystical respawning-xdm-on-broken-configuration
problem.  Topi Miettinen found code in xdm that has apparently been written
to suppress this (xdm gives up after receiving fatal errors a few times
from the server), but for some reason this code isn't running.  People are
understandably upset about xdm running away with their console like this.
I don't know if this is something we can practically fix right now.

I'll attempt to prepare a more reasoned response to Richard Braakman's
helpful mail about release-critical bugs against XFree86 this weekend, but
the above cover the outstanding issues to my mind.

I need help with this stuff folks -- if people can help with 1) and 3), I'm
pretty sure I have 2) under control.

G. Branden Robinson                 |  Never underestimate the power of human
Purdue University                   |  stupidity.
branden@purdue.edu                  |  -- Robert Heinlein
http://www.ecn.purdue.edu/~branden/ |

Attachment: pgpF7HuPCtrGd.pgp
Description: PGP signature

Reply to: