
Red Hat XFree86 security update



[Olaf, if you have any comments I'd like to hear them, otherwise please
feel free to disregard this mail.]

It was pointed out to me that this "error" might have been deliberate; Red
Hat might be able to choke down giving credit to Debian developers for
finding bugs, but not fixing them.

Hopefully this was just some momentary confusion on Red Hat's part and not
a deliberate effort to conceal the authorship of security fixes.

Red Hat could, of course, have written their own fix for the problem (it
wasn't complicated), but I do know that Preston Brown (who maintains
XFree86 for Red Hat) wrote me and asked for a copy of my patch, which I
also submitted to XFree86 and which was incorporated into their source tree
for inclusion in 3.3.6 (and 3.9.whatever-is-next, I presume).

BTW, have no fear, Debian folks, our fix for this problem went into
xbase-clients 3.3.4-2, which was installed on master on 4 September.  A
version of XFree86 3.3.4 for Debian 2.1 ("slink") is available from
<http://www.debian.org/~branden/>.

Just a note to other developers; it's worth watching other distributions'
announcements to see whether or not they credit Debian work correctly.

It would be unfortunate if truth and acknowledgement of individuals' work
on free software were to become casualties of the raging distribution wars.

----- Forwarded message from branden -----

Date: Mon, 20 Sep 1999 00:30:04 -0400
To: pbrown@redhat.com
Subject: Re: [RHSA-1999:035-02] Updated XFree86 3.3.5 packages available
User-Agent: Mutt/1.0pre2i

Hi Preston,

In Red Hat's recent announcement, there is the following text:

> Thanks go to Branden Robinson <branden@debian.org> for discovering a
> possible symlink attack in the xkb extension initialization at server
> startup time.

I appreciate the mention, but I cannot claim credit for having discovered
this vulnerability.  Credit for that, as far as I know, goes to Olaf Kirch
<okir@lst.de>, who announced it to the vendor-sec list.

I did, however, author the fix, which was accepted into the XFree86 source
tree upstream and which I mailed to you.

You might want to clarify the information in your announcement.

-- 
G. Branden Robinson              |   Any man who does not realize that he is
Debian GNU/Linux                 |   half an animal is only half a man.
branden@ecn.purdue.edu           |   -- Thornton Wilder
cartoon.ecn.purdue.edu/~branden/ |



----- End forwarded message -----

-- 
G. Branden Robinson              |
Debian GNU/Linux                 |    Please do not look directly into laser
branden@ecn.purdue.edu           |    with remaining eye.
cartoon.ecn.purdue.edu/~branden/ |
