Bug#646156: pu: package xorg-server/2:1.7.7-14

[Julien Cristau <jcristau@debian.org>]

On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:

> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
> > +Author: Matthieu Herrb <matthieu.herrb@laas.fr>
> > +Date:   Mon Oct 17 22:27:35 2011 +0200
> > +
> > +    Fix CVE-2011-4029: File permission change vulnerability.
> > +
> > +    Use fchmod() to change permissions of the lock file instead
> > +    of chmod(), thus avoid the race that can be exploited to set
> > +    a symbolic link to any file or directory in the system.
> 
> I wonder if at least this one should be treated with a real urgency?
> On the surface its an info disclosure issue, which tend to be very low
> urgency, but it's a pretty bad once since its actually a disclosure of
> any file on the system (e.g. /etc/shadown), and there is an existing
> poc exploit:
> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> 
Moritz said "use p-u", I'm not going to second-guess him.

Cheers,
Julien