Bug#646156: pu: package xorg-server/2:1.7.7-14

[Michael Gilbert <michael.s.gilbert@gmail.com>]

On Sat, Oct 29, 2011 at 2:58 PM, Julien Cristau wrote:
> On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
>
>> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
>> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
>> > +Author: Matthieu Herrb <matthieu.herrb@laas.fr>
>> > +Date:   Mon Oct 17 22:27:35 2011 +0200
>> > +
>> > +    Fix CVE-2011-4029: File permission change vulnerability.
>> > +
>> > +    Use fchmod() to change permissions of the lock file instead
>> > +    of chmod(), thus avoid the race that can be exploited to set
>> > +    a symbolic link to any file or directory in the system.
>>
>> I wonder if at least this one should be treated with a real urgency?
>> On the surface its an info disclosure issue, which tend to be very low
>> urgency, but it's a pretty bad once since its actually a disclosure of
>> any file on the system (e.g. /etc/shadown), and there is an existing
>> poc exploit:
>> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
>>
> Moritz said "use p-u", I'm not going to second-guess him.

This was before the real impact of the issue was clear (I believe),
and definitely before the exploit code existed.  Personally, I think
this needs to get out to squeeze users ASAP.

Best wishes,
Mike