Bug#646156: pu: package xorg-server/2:1.7.7-14
On Sat, Oct 29, 2011 at 2:58 PM, Julien Cristau wrote:
> On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
>> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
>> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c
>> > +Author: Matthieu Herrb <firstname.lastname@example.org>
>> > +Date: Mon Oct 17 22:27:35 2011 +0200
>> > +
>> > + Fix CVE-2011-4029: File permission change vulnerability.
>> > +
>> > + Use fchmod() to change permissions of the lock file instead
>> > + of chmod(), thus avoid the race that can be exploited to set
>> > + a symbolic link to any file or directory in the system.
>> I wonder if at least this one should be treated with a real urgency?
>> On the surface its an info disclosure issue, which tend to be very low
>> urgency, but it's a pretty bad once since its actually a disclosure of
>> any file on the system (e.g. /etc/shadown), and there is an existing
>> poc exploit:
> Moritz said "use p-u", I'm not going to second-guess him.
This was before the real impact of the issue was clear (I believe),
and definitely before the exploit code existed. Personally, I think
this needs to get out to squeeze users ASAP.