This may or may not apply to any released packages, but various people have unofficial XFree86 4.3.x packages floating around that probably need to be fixed. ----- Forwarded message from Roland Scheidegger <rscheidegger_lists@hispeed.ch> ----- From: Roland Scheidegger <rscheidegger_lists@hispeed.ch> Date: Thu, 12 Feb 2004 13:44:09 +0100 Subject: [Dri-devel] XFree86 local root exploit To: DRI developer's list <dri-devel@lists.sourceforge.net> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113 There's a buffer overflow in XFree86 allowing local attackers to gain root privileges. Here's the patch, ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff the advisory http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false and a demo exploit also already has been published. I think it would be a good idea if someone could apply the patch to the dri cvs (applies with some fuzz and offset), if it is vulnerable. Roland ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click -- _______________________________________________ Dri-devel mailing list Dri-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dri-devel ----- End forwarded message ----- -- Ryan Underwood, <nemesis@icequake.net>
Attachment:
signature.asc
Description: Digital signature