Re: XFree86 4.2.1 update release and Xlib security problem (fwd)
On Thu, 5 Sep 2002, Branden Robinson wrote:
> On Thu, Sep 05, 2002 at 02:31:55PM +1000, Neale Banks wrote:
> > Does this throw the proverbial spanner in the plans - or is it just a
> > minor hiccup?
>
> In my opinion, it's a minor hiccup at worst.
>
> * No released version of Debian is vulnerable to this exploit.
> * Not even Debian unstable is vulnerable, since XFree86 4.2.0 hasn't
> been released to it yet.
> * Anyone using my pre-release .debs is potentially vulnerable.
> * If you are alarmed by this, downgrade xlibs to 4.1.0-17. You'll need
> to downgrade a few other packages as well.
> * The impact of this vulnerability hasn't been established yet.
> * Debian doesn't ship any setuid root X clients to my knowledge.
> * Check the permissions and ownership on your screen locker programs,
> such as xlock and xscreensaver.
> * As long as any privileged X clients aren't coded to exploit this
> vulnerability, there is no problem. Setuid and setgid X clients
> should be carefully scrutinized anyway.
Not exactly where I was coming from (I expect this kind of stuff
occasionally - it's the price of living on the edge ;-) - but thanks for
the clarification.
> This doesn't really disrupt my release plans at all. The next
> pre-release will be 4.2.1-0pre1v1 instead of 4.2.0-0pre1v5.
Ah, OK (the impact inconvenience of this is more where I was coming from).
I look forward to 4.2.1-0pre1v1 "when it's ready".
> I knew about this vulnerability a couple of weeks ago, but was sworn to
> secrecy.
That's cool (at least you knew enough to refrain from doing anything that
might have complicated things).
Thanks,
Neale.
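Branden's advice above is to check the permissions and ownership of privileged X clients such as screen lockers, since a setuid or setgid client is the only way an Xlib bug like this becomes a local privilege problem. The following is an added example, not code from the thread or from the Debian XFree86 packages: a small POSIX sh check that lists setuid/setgid executables under the given directories. The directory names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread): find setuid/setgid
# executables among X clients, the audit step recommended in the discussion.

# Print mode, owner and path of every regular file under the given
# directories that carries the setuid (4000) or setgid (2000) bit.
list_privileged_clients() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec ls -l {} \; 2>/dev/null
    done
}

# Exit 0 if the named file is a regular file with setuid or setgid set,
# 1 otherwise. Handy for checking a single locker such as xlock.
is_privileged() {
    [ -f "$1" ] || return 1
    [ -u "$1" ] || [ -g "$1" ]
}

# Constructed demo layout (assumption): a fake X bin directory with one
# setuid locker and one ordinary client, so the script runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/xlock" "$tmp/xterm"
    chmod 4755 "$tmp/xlock"   # setuid root-style locker
    chmod 0755 "$tmp/xterm"   # unprivileged client
    echo "Privileged X clients under $tmp:"
    list_privileged_clients "$tmp"
    rm -rf "$tmp"
}

# Typical real-world invocation (paths are assumptions; adjust per system):
#   list_privileged_clients /usr/X11R6/bin /usr/bin/X11
```

Run `demo` to see the constructed case; in practice point `list_privileged_clients` at the directories where your X clients live and review each hit by hand, since an entry in that list is a client that must be trusted not to trigger the Xlib bug with elevated privileges.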