
Bug#398460: marked as done (CVE-2006-5397: libX11 XCOMPOSEFILE File Descriptor Leak)



Your message dated Tue, 14 Nov 2006 17:47:13 -0800
with message-id <E1Gk9rt-00072m-2W@spohr.debian.org>
and subject line Bug#398460: fixed in libx11 2:1.0.3-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libx11-6
Version: 2:1.0.3-2
Severity: important
Tags: security


A vulnerability has been found in libx11:
The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2
and 1.0.3 opens a file for reading twice using the same file
descriptor, which causes a file descriptor leak that allows local
users to read files specified by the XCOMPOSEFILE environment variable
via the duplicate file descriptor.

See
https://bugs.freedesktop.org/show_bug.cgi?id=8699

Please mention the CVE id in the changelog.


--- End Message ---
--- Begin Message ---
Source: libx11
Source-Version: 2:1.0.3-3

We believe that the bug you reported is fixed in the latest version of
libx11, which is due to be installed in the Debian FTP archive:

libx11-6-dbg_1.0.3-3_i386.deb
  to pool/main/libx/libx11/libx11-6-dbg_1.0.3-3_i386.deb
libx11-6_1.0.3-3_i386.deb
  to pool/main/libx/libx11/libx11-6_1.0.3-3_i386.deb
libx11-data_1.0.3-3_all.deb
  to pool/main/libx/libx11/libx11-data_1.0.3-3_all.deb
libx11-dev_1.0.3-3_i386.deb
  to pool/main/libx/libx11/libx11-dev_1.0.3-3_i386.deb
libx11_1.0.3-3.diff.gz
  to pool/main/libx/libx11/libx11_1.0.3-3.diff.gz
libx11_1.0.3-3.dsc
  to pool/main/libx/libx11/libx11_1.0.3-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 398460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Nusinow <dnusinow@debian.org> (supplier of updated libx11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 14 Nov 2006 19:56:01 -0500
Source: libx11
Binary: libx11-6-dbg libx11-data libx11-6 libx11-dev
Architecture: source i386 all
Version: 2:1.0.3-3
Distribution: unstable
Urgency: high
Maintainer: David Nusinow <dnusinow@debian.org>
Changed-By: David Nusinow <dnusinow@debian.org>
Description: 
 libx11-6   - X11 client-side library
 libx11-6-dbg - X11 client-side library (debug package)
 libx11-data - X11 client-side library
 libx11-dev - X11 client-side library (development headers)
Closes: 398460
Changes: 
 libx11 (2:1.0.3-3) unstable; urgency=high
 .
   [ Julien Cristau ]
   * Urgency high for security bugfix (CVE-2006-5397).
   * Add patch 020_CVE-2006-5397 to fix double fopen() of compose file
   (closes: #398460).  Thanks to Stefan Fritsch for the report.
Files: 
 4c4b7ddb7d028e6ba5e44bd7c5b6de7e 979 x11 optional libx11_1.0.3-3.dsc
 a25715bb1345b5168a8b8ec519ec982a 206622 x11 optional libx11_1.0.3-3.diff.gz
 5dabdfbae3cd6deb3701528a7539f093 154346 x11 optional libx11-data_1.0.3-3_all.deb
 fbe06b5e75d2f817c6958c415381303f 567360 x11 optional libx11-6_1.0.3-3_i386.deb
 599bf6758ddbad2fb0040ff05c7ab369 2450656 x11 extra libx11-6-dbg_1.0.3-3_i386.deb
 61b3edf190aefe3bbf6bb5ebbab2110d 1268248 x11 optional libx11-dev_1.0.3-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFWm4TyLfpNdY0ad8RAqZbAJ4xE8B8aEhRqSaoNWpAcMCZ/wRwtwCggaLP
juJMubQbmoWseFNkw5Ic+AQ=
=0SrW
-----END PGP SIGNATURE-----


--- End Message ---
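The bug report and the changelog entry above both describe a double `fopen()` of the compose file. The following C sketch is an added example, not libX11 code and not the Debian patch: it shows that pattern beside a corrected form, plus a descriptor-count check that can serve as a regression test. The function names are hypothetical and `/dev/null` is a constructed stand-in for the compose file.

```c
/* Added illustration with hypothetical names; not libX11 source. */
#include <fcntl.h>
#include <stdio.h>

/* Count descriptors currently open in this process. */
static int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Buggy shape: the second fopen() overwrites fp, so the first stream
 * and its descriptor can never be closed by this code. */
static int load_compose_leaky(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    fp = fopen(path, "r");      /* duplicate open: first FILE* is lost */
    if (fp == NULL)
        return -1;
    fclose(fp);                 /* closes only the second stream */
    return 0;
}

/* Corrected shape: one open, one close. */
static int load_compose_fixed(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    fclose(fp);
    return 0;
}

/* Regression check: descriptors left open by one call to loader. */
static int fds_leaked_by(int (*loader)(const char *), const char *path)
{
    int before = count_open_fds();
    return loader(path) != 0 ? -1 : count_open_fds() - before;
}

int main(void)
{
    const char *path = "/dev/null";   /* constructed stand-in file */
    printf("leaky=%d fixed=%d\n", fds_leaked_by(load_compose_leaky, path),
           fds_leaked_by(load_compose_fixed, path));
    return 0;
}
```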
