
xorg-server: Changes to 'debian-unstable'



 debian/changelog      |    8 ++++++++
 debian/local/xvfb-run |   13 +++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)

New commits:
commit ab5b900197966c25becdf9ad62861643749e01be
Author: Julien Cristau <jcristau@debian.org>
Date:   Thu May 14 21:14:16 2009 +0200

    xvfb-run: use mktemp to create the temporary directory.

diff --git a/debian/changelog b/debian/changelog
index 60b1dd8..7c2b114 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ xorg-server (2:1.6.1.901-3) UNRELEASED; urgency=low
 
   * xvfb-run: don't pass the magic cookie to xauth on the command line
     (CVE-2009-1573).  Thanks, Loïc Minier!
+  * xvfb-run: use mktemp to create the temporary directory.
 
  -- Julien Cristau <jcristau@debian.org>  Thu, 14 May 2009 21:05:26 +0200
 
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index b11130a..4c2f4e0 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -147,12 +147,8 @@ trap clean_up EXIT
 # If the user did not specify an X authorization file to use, set up a temporary
 # directory to house one.
 if [ -z "$AUTHFILE" ]; then
-    XVFB_RUN_TMPDIR="${TMPDIR:-/tmp}/$PROGNAME.$$"
-    if ! mkdir -p -m 700 "$XVFB_RUN_TMPDIR"; then
-        error "temporary directory $XVFB_RUN_TMPDIR already exists"
-        exit 4
-    fi
-    AUTHFILE=$(tempfile -n "$XVFB_RUN_TMPDIR/Xauthority")
+    XVFB_RUN_TMPDIR="$(mktemp -d -t $PROGNAME.XXXXXX)"
+    AUTHFILE="$XVFB_RUN_TMPDIR/Xauthority"
 fi
 
 # Start Xvfb.
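Review bot: The result of `mktemp -d` on the new `XVFB_RUN_TMPDIR=` line is not checked, whereas the code it replaces reported an error and exited with status 4 when the directory could not be set up. Unless the script runs under `set -e` (not visible in this hunk), a failed mktemp leaves XVFB_RUN_TMPDIR empty, AUTHFILE becomes `/Xauthority`, and the script carries on to write the cookie there. I would write `XVFB_RUN_TMPDIR="$(mktemp -d -t "$PROGNAME.XXXXXX")" || { error "cannot create temporary directory"; exit 4; }`, which also quotes `$PROGNAME` inside the substitution. The script continues outside the hunk, so whether clean_up copes with an empty XVFB_RUN_TMPDIR cannot be checked from here.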

commit ecf09e571198ee16256a5efd1c23fd286a4f2249
Author: Julien Cristau <jcristau@debian.org>
Date:   Thu May 14 21:08:21 2009 +0200

    xvfb-run: don't pass the magic cookie to xauth on the command line
    
    Use xauth source to pass the cookie via stdin.
    This addresses CVE-2009-1573.  Thanks, Loïc Minier!

diff --git a/debian/changelog b/debian/changelog
index 8a2d6f3..60b1dd8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.6.1.901-3) UNRELEASED; urgency=low
+
+  * xvfb-run: don't pass the magic cookie to xauth on the command line
+    (CVE-2009-1573).  Thanks, Loïc Minier!
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 14 May 2009 21:05:26 +0200
+
 xorg-server (2:1.6.1.901-2) unstable; urgency=low
 
   * Merge from upstream server-1.6-branch (commit a9f85dce).
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
 
 # Start Xvfb.
 MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
-  >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
 XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
   2>&1 &
 XVFBPID=$!
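Review bot: The new `xauth source -` here-document under "# Start Xvfb." has no comment saying why the cookie goes over stdin, so a later tidy-up could fold it back into a one-line `xauth add` with the cookie in argv, where other local users can read it from the process list. I would add above it `# Pass the cookie on stdin, not argv: command lines are visible to other users via ps (CVE-2009-1573).` Because the `EOF` delimiter is unquoted, `$SERVERNUM` and `$XAUTHPROTO` are expanded into the xauth command text without the quoting the old argv form had. If either can come from a caller-supplied option (their assignment is outside this hunk), validating them before this point would keep a stray space or newline from changing what xauth parses.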

