On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote: > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c > +Author: Matthieu Herrb <matthieu.he...@laas.fr> > +Date: Mon Oct 17 22:27:35 2011 +0200 > + > + Fix CVE-2011-4029: File permission change vulnerability. > + > + Use fchmod() to change permissions of the lock file instead > + of chmod(), thus avoid the race that can be exploited to set > + a symbolic link to any file or directory in the system.
I wonder if at least this one should be treated with a real urgency? On the surface its an info disclosure issue, which tend to be very low urgency, but it's a pretty bad once since its actually a disclosure of any file on the system (e.g. /etc/shadown), and there is an existing poc exploit: http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt Best wishes, Mike -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANTw=mnix_bkhmu7gyq+qtzhakzkq0xc46jlbmg2bfhrkqo...@mail.gmail.com