On Sat, Oct 29, 2011 at 2:58 PM, Julien Cristau wrote: > On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote: > >> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote: >> > +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c >> > +Author: Matthieu Herrb <matthieu.he...@laas.fr> >> > +Date: Mon Oct 17 22:27:35 2011 +0200 >> > + >> > + Fix CVE-2011-4029: File permission change vulnerability. >> > + >> > + Use fchmod() to change permissions of the lock file instead >> > + of chmod(), thus avoid the race that can be exploited to set >> > + a symbolic link to any file or directory in the system. >> >> I wonder if at least this one should be treated with a real urgency? >> On the surface its an info disclosure issue, which tend to be very low >> urgency, but it's a pretty bad once since its actually a disclosure of >> any file on the system (e.g. /etc/shadown), and there is an existing >> poc exploit: >> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt >> > Moritz said "use p-u", I'm not going to second-guess him.
This was before the real impact of the issue was clear (I believe), and definitely before the exploit code existed. Personally, I think this needs to get out to squeeze users ASAP. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANTw=MM8T-UHFtfB9v_Oo+RG=KisGRXM=4rmczsownh_htk...@mail.gmail.com