debian/changelog | 13 +++++++++++++ debian/patches/508_CVE-2011-4028.patch | 15 +++++++++++++++ debian/patches/509_CVE-2011-4029.patch | 15 +++++++++++++++ debian/patches/series | 2 ++ 4 files changed, 45 insertions(+)
New commits: commit 81c266120481dfdd067dbaebc25c47fde45ec4dc Author: Chase Douglas <chase.doug...@ubuntu.com> Date: Tue Oct 18 17:30:28 2011 -0700 Sync with oneiric security update * SECURITY UPDATE: file existence disclosure - debian/patches/508_CVE-2011-4028.patch: open lockfile with O_NOFOLLOW in os/utils.c. - CVE-2011-4028 * SECURITY UPDATE: privilege escalation via file permission change - debian/patches/509_CVE-2011-4029.patch: use fchmod to prevent race in os/utils.c. - CVE-2011-4029 diff --git a/debian/changelog b/debian/changelog index f93edc6..6de56a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +xorg-server (2:1.10.4-1ubuntu4.1) oneiric-security; urgency=low + + * SECURITY UPDATE: file existence disclosure + - debian/patches/508_CVE-2011-4028.patch: open lockfile with O_NOFOLLOW + in os/utils.c. + - CVE-2011-4028 + * SECURITY UPDATE: privilege escalation via file permission change + - debian/patches/509_CVE-2011-4029.patch: use fchmod to prevent race + in os/utils.c. + - CVE-2011-4029 + + -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Thu, 13 Oct 2011 10:55:35 -0400 + xorg-server (2:1.10.4-1ubuntu4) oneiric; urgency=low * Send touch ownership event for subsequent touch grabs (LP: #861906) diff --git a/debian/patches/508_CVE-2011-4028.patch b/debian/patches/508_CVE-2011-4028.patch new file mode 100644 index 0000000..851fbaa --- /dev/null +++ b/debian/patches/508_CVE-2011-4028.patch @@ -0,0 +1,15 @@ +Description: fix file existence disclosure +Author: Matthieu Herrb <matth...@herrb.eu> + +diff -Nur xorg-server-1.10.4/os/utils.c xorg-server-1.10.4.new/os/utils.c +--- xorg-server-1.10.4/os/utils.c 2011-10-13 10:54:12.296825952 -0400 ++++ xorg-server-1.10.4.new/os/utils.c 2011-10-13 10:54:38.948826635 -0400 +@@ -330,7 +330,7 @@ + /* + * Read the pid from the existing file + */ +- lfd = open(LockFile, O_RDONLY); ++ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); + if (lfd < 0) { + unlink(tmp); + FatalError("Can't read lock file %s\n", LockFile); diff --git a/debian/patches/509_CVE-2011-4029.patch b/debian/patches/509_CVE-2011-4029.patch new file mode 100644 index 0000000..2c9368a --- /dev/null +++ b/debian/patches/509_CVE-2011-4029.patch @@ -0,0 +1,15 @@ +Description: fix privilege escalation via file permission change +Author: Matthieu Herrb <matth...@herrb.eu> + +diff -Nur xorg-server-1.10.4/os/utils.c xorg-server-1.10.4.new/os/utils.c +--- xorg-server-1.10.4/os/utils.c 2011-10-13 10:54:49.808826913 -0400 ++++ xorg-server-1.10.4.new/os/utils.c 2011-10-13 10:55:10.448827440 -0400 +@@ -309,7 +309,7 @@ + FatalError("Could not create lock file in %s\n", tmp); + (void) sprintf(pid_str, "%10ld\n", (long)getpid()); + (void) write(lfd, pid_str, 11); +- (void) chmod(tmp, 0444); ++ (void) fchmod(lfd, 0444); + (void) close(lfd); + + /* diff --git a/debian/patches/series b/debian/patches/series index 4de3891..e7044e5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -40,3 +40,5 @@ 505_Xi_ensure_replayed_touch_events_have_devices.patch 506_Xi_ensure_touch_events_update_currentTime.patch 507_touch_grab_reject_send_ownership.patch +508_CVE-2011-4028.patch +509_CVE-2011-4029.patch -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1rgkdb-0005hw...@vasks.debian.org