Re: OT: Thoe's x commit and homeland security audit

2006-05-03 Thread Jonathan Glaschke
On Tue, May 02, 2006 at 09:39:38PM -0400, Steve Shockley wrote:
 Ste Jones wrote:
 7 days before the official patch

 7 weeks.
7 days, watch here:

Theo's patch
+++ 2006/03/10 17:29:51 1.14

Xorg's patch
+++ 2006-03-17 23:29:35.0 +0200


--
 | /\   ASCII Ribbon   | Jonathan Glaschke - Lorenz-Goertz-Straße 71,
 | \ / Campaign Against | 41238 Moenchengladbach, Germany;
 |  XHTML In Mail   | jabber: [EMAIL PROTECTED]
 | / \ And News | http://jonathan-glaschke.de/




Re: OT: Thoe's x commit and homeland security audit

2006-05-03 Thread Constantine A. Murenin

On 03/05/06, Ste Jones [EMAIL PROTECTED] wrote:

Is Theo the automated code scanner mentioned here?
http://news.yahoo.com/s/zd/20060502/tc_zd/177195

In reference to this commit
http://www.openbsd.org/cgi-bin/cvsweb/XF4/xc/programs/Xserver/hw/xfree86/common/xf86Init.c.diff?r1=1.13r2=1.14

7 days before the official patch
http://xorg.freedesktop.org/releases/X11R6.9.0/patches/x11r6.9.0-geteuid.diff

Just curious


I think Theo's comment also deserves some attention:


proper geteuid calls because suse hires people who mistype things


The article doesn't really mention this, but it looks like it's not
one of the original X bugs, but the one that was added in X.Org 6.9.0
by, according to Theo, SuSE. I.e. it could not have been discovered
two years ago, because it didn't exist at that time. :)

One other good conclusion is that no OpenBSD -RELEASEs were ever
affected by this bug. :)

Constantine.



Re: OT: Thoe's x commit and homeland security audit

2006-05-03 Thread Constantine A. Murenin

On 03/05/06, Constantine A. Murenin [EMAIL PROTECTED] wrote:

On 03/05/06, Ste Jones [EMAIL PROTECTED] wrote:
 Is Theo the automated code scanner mentioned here?
 http://news.yahoo.com/s/zd/20060502/tc_zd/177195

 In reference to this commit
 http://www.openbsd.org/cgi-bin/cvsweb/XF4/xc/programs/Xserver/hw/xfree86/common/xf86Init.c.diff?r1=1.13r2=1.14

 7 days before the official patch
 http://xorg.freedesktop.org/releases/X11R6.9.0/patches/x11r6.9.0-geteuid.diff

 Just curious

I think Theo's comment also deserves some attention:

 proper geteuid calls because suse hires people who mistype things

The article doesn't really mention this, but it looks like it's not
one of the original X bugs, but the one that was added in X.Org 6.9.0
by, according to Theo, SuSE. I.e. it could not have been discovered
two years ago, because it didn't exist at that time. :)

One other good conclusion is that no OpenBSD -RELEASEs were ever
affected by this bug. :)


That is to say, the article is rather misleading -- it even mentions
OS X, but OS X includes xfree86 4.4
(http://www.apple.com/macosx/features/x11/), which doesn't have this
bug.

I.e. only a very limited number of actual non-linux installations
would be affected.

Nothing to worry about here, but it'll be fun to know how it actually was
discovered. :)
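Added illustration, not code from this thread, from X.Org or from OpenBSD: the mistype Theo's commit message alludes to was `geteuid != 0` written in place of `geteuid() != 0` in xf86Init.c, which is what the x11r6.9.0-geteuid.diff patch linked above corrects. Both forms are modelled below with a function pointer and constructed uid values so the outcome does not depend on who runs the program; the function and variable names are my own.

```c
/* Models the mistyped privilege check from X.Org 6.9.0's xf86Init.c next to
 * the corrected one. The intended rule: options that are unsafe in a
 * setuid-root server are allowed only if the real user is root, or if the
 * process is not running with an effective uid of 0 at all. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef uid_t (*euid_fn)(void);

/* Constructed stand-ins for geteuid(): a setuid-root server (euid 0) and a
 * server that is not privileged (euid 1000). */
static uid_t euid_is_root(void) { return 0; }
static uid_t euid_is_user(void) { return 1000; }

/* Mistyped form: `effective != 0` compares the function's address, not the
 * uid it would return. A non-null pointer makes the condition always true,
 * so the check is silently bypassed for every caller. */
static bool unsafe_options_allowed_buggy(uid_t real_uid, euid_fn effective)
{
    return real_uid == 0 || effective != 0;
}

/* Corrected form, as in the x11r6.9.0-geteuid.diff fix: call the function. */
static bool unsafe_options_allowed_fixed(uid_t real_uid, euid_fn effective)
{
    return real_uid == 0 || effective() != 0;
}

int main(void)
{
    /* Unprivileged user (uid 1000) running a setuid-root server (euid 0). */
    printf("buggy, uid 1000 / euid 0: %d\n", unsafe_options_allowed_buggy(1000, euid_is_root)); /* 1 */
    printf("fixed, uid 1000 / euid 0: %d\n", unsafe_options_allowed_fixed(1000, euid_is_root)); /* 0 */
    /* Same user, server not setuid: the fixed check correctly allows it. */
    printf("fixed, uid 1000 / euid 1000: %d\n", unsafe_options_allowed_fixed(1000, euid_is_user)); /* 1 */
    /* On the real source (a named function rather than a pointer variable),
     * gcc -Wall reports "the address of 'geteuid' will always evaluate as
     * 'true'", which is how a compiler warning or a static analyser catches
     * this class of typo before it ships. */
    return 0;
}
```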



Re: OT: Thoe's x commit and homeland security audit

2006-05-03 Thread Ted Unangst

On 5/3/06, Constantine A. Murenin [EMAIL PROTECTED] wrote:

Nothing to worry about here, but it'll be fun to know how it actually was
discovered. :)


http://blogs.sun.com/roller/page/alanc?entry=security_hole_in_xorg_6



Re: OT: Thoe's x commit and homeland security audit

2006-05-02 Thread Steve Shockley

Ste Jones wrote:

7 days before the official patch


7 weeks.