In his role at X.org in the security team, Matthieu says he became aware
of this bug on the 11th.

He did not tell any of us at OpenBSD.

We were made aware a bit more than 1 hour before public information went
out.

We were in the midst of an early OpenBSD release.  If we had known, the
OpenBSD 6.4 release could have been held back a week or two, till today.
It would have been easy.

Or even easier, we could have made a late decision to disable legacy
drivers and lost the setuid bit.  Which will probably happen in a commit
later today.

But we were not made aware, therefore OpenBSD 6.4 is also affected.

As yet we don't have answers about why our X maintainer (on the X
security team) and his team provided information to other projects (some
who don't even ship with this new X server) but chose to not give us a
heads-up which could have saved all the new 6.4 users a lot of grief.

I don't understand how it happened.

From my point of view we all share a goal of getting fixes and
preventative methods out to the community as fast as possible.  Here an
artificial delay was created which left a trivial vulnerability *known
to the upstream* on everyone's machine, in an operating system with
a *well known and published release cycle*.

I feel an abdication of the duty of care occurred here.

That is the first localhost root hole in quite a long time.
