Overview

Request 89751 accepted

Fixes for two vulnerabilities in X server announced in

http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html

CVE-2011-4028: File disclosure vulnerability:
It is possible to deduce if a file exists or not by exploiting the
way that Xorg creates its lock files.
This is caused by the fact that the X server is behaving differently
if the lock file already exists as a symbolic link pointing to an
existing or non-existing file.

CVE-2011-4029: File permission change vulnerability:
It is possible for a non-root user to set the permissions for
all users on any file or directory to 444, giving unwanted read
access or causing denials of service (by removing execute permission).
This is caused by a race between creating the lock file and setting
its access modes.

Removed unused patches 165-167 to make "osc commit" stop complaining.

Request History

mkubecek created request



lijews accepted request

ok, thanks
