Subject: Re: X font library vulnerability vs. pkgsrc
To: Charles M. Hannum <abuse@spamalicious.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 10/10/2003 13:39:51
In message <200310092047.50584.abuse@spamalicious.com>, "Charles M. Hannum" writes:
>On Thursday 09 October 2003 08:38 pm, Steve Bellovin wrote:
>> It isn't clear to me from the vulnerability notice just how much needs
>> to be rebuilt. Just some shared libraries? Executables, too? If the
>> latter, what about pkgsrc applications that use X?
>
>Prior to -current as of several days ago, libFS was only a static library, so
>you'd need to rebuild anything that uses it (including the X server, I
>think).
>
I followed the instructions in the advisory for rebuilding X. I'm
concerned that they're not sufficient.
Apart from the pkgsrc issue -- I built a wearisomely long list of
packages I'll have to rebuild -- I found a number of programs that
seem to have come from xsrc but weren't rebuilt. Some of these may be
dregs from a previous version of X, but they're still in the source
tree. A few of them are font-related, so they're especially worrisome
after that advisory:
/usr/X11R6/bin/SuperProbe
/usr/X11R6/bin/bdftruncate.pl
/usr/X11R6/bin/fsinfo
/usr/X11R6/bin/ucs2any.pl
/usr/X11R6/bin/xftcache
/usr/X11R6/bin/xftlsfonts
/usr/X11R6/bin/xieperf
Should some of these be deleted? SuperProbe would seem to be in that
category, and the modification date on fsinfo is even older. (This
shouldn't be confused with /usr/sbin/fsinfo...)
(And of course, there are X applications in /usr/pkg/bin, so I have to
look more at that...)
--Steve Bellovin, http://www.research.att.com/~smb
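The audit Steve describes (spotting programs a rebuild did not touch, and asking whether they carry their own copy of libFS) can be scripted. The following is an added example, not code from the thread or from NetBSD; it assumes POSIX sh, find(1) with -newer and numeric -perm, and ldd(1), and that a marker file was touched just before the rebuild started.

```shell
#!/bin/sh
# Added example (not part of the original message). Lists executables under a
# directory whose mtime is not newer than a marker file written before the
# rebuild, i.e. candidates the rebuild missed, and notes whether each resolves
# libFS as a shared object. A stale binary that does not pick up libFS
# dynamically may carry a static copy and needs to be rebuilt itself.

# stale_executables DIR REF: print executables under DIR whose mtime is not
# newer than REF, sorted, one path per line. -perm -100 = owner execute bit.
stale_executables() {
    find "$1" -type f -perm -100 ! -newer "$2" | sort
}

# shared_lib_state FILE LIBNAME: echo "shared" if ldd lists LIBNAME for FILE,
# otherwise "none" (static copy, unrelated program, or not a dynamic binary).
shared_lib_state() {
    if ldd "$1" 2>/dev/null | grep -q "$2"; then
        echo shared
    else
        echo none
    fi
}

# stale_report DIR REF LIBNAME: one line per stale executable,
# "<path> <shared|none>", for the follow-up rebuild list.
stale_report() {
    stale_executables "$1" "$2" | while IFS= read -r path; do
        printf '%s %s\n' "$path" "$(shared_lib_state "$path" "$3")"
    done
}

# Usage (marker path is a placeholder): touch /var/tmp/x-rebuild-marker
# before rebuilding, then after the rebuild run
#   stale_report /usr/X11R6/bin /var/tmp/x-rebuild-marker libFS
# and repeat for /usr/pkg/bin to cover the pkgsrc side.
```

Entries reported as "none" with an old mtime are the ones to either rebuild or, as with SuperProbe, decide to delete.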