Subject: Re: X font library vulnerability vs. pkgsrc
To: Charles M. Hannum <abuse@spamalicious.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 10/10/2003 13:39:51
In message <200310092047.50584.abuse@spamalicious.com>, "Charles M. Hannum" writes:
>On Thursday 09 October 2003 08:38 pm, Steve Bellovin wrote:
>> It isn't clear to me from the vulnerability notice just how much needs
>> to be rebuilt.  Just some shared libraries?  Executables, too?  If the
>> latter, what about pkgsrc applications that use X?
>
>Prior to -current as of several days ago, libFS was only a static library, so 
>you'd need to rebuild anything that uses it (including the X server, I 
>think).
>

I followed the instructions in the advisory for rebuilding X.  I'm 
concerned that they're not sufficient.

Apart from the pkgsrc issue -- I built a wearisomely long list of 
packages I'll have to rebuild -- I found a number of programs that 
seem to have come from xsrc but weren't rebuilt.  Some of these may be 
dregs from a previous version of X, but they're still in the source 
tree.  A few of them are font-related, so they're especially worrisome 
after that advisory:

/usr/X11R6/bin/SuperProbe
/usr/X11R6/bin/bdftruncate.pl
/usr/X11R6/bin/fsinfo
/usr/X11R6/bin/ucs2any.pl
/usr/X11R6/bin/xftcache
/usr/X11R6/bin/xftlsfonts
/usr/X11R6/bin/xieperf

Should some of these be deleted?  SuperProbe would seem to be in that 
category, and the modification date on fsinfo is even older.  (This 
shouldn't be confused with /usr/sbin/fsinfo...)

(And of course, there are X applications in /usr/pkg/bin, so I have to 
look more at that...)


		--Steve Bellovin, http://www.research.att.com/~smb
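The check Steve describes, finding installed programs that predate the rebuild and so may still carry the old statically linked libFS code, can be scripted. The following is an added example, not code from the thread or from NetBSD/xsrc; it takes a directory and a reference file (for instance a freshly rebuilt binary or a marker file touched when the rebuild started) and lists every regular file whose modification time is not newer than that reference. The directory and reference names are the caller's choice; nothing here is specific to X.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# After a static library is patched, every program linked against it must
# be relinked.  A binary whose mtime predates the rebuild is therefore a
# candidate for review: either it was missed, or it is a leftover from an
# older release and should be removed.  mtime is a heuristic, not proof;
# use it to build the review list, then confirm against the build logs.

# stale_binaries DIR REF
#   Print, sorted, every regular file under DIR that is not newer than REF.
stale_binaries() {
    dir=$1
    ref=$2
    [ -d "$dir" ] || { echo "stale_binaries: no such directory: $dir" >&2; return 1; }
    [ -e "$ref" ] || { echo "stale_binaries: no such reference file: $ref" >&2; return 1; }
    # "! -newer REF" keeps files whose mtime is older than or equal to REF's.
    find "$dir" -type f ! -newer "$ref" | sort
}

# stale_count DIR REF
#   Number of stale files, handy for a quick "am I done yet" check.
stale_count() {
    stale_binaries "$1" "$2" | wc -l | tr -d ' '
}

# Example invocation against the directory from the post; REF is assumed to
# be a file touched just before the rebuild started.
if [ "${1:-}" = "--run" ]; then
    stale_binaries /usr/X11R6/bin /var/tmp/xrebuild.stamp
fi
```

Run it as `sh stale.sh --run` after creating the stamp file; anything it prints that is a real program (not a script like bdftruncate.pl) deserves the same question Steve asks above: relink it, or delete it if it is a remnant of an older release.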