Subject: Re: X font library vulnerability vs. pkgsrc
To: Steven M. Bellovin <smb@research.att.com>
From: Frederick Bruckman <fredb@immanent.net>
List: netbsd-users
Date: 10/10/2003 19:22:10
On Fri, 10 Oct 2003, Steven M. Bellovin wrote:

> Apart from the pkgsrc issue -- I built a wearisomely long list of
> packages I'll have to rebuild -- I found a number of programs that
> seem to have come from xsrc but weren't rebuilt.  Some of these may be
> dregs from previous versions of X, but they're still in the source
> tree.  A few of them are font-related, so they're especially worrisome
> after that advisory:
>
> /usr/X11R6/bin/SuperProbe
> /usr/X11R6/bin/bdftruncate.pl
> /usr/X11R6/bin/fsinfo
> /usr/X11R6/bin/ucs2any.pl
> /usr/X11R6/bin/xftcache
> /usr/X11R6/bin/xftlsfonts
> /usr/X11R6/bin/xieperf
>
> Should some of these be deleted?  SuperProbe would seem to be in that
> category, and the modification date on fsinfo is even older.  (This
> shouldn't be confused with /usr/sbin/fsinfo...)

The perl scripts were recently obsoleted by C source executables.
Many of the others look to be for XFree 3.*. The exact lists of all
files distributed with NetBSD are available in the base sources, in
"src/distrib/sets/lists".

    # pwd
    /usr/src/distrib/sets/lists
    # grep xft x*/obsolete*
    xbase4/obsolete.mi:./usr/X11R6/bin/xftcache
    xbase4/obsolete.mi:./usr/X11R6/man/cat1/xftcache.0

shows that "xftcache" would be deleted by "sysinstall". Probably,
"xftlsfonts" is obsolete, too, but it wasn't judged to be dangerous,
so it didn't make the list.

Frederick
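Following up Frederick's grep, as an added example that is not from this thread: a POSIX sh check that classifies each stray path against the set lists, distinguishing obsolete (listed in an obsolete.* file) from current (listed in a regular file) from unknown (in no list, so not a file NetBSD ships at all and untouched by any rebuild of xsrc). The list directory and its entries below are constructed sample data; point it at a real src/distrib/sets/lists to use it.

```sh
#!/bin/sh
# Added example, not from the thread. Classify stray /usr/X11R6 paths against
# NetBSD's set lists (src/distrib/sets/lists). Entries there are written
# relative to / with a leading "./", e.g. "./usr/X11R6/bin/xftcache";
# newer lists append a set name after whitespace, so only field 1 is compared.

# make_sample_lists: constructed stand-in for src/distrib/sets/lists (sample
# data, not real NetBSD lists). Prints the directory it created.
make_sample_lists() {
    d=$(mktemp -d)
    mkdir -p "$d/xbase4"
    printf '%s\n' ./usr/X11R6/bin/xftcache ./usr/X11R6/man/cat1/xftcache.0 \
        > "$d/xbase4/obsolete.mi"
    printf '%s\n' ./usr/X11R6/bin/xterm ./usr/X11R6/bin/xset > "$d/xbase4/mi"
    echo "$d"
}

# classify PATH LISTDIR -> "obsolete:<list>", "current:<list>" or "unknown".
# obsolete.* lists are consulted first: a path that appears there is slated
# for removal even if an older list still carries it.
classify() {
    path=$1; lists=$2; entry=".$path"
    [ -d "$lists" ] || { echo "no such list dir: $lists" >&2; return 1; }
    hit=$(cd "$lists" && awk -v e="$entry" \
        '$1 == e { print FILENAME; exit }' */obsolete* 2>/dev/null) || :
    if [ -n "$hit" ]; then echo "obsolete:$hit"; return 0; fi
    hit=$(cd "$lists" && awk -v e="$entry" \
        'FILENAME ~ /obsolete/ { next } $1 == e { print FILENAME; exit }' \
        */* 2>/dev/null) || :
    if [ -n "$hit" ]; then echo "current:$hit"; return 0; fi
    # In no list at all: not a file NetBSD ships, so neither an upgrade nor
    # a rebuild of xsrc will ever replace or remove it.
    echo unknown
}

# report LISTDIR PATH... -> one "<path> <class>" line per path
report() {
    lists=$1; shift
    for p in "$@"; do
        echo "$p $(classify "$p" "$lists")"
    done
}

LISTS=$(make_sample_lists)
report "$LISTS" /usr/X11R6/bin/SuperProbe /usr/X11R6/bin/xftcache /usr/X11R6/bin/xterm
rm -rf "$LISTS"
```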