pkgsrc-Changes archive


CVS commit: pkgsrc/x11/modular-xorg-server



Module Name:    pkgsrc
Committed By:   is
Date:           Sat Dec 15 09:26:07 UTC 2012

Modified Files:
        pkgsrc/x11/modular-xorg-server: Makefile distinfo
Added Files:
        pkgsrc/x11/modular-xorg-server/patches: patch-os_utils.c

Log Message:
Fix CVE-2011-4028: File disclosure vulnerability.
Use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it points to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb%laas.fr@localhost>
Reviewed-by: Alan Coopersmith <alan.coopersmith%oracle.com@localhost>

Fix CVE-2011-4029: File permission change vulnerability.
Use fchmod() to change permissions of the lock file instead of
chmod(), thus avoid the race that can be exploited to set a symbolic
link to any file or directory in the system.
Signed-off-by: Matthieu Herrb <matthieu.herrb%laas.fr@localhost>
Reviewed-by: Alan Coopersmith <alan.coopersmith%oracle.com@localhost>


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 pkgsrc/x11/modular-xorg-server/Makefile
cvs rdiff -u -r1.46 -r1.47 pkgsrc/x11/modular-xorg-server/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/x11/modular-xorg-server/patches/patch-os_utils.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
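
The two hardening patterns named in the log message, as an added C example (not the contents of patch-os_utils.c and not X.Org code): an existing lock file is opened with O_NOFOLLOW, and the mode is set with fchmod() on the descriptor rather than chmod() on the path. The function names, the file names and the temporary directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* CVE-2011-4028 pattern: read an existing lock file, refusing symlinks. */
int read_lock_nofollow(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* fails if path is a symlink */
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n < 0 ? -1 : 0;
}

/* CVE-2011-4029 pattern: fchmod() the descriptor we opened, not chmod(path). */
int create_lock(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, s, strlen(s)) == (ssize_t)strlen(s) && fchmod(fd, 0444) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario in a fresh temp dir; returns 0 if every check holds. */
int selftest(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], lnk[64], buf[32];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    strcat(strcpy(lock, dir), "/demo.lock");   /* hypothetical lock file name */
    strcat(strcpy(lnk, dir), "/demo.link");    /* symlink pointing at it */
    int bad = create_lock(lock, "1234\n") != 0 || stat(lock, &st) != 0
           || (st.st_mode & 0777) != 0444                      /* fchmod applied */
           || read_lock_nofollow(lock, buf, sizeof buf) != 0   /* regular file OK */
           || symlink(lock, lnk) != 0
           || read_lock_nofollow(lnk, buf, sizeof buf) == 0;   /* symlink refused */
    unlink(lnk); unlink(lock); rmdir(dir);
    return bad ? -1 : 0;
}

int main(void) { return selftest() == 0 ? 0 : 1; }
```

Because fchmod() acts on the inode the process already holds open, replacing the path with a symbolic link after open() returns has no effect on which file gets its mode changed.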



