Subject: Re: CVS commit: xsrc/xc
To: None <tech-x11@netbsd.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-x11
Date: 09/07/2002 13:07:00
In article <20020907104212.52CFC4B22@coconut.itojun.org>,
itojun@iijlab.net writes:
> where could i find that statement?
It was in my commit message:
Fix security problem in the i18n module code for Xlib that was integrated
in XFree86 4.2.0 causing a vulnerability in setuid clients. For XFree86
only xterm is concerned. XFree86 versions before 4.2.0 are not vulnerable.
The patches were provided by Matthieu Herrb of the XFree86 project.
> URL?
I don't know one yet. The CERT number is VU#901307; you might find
that information there in the near future.
> as far as i checked they use the same codepath therefore not fixing
> 3.3 seems to be a wrong thing.
The vulnerability was in "xsrc/xc/lib/X11/XlcDL.c", which doesn't exist
in the XFree86 3.3.6 source tree. Your change will prevent setuid
binaries from loading locale data files from user-supplied directories,
which is probably a good thing but not required to fix any known
problems.
Kind regards
--
Matthias Scheler http://scheler.de/~matthias/