Subject: Re: CVS commit: xsrc/xc
To: None <>
From: Matthias Scheler <>
List: tech-x11
Date: 09/07/2002 13:07:00
In article <>, writes:
> Where could I find that statement?

It was in my commit message:

Fix security problem in the i18n module code for Xlib that was integrated
in XFree86 4.2.0 causing a vulnerability in setuid clients. For XFree86
only xterm is concerned. XFree86 versions before 4.2.0 are not vulnerable.
The patches were provided by Matthieu Herrb of the XFree86 project.

> URL?

I don't know one yet. The CERT number is VU#901307, you might find
that information in the near future there.

> As far as I checked, they use the same codepath, therefore not fixing
> 3.3 seems to be a wrong thing.

The vulnerability was in "xsrc/xc/lib/X11/XlcDL.c" which doesn't exist
in the XFree86 3.3.6 source tree. Your change will prevent setuid
binaries from loading locale data files from user supplied directories
which is probably a good thing but not required to fix any known

	Kind regards

Matthias Scheler
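
The restriction mentioned in the last paragraph of this message (setuid binaries not loading locale data files from user-supplied directories) can be sketched as follows. This is an added example, not code from the message, the XFree86 patches or the NetBSD tree. The function name, the default directory and the use of the `XLOCALEDIR` environment variable as the user-supplied source are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed compiled-in default; the real value depends on the installation. */
#define DEFAULT_LOCALE_DIR "/usr/X11R6/lib/X11/locale"

/* Nonzero when the process holds privileges its invoker does not have,
 * i.e. it was started setuid or setgid. */
static int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/*
 * Build the locale search path into out (hypothetical helper).
 * user_dirs is the untrusted, colon-separated list supplied by the user
 * (may be NULL). It is honored only when real and effective IDs match.
 * Returns 1 if user directories were honored, 0 if they were ignored,
 * -1 if the result does not fit in out.
 */
int locale_search_path(char *out, size_t outlen, const char *user_dirs,
                       uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    int honored = 0, n;

    if (user_dirs && *user_dirs && !ids_differ(ruid, euid, rgid, egid)) {
        n = snprintf(out, outlen, "%s:%s", user_dirs, DEFAULT_LOCALE_DIR);
        honored = 1;
    } else {
        n = snprintf(out, outlen, "%s", DEFAULT_LOCALE_DIR);
    }
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';   /* never hand back a truncated path */
        return -1;
    }
    return honored;
}

int main(void)
{
    char path[1024];
    int r = locale_search_path(path, sizeof path, getenv("XLOCALEDIR"),
                               getuid(), geteuid(), getgid(), getegid());
    printf("user dirs %s; search path: %s\n",
           r == 1 ? "honored" : "ignored", path);
    return 0;
}
```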