Subject: Re: CVS commit: xsrc/xc
To: None <firstname.lastname@example.org>
From: Matthias Scheler <email@example.com>
Date: 09/07/2002 13:07:00
In article <20020907104212.52CFC4B22@coconut.itojun.org>,
> where could i find that statement?
It was in my commit message:
Fix security problem in the i18n module code for Xlib that was integrated
in XFree86 4.2.0 causing a vulnerability in setuid clients. For XFree86
only xterm is concerned. XFree86 versions before 4.2.0 are not vulnerable.
The patches were provided by Matthieu Herrb of the XFree86 project.
I don't know one yet. The CERT number is VU#901307, you might find
that information in the near future there.
> as far as i checked they use the same codepath therefore not fixing
> 3.3 seems to be a wrong thing.
The vulnerability was in "xsrc/xc/lib/X11/XlcDL.c" which doesn't exist
in the XFree86 3.3.6 source tree. Your change will prevent setuid
binaries from loading locale data files from user supplied directories
which is probably a good thing but not required to fix any known
Matthias Scheler http://scheler.de/~matthias/