Subject: [Security Fix] Xorg Local privilege escalation
To: None <current-users@NetBSD.org>
From: Adrian Portelli <adrianp@NetBSD.org>
List: current-users
Date: 03/28/2006 23:19:31
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On the 15th of March 2006, Xorg 7.0 modular was imported into xsrc/. On
the 20th of March 2006, the NetBSD Security Officer team became aware of
a security issue in the version imported into xsrc.

The original advisory for this issue can be found at:

  http://lists.freedesktop.org/archives/xorg/2006-March/013992.html

The relevant CVE entry is CVE-2006-0745.

This vulnerability does not exist in the NetBSD 1.x, 2.x, or 3.x code
bases. However, NetBSD-current was found to be vulnerable to this issue.

This issue was fixed in the NetBSD CVS tree on the 23rd of March 2006.
Users currently running NetBSD-current are advised to update the
following directory:

	xsrc/xorg/xserver/xorg

This will update the Xorg server to release 1.0.2, which resolves the
known security issue.

To update from CVS:
	
	# cd xsrc
	# cvs update -d -P xorg/xserver/xorg

Thanks To
=========

Michael Lorenz for the fixes in NetBSD-current.


On behalf of security-officer@,

adrian.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEKbZpLc2rR0mnFJ8RAvNJAKD4tdSDKgp7Ff2V0VaT5D1z3KQv5ACgispS
xHuNvGKjsJ+D5D+ZZ96ZN0Y=
=LGzc
-----END PGP SIGNATURE-----