cvs commit: ports/x11/linux-XFree86-libs Makefile distinfo.i386

Oliver Eikemeier eikemeier at fillmore-labs.com
Thu Mar 11 13:30:48 PST 2004


Jacques A. Vidrine wrote:

> On Sat, Mar 06, 2004 at 04:17:23PM -0500, Trevor Johnson wrote:
> 
>>Dag-Erling Smørgrav wrote:
>>
>>
>>>Trevor Johnson <trevor at FreeBSD.org> writes:
>>>
>>>>  Log:
>>>>  Update to version 4.3.0-2.90.55 due to several security bugs
>>>>  (discovered by iDefense and David Dawes) in the parsing of font
>>>>  files and the font.alias file which can give root privileges to
>>>>  local users.  [...]
>>>
>>>This is pointless as the bug in question only affects the server.
>>
>>I hadn't noticed that--when I glanced at
>><URL:ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff>, which
>>addresses these bugs, it looked like the problem was in the X libraries,
>>not the server.
> 
> [...]
> 
> The bugs *are* in a library (libXfont), but one could only exploit them
> for privilege escalation in the server (which has libXfont compiled
> internally).
> 
> I added linux-XFree86-libs to the VuXML entry describing this
> vulnerability
> (http://www.vuxml.org/freebsd/3837f462-5d6b-11d8-80e3-0020ed76ef5a.html)
> without thinking too much.  Should I remove it?

Just a reminder: This port is still listed in the FreeBSD VuXML database.
Please take the appropriate action.

Thanks
    Oliver


More information about the cvs-ports mailing list