Debian Security: another Xorg update

------------------------------------------------------------------------
Debian Security Advisory DSA-1466-2                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
January 19, 2008                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : xorg-server, libxfont, xfree86
Vulnerability : several
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006

The X.org fix for CVE-2007-6429 introduced a regression in the MIT-SHM
extension, which prevented the start of a few applications. This update
fixes this problem and also references the patch for CVE-2008-0006,
which was included in the previous update, but not mentioned in the
advisory text.

Several local vulnerabilities have been discovered in the X.Org X
server. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-5760

"regenrecht" discovered that missing input sanitising within
the XFree86-Misc extension may lead to local privilege escalation.

CVE-2007-5958

It was discovered that error messages of security policy file
handling may lead to a minor information leak disclosing the
existence of files otherwise inaccessible to the user.

CVE-2007-6427

"regenrecht" discovered that missing input sanitising within
the XInput-Misc extension may lead to local privilege escalation.

CVE-2007-6428

"regenrecht" discovered that missing input sanitising within
the TOG-CUP extension may lead to disclosure of memory contents.

CVE-2007-6429

"regenrecht" discovered that integer overflows in the EVI
and MIT-SHM extensions may lead to local privilege escalation.

CVE-2008-0006

It was discovered that insufficient validation of PCF fonts could lead
to local privilege escalation.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.4.1~git20080118-1 of xorg-server and version 1:1.3.1-2
of libxfont.

For the stable distribution (etch), this problem has been fixed in
version 1.1.1-21etch3 of xorg-server and 1.2.2-2.etch1 of libxfont.

For the oldstable distribution (etch), this problem has been fixed in
version 4.3.0.dfsg.1-14sarge6 of xfree86.

We recommend that you upgrade your libxfont and xorg-server packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

...

http://lists.debian.org/debian-security-announce/debian-security-announ…

Comments

KDE was updated too...

A small curiosity: the screen-locking command that, as far as I can tell, was in pretty much universal use until now (

kdesktop_lock --forcelock

) has practically been changed to deprecated. It now automatically tries to give a DCOP return value, which of course won't work out if it isn't invoked via DCOP.

And of course the nice little DCOP -- QT error messages also show up in xsession.

It's surely just me getting stuck on this, and it's in every manual, or totally self-evident, and whatever, that instead the

dcop kdesktop KScreensaverIface lock

command is what should be used from now on.

---------

The bun isn't small, your mouths are big...

but a new rev also came out and libc was updated too ..

debian gnu/linux 4.0r3

if that's what you mean, then yes ... I hadn't noticed until now, since I didn't lock the desktop this way ...


oliver@pancs:~$ kdesktop
kdesktop       kdesktop_lock
oliver@pancs:~$ kdesktop_lock
X Error: BadAccess (attempt to access private resource denied) 10
  Major opcode:  2
  Minor opcode:  0
  Resource id:  0x60000c
oliver@pancs:~$ kdesktop_lock  --forcelock
X Error: BadAccess (attempt to access private resource denied) 10
  Major opcode:  2
  Minor opcode:  0
  Resource id:  0x60000c
WARNING: DCOPReply<>: cast to 'QStringList' error
WARNING: DCOPReply<>: cast to 'QString' error

linux v2.6.22.15 + madwifi v0.9.3.3 here
debian gnu/linux @ linux-2.6.22.18-opt2