Hello community, here is the log from the commit of package xorg-x11-server for openSUSE:11.3 checked in at Thu Dec 1 12:11:02 CET 2011. -------- --- old-versions/11.3/UPDATES/all/xorg-x11-server/xorg-x11-server.changes 2011-05-30 17:29:22.000000000 +0200 +++ 11.3/xorg-x11-server/xorg-x11-server.changes 2011-11-30 15:46:23.000000000 +0100 @@ -1,0 +2,13 @@ +Wed Nov 30 14:37:17 UTC 2011 - sndirsch@suse.com + +- U_Fix-CVE-2011-4028-File-disclosure-vulnerability.patch + * use O_NOFOLLOW to open the existing lock file, so symbolic + links aren't followed, thus avoid revealing if it point to + an existing file. (bnc #722944) +- U_Fix-CVE-2011-4029-File-permission-change-vulnerabili.patch + * Use fchmod() to change permissions of the lock file instead + of chmod(), thus avoid the race that can be exploited to set + a symbolic link to any file or directory in the system. + (bnc #722944) + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- U_Fix-CVE-2011-4028-File-disclosure-vulnerability.patch U_Fix-CVE-2011-4029-File-permission-change-vulnerabili.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ --- /var/tmp/diff_new_pack.G9Tz16/_old 2011-12-01 12:10:45.000000000 +0100 +++ /var/tmp/diff_new_pack.G9Tz16/_new 2011-12-01 12:10:45.000000000 +0100 @@ -32,7 +32,7 @@ %endif Url: http://xorg.freedesktop.org/ Version: 7.5_%{dirsuffix} -Release: 10.<RELEASE13> +Release: 10.<RELEASE15> License: GPLv2+ ; MIT License (or similar) BuildRoot: %{_tmppath}/%{name}-%{version}-build Group: System/X11/Servers/XF86_4 @@ -119,6 +119,8 @@ Patch214: CVE-2010-2240-address_space_limit.patch Patch215: CVE-2010-2240-tree_depth_limit.patch Patch216: xorg-x11-server-gl-apps-crash.patch +Patch217: U_Fix-CVE-2011-4028-File-disclosure-vulnerability.patch +Patch218: U_Fix-CVE-2011-4029-File-permission-change-vulnerabili.patch %if %moblin Patch300: moblin-use_preferred_mode_for_all_outputs.diff %endif @@ -248,6 +250,8 @@ %patch214 -p1 %patch215 -p1 %patch216 -p1 +%patch217 -p1 +%patch218 -p1 %if %moblin %patch300 -p1 %endif ++++++ U_Fix-CVE-2011-4028-File-disclosure-vulnerability.patch ++++++

From 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb <matthieu.herrb@laas.fr> Date: Mon, 17 Oct 2011 22:26:12 +0200 Subject: [PATCH] Fix CVE-2011-4028: File disclosure vulnerability.

use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- os/utils.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/os/utils.c b/os/utils.c index e8ecb71..fe49254 100644 --- a/os/utils.c +++ b/os/utils.c @@ -318,7 +318,7 @@ LockServer(void) /* * Read the pid from the existing file */ - lfd = open(LockFile, O_RDONLY); + lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); if (lfd < 0) { unlink(tmp); FatalError("Can't read lock file %s\n", LockFile); -- 1.7.7 ++++++ U_Fix-CVE-2011-4029-File-permission-change-vulnerabili.patch ++++++

From b67581cf825940fdf52bf2e0af4330e695d724a4 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb <matthieu.herrb@laas.fr> Date: Mon, 17 Oct 2011 22:27:35 +0200 Subject: [PATCH] Fix CVE-2011-4029: File permission change vulnerability.

Use fchmod() to change permissions of the lock file instead of chmod(), thus avoid the race that can be exploited to set a symbolic link to any file or directory in the system. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- os/utils.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/os/utils.c b/os/utils.c index fe49254..07cf4c2 100644 --- a/os/utils.c +++ b/os/utils.c @@ -297,7 +297,7 @@ LockServer(void) FatalError("Could not create lock file in %s\n", tmp); (void) sprintf(pid_str, "%10ld\n", (long)getpid()); (void) write(lfd, pid_str, 11); - (void) chmod(tmp, 0444); + (void) fchmod(lfd, 0444); (void) close(lfd); /* -- 1.7.7 continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org