http://secunia.com/advisories/22642/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5397
Kees Cook found a file descriptor leak in the Xinput module, which is optionally read from the XCOMPOSEFILE environment variable. Looks like it is fixed in git, but the fix won't be out till the 1.1 release. 1.0.1 is apparently not vulnerable.
I'm working on 1.0.3-r1 which will include the patch from upstream.
Created attachment 101141: CVE-2006-5397.patch. Fix from upstream.
Created attachment 101143: libX11-1.0.3-r1.ebuild. Ebuild that includes the patch.
I probably won't be able to commit these for 2-4 hours. I'm assuming I'm clear to do so since this issue is already public?
Our xterm does not install sgid, so I don't think there is really any effect of this. From the upstream bug: "So far xterm seems to be the only problematic app (setgid), but with its normal gid no security relevant files can be accessed."
Yeah, it didn't seem like it was particularly exploitable. I do think it should go into the tree, but maybe we just don't need to rush stabilization.
Not only that, but I don't feel there's any need for a GLSA either unless you want to send one out that says "Hi, this isn't really an exploit on Gentoo but since other people are sending advisories, we will too".
Hm. On more thinking, it's conceivable that the problem could result in access to files owned by the utmp group via libutempter.
I've put 1.0.3-r1 into the tree with the above patch.
It would be useful if a security audit person could determine whether this actually affects us in any way, given that our xterm is not sgid and uses the sgid libutempter instead.
Falco, any news on this one?
(In reply to comment #11)
> Falco, any news on this one?

Donnie and all are right: we're probably not affected by this issue. I suggest closing this bug ("invalid").
Closing as invalid.