Summary: | <x11-misc/slim-slim-1.3.1_p20091114 insecure xauth secret (CVE requested) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | desktop-misc, notordoktor
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306 | |
Whiteboard: | B3 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 306961 | |
Bug Blocks: | | |
Attachments: | | |

Interesting, FWIW..upstream is basically dead so I would assume this is at NeedPatch for now, unless someone comes from the debian bug report.

Apparently this is no longer an issue as of slim 1.3.1-2: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306#56>

Created attachment 220459
Patch from Debian

Created attachment 220471
Patch from Debian

Eh OK, I'd rather attach the real patch (instead of the patch to create real patch Debian way)...

Thanks for your comment. Maintainers, please provide a fixed ebuild.

New snapshot is in the tree (bug 306961). I would like to wait a few days before stabilization for any bug reports to arise.

@security team: New snapshot is not any worse than current stable. I endorse adding arches. Feel free... :)

(In reply to comment #7)
> @security team: New snapshot is not any worse than current stable. I endorse
> adding arches. Feel free... :)
>

Hmm, I guess we will continue now.

Keywords: slim-1.3.1-r5[0]: amd64 ppc ppc64 sparc x86
Keywords: slim-1.3.1_p20091114[0]: ~amd64 ~ppc ~ppc64 ~sparc ~x86

x86 stable

ppc64 done

ppc done

amd64 stable

sparc stable

removing myself, nothing left for me to do.

GLSA vote: NO

Unlikely to be exploited, so my GLSA vote is NO, too. Closing noglsa.

On Monday 18 May 2009, Nico Golde wrote:
> slim insecurely generates the x authorization file:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306