| Field | Value |
|---|---|
| Summary | <x11-apps/xinit-1.2.0-r4: xserverrc starts Xserver without -auth |
| Product | Gentoo Security |
| Component | Auditing |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A1 [glsa] |
| Reporter | Klaus Kusche <klaus.kusche> |
| Assignee | Gentoo Security <security> |
| CC | battousai, dberkholz, leio, lu_zero, remi, x11 |
| Package list | |
| Runtime testing required | --- |
Description
Klaus Kusche
2010-01-10 09:30:02 UTC
x11: please advise. Restricting bug as this might be an unknown bug.

Craig- You must CC individual people, not the alias.

Sigh... startx... again. Do you know if other distros (Debian for example) have similar issues and if they have scripts we could "borrow"? In any case, startx is not really the "recommended" way to start Xorg these days... Not really worth the fuss IMHO, but I'll gladly apply patches. Cheers

I don't know about other distributions, I'm Gentoo only.

But for me, simply changing /etc/X11/xinit/xserverrc from "exec /usr/bin/X -nolisten tcp" to "exec /usr/bin/X -nolisten tcp $*" worked.

Perhaps someone of the X masters can comment on it?

(In reply to comment #4)
> I don't know about other distributions, I'm Gentoo only.
>
> But for me, simply changing /etc/X11/xinit/xserverrc from
> "exec /usr/bin/X -nolisten tcp" to
> "exec /usr/bin/X -nolisten tcp $*" worked.

I know that's one possible fix, I was just curious if/how other distros handled startx. Guess I'll have to dig myself if I want to learn more.

> Perhaps someone of the X masters can comment on it?

That'd be me... In any case, being still on devaway, if anyone wants to commit a patch, feel free to do so. Just keep this bug open so we backport the patch to the x11 overlay as well. Thanks

It was committed a while ago, current /etc/X11/xinit/xserverrc:

    #!/bin/sh
    exec /usr/bin/X -nolisten tcp "$@"

Indeed, this bug is fixed as far as X11 is concerned. @security, anything else to be done on your part? Thanks

Ping, Opened for ~1 year, and fixed. So what is left?

Looks good to me, nothing left here. Thank you everyone.

It looks like this was fixed in Bug 343911, without a GLSA. I have filed a GLSA request.

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
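The effect of the three xserverrc variants quoted in this thread, shown as an added example that is not part of the bug report: a stub script stands in for /usr/bin/X and prints the arguments it receives, so the run shows whether a `-auth` option handed to xserverrc reaches the server. The stub, the scratch directory, the function names and the sample authority path are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: a stub replaces /usr/bin/X, so no real X server is started.

# Build a scratch directory with the stub server and the three variants
# of xserverrc from the thread. Prints the directory path.
setup_variants() {
    dir=$(mktemp -d) || return 1
    # Stub server: prints every argument it receives on its own line.
    cat > "$dir/X" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done
EOF
    # original: arguments dropped; star: comment #4 workaround; at: committed fix.
    printf '#!/bin/sh\nexec "%s" -nolisten tcp\n'      "$dir/X" > "$dir/rc.original"
    printf '#!/bin/sh\nexec "%s" -nolisten tcp $*\n'   "$dir/X" > "$dir/rc.star"
    printf '#!/bin/sh\nexec "%s" -nolisten tcp "$@"\n' "$dir/X" > "$dir/rc.at"
    chmod +x "$dir/X" "$dir"/rc.*
    printf '%s\n' "$dir"
}

# Print the value the server receives after -auth, or nothing if -auth is lost.
# $1 = xserverrc variant to run, $2 = authority file path passed by the caller.
auth_seen_by_server() {
    "$1" :0 -auth "$2" | awk 'prev == "-auth" { print; exit } { prev = $0 }'
}

# Demonstration with a constructed path that contains a space.
demo_dir=$(setup_variants)
for v in original star at; do
    seen=$(auth_seen_by_server "$demo_dir/rc.$v" "/home/user name/.serverauth.1234")
    printf '%-8s server sees -auth value: [%s]\n' "$v" "$seen"
done
rm -rf "$demo_dir"
```

An empty value means the server was started with no `-auth` at all, which is the condition in the bug summary; the unquoted `$*` form forwards the option but splits its value at whitespace, which the quoted `"$@"` form does not.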