expo (was: Re: [CVE-2006-0745] X.Org Security Advisory: privilege escalation and DoS in X11R6.9, X11R7.0)
Daniel Stone
daniel at freedesktop.org
Sat Apr 1 14:07:53 PST 2006
On Mon, Mar 20, 2006 at 04:00:58PM +0200, Daniel Stone wrote:
> X.Org Security Advisory, March 20th 2006
> Local privilege escalation in X.Org server 1.0.0 and later; X11R6.9.0
> and X11R7.0
> CVE-ID: CVE-2006-0745
>
> [...]
>
> Fix:
>
> Apply the patch below to xorg-server-1.0.0 and 1.0.1 from the modular
> X11R7 tree:
> 80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff
> 44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff
> http://xorg.freedesktop.org/releases/X11R7.0/patches/
>
> Alternately, xorg-server 1.0.2 has been released with this and other
> code fixes:
> 5cd3316f07ed32a05cbd69e73a71bc74 xorg-server-1.0.2.tar.bz2
> b2257e984c5111093ca80f1f63a7a9befa20b6c0 xorg-server-1.0.2.tar.bz2
> f44f0f07136791ed7a4028bd0dd5eae3 xorg-server-1.0.2.tar.gz
> 3f5c98c31fe3ee51d63bb1ee9467b8c3fcaff5f3 xorg-server-1.0.2.tar.gz
> http://xorg.freedesktop.org/releases/individual/xserver/
>
> Apply the patch below to the X.Org server as distributed with X11R6.9:
> de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff
> f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff
> http://xorg.freedesktop.org/releases/X11R6.9.0/patches/
These patches are still not available from ftp.x.org. (As, I note, are
the individual packages released since X11R7.0.)

Wasn't the entire point of having expo to have a machine we could
reliably use for things like this? As far as I can tell, the only
difference is that www.x.org is now up to date, being the same as
xorg.freedesktop.org once was. However, ftp.x.org is still
redistributing code with critical vulnerabilities, so once again, we
have to point people to xorg.freedesktop.org and urge them to avoid
ftp.x.org.

What is expo actually doing? Why do developers still not have access to
it? Why is it not even mirroring the master site (xorg.fd.o)?
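Since the thread's concern is a mirror serving stale copies, the practical check is to compare a downloaded patch against both digests the advisory publishes before applying it. The following is an added example, not code from the advisory or from X.Org: it parses lines in the advisory's "digest filename" layout (MD5 first, SHA-1 second) and accepts a file only when every published digest matches. The digest values come from the advisory quoted above; the file bytes used in the test are constructed.

```python
import hashlib
import os
import re

# Excerpt in the advisory's layout: one "<digest> <filename>" line per digest.
# A 32-hex-character value is MD5, a 40-hex-character value is SHA-1.
ADVISORY_EXCERPT = """\
80db6a3ab76334061ec6102e74ef5607 xorg-server-1.0.1-geteuid.diff
44b44fa3efc63697eefadc7c2a1bfa50a35eec91 xorg-server-1.0.1-geteuid.diff
de85e59b8906f76a52ec9162ec6c0b63 x11r6.9.0-geteuid.diff
f9b73b7c1bd7d6d6db6d23741d5d1125eea5f860 x11r6.9.0-geteuid.diff
"""

DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{40})\s+(\S+)$")
ALGO_BY_LEN = {32: "md5", 40: "sha1"}


def parse_digests(text):
    """Map filename -> {algorithm: expected hex digest} from advisory-style lines.

    Leading '>' quote markers (as in a mailing-list reply) are tolerated;
    lines that are not digest lines are ignored."""
    table = {}
    for raw in text.splitlines():
        m = DIGEST_LINE.match(raw.lstrip("> ").strip())
        if not m:
            continue
        digest, name = m.groups()
        table.setdefault(name, {})[ALGO_BY_LEN[len(digest)]] = digest.lower()
    return table


def compute_digests(data, algorithms=("md5", "sha1")):
    """Compute the named digests of an in-memory file (bytes)."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def verify(data, name, table):
    """True only if every digest published for `name` matches the data.

    An unknown filename or a single mismatching algorithm is a failure, so a
    stale or corrupted mirror copy is rejected rather than partially accepted."""
    expected = table.get(name)
    if not expected:
        return False
    actual = compute_digests(data, tuple(expected))
    return all(actual[algo] == digest for algo, digest in expected.items())


def verify_file(path, table):
    """Check an on-disk download (keyed by its basename) against the table."""
    with open(path, "rb") as f:
        return verify(f.read(), os.path.basename(path), table)
```

MD5 and SHA-1 are what this 2006 advisory publishes; matching both catches the stale or corrupted mirror copy this thread is about, which is the purpose of the check here.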