Date: Sat, 15 Dec 2012 09:26:07 +0000
From: "Ignatios Souvatzis"
Subject: CVS commit: pkgsrc/x11/modular-xorg-server
To: pkgsrc-changes@NetBSD.org
Reply-To: is@netbsd.org
Message-Id: <20121215092607.A9CCF175DD@cvs.netbsd.org>

Module Name:	pkgsrc
Committed By:	is
Date:		Sat Dec 15 09:26:07 UTC 2012

Modified Files:
	pkgsrc/x11/modular-xorg-server: Makefile distinfo
Added Files:
	pkgsrc/x11/modular-xorg-server/patches: patch-os_utils.c

Log Message:
Fix CVE-2011-4028: File disclosure vulnerability.

Use O_NOFOLLOW to open the existing lock file, so symbolic links aren't
followed, thus avoiding revealing if it points to an existing file.

Signed-off-by: Matthieu Herrb
Reviewed-by: Alan Coopersmith

Fix CVE-2011-4029: File permission change vulnerability.

Use fchmod() to change permissions of the lock file instead of chmod(),
thus avoiding the race that can be exploited to set a symbolic link to
any file or directory in the system.

Signed-off-by: Matthieu Herrb
Reviewed-by: Alan Coopersmith

To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 pkgsrc/x11/modular-xorg-server/Makefile
cvs rdiff -u -r1.46 -r1.47 pkgsrc/x11/modular-xorg-server/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/x11/modular-xorg-server/patches/patch-os_utils.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
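The two fixes described in the log message, as an added stand-alone illustration rather than the patch-os_utils.c contents or X.Org's own code: open the existing lock file with O_NOFOLLOW so a symlink at that path is refused with ELOOP, and change its mode with fchmod() on the descriptor actually held instead of chmod() on the path. The function names open_lock_nofollow and demo_lockfile are hypothetical, and the scratch directory under /tmp is constructed for the self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open an existing lock file without following
 * symbolic links, then change the mode on the descriptor we hold
 * (fchmod) rather than on the path (chmod), so the path cannot be
 * swapped for a link between the two operations. */
int open_lock_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                 /* ELOOP: path was a symbolic link */
    if (fchmod(fd, mode) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Self-check on a constructed scenario: a regular lock file and a
 * symlink pointing at it. Returns 0 on success, else the failing step. */
int demo_lockfile(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char regular[64], link[64];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(regular, sizeof regular, "%s/lock", dir);
    snprintf(link, sizeof link, "%s/lock.lnk", dir);
    fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) rc = 2; else close(fd);
    if (rc == 0 && symlink(regular, link) < 0) rc = 3;
    if (rc == 0) {                 /* regular file: opened and re-moded */
        fd = open_lock_nofollow(regular, 0444);
        if (fd < 0) rc = 4; else close(fd);
    }
    if (rc == 0 && (open_lock_nofollow(link, 0444) != -1 || errno != ELOOP))
        rc = 5;                    /* symlink: must be refused, not followed */
    unlink(link); unlink(regular); rmdir(dir);
    return rc;
}
```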