[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security concerns (Was Re: XQuartz quextion)

Subject: Re: Security concerns (Was Re: XQuartz quextion)
From: Robert T Wyatt <email@hidden>
Date: Sun, 25 Nov 2007 08:37:08 -0600
Delivered-to: email@hidden
Delivered-to: email@hidden
Organization: The University of Texas at Austin
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.9) Gecko/20071030 SeaMonkey/1.1.6

Jeremy Huddleston wrote:

Now if only someone could make the case that Leopard's Xquartz poses a security problem... The fix would appear on softwareupdate within two days. Indeed, couldn't those regular
Well... see my posting about 1.3a1 and its fixes:
CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1003
Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.
so... yeah... there you go...
Get 1.3a1 which fixes this here: http://people.freedesktop.org/~jeremyhu/x11-apple/releases/1.3a1/

I haven't updated the wiki because I don't want it to appear as though Ben and I are forking off eachother by having different distribution sites. We're working on a way to have a single location for releases. In the mean time, just grab the files from my space there.

--Jeremy


Jeremy,
Is 1.3a1 the one that is picked up by your script?
Thanks,
Robert
_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/x11-users/email@hidden

This email sent to email@hidden

Follow-Ups:
- Re: Security concerns (Was Re: XQuartz quextion)
  - From: Jeremy Huddleston <email@hidden>

References:
	>XQuartz quextion (From: dp <email@hidden>)
	>Re: XQuartz quextion (From: William Davis <email@hidden>)
	>Re: XQuartz quextion (From: Martin Costabel <email@hidden>)
	>Security concerns (Was Re: XQuartz quextion) (From: Jeremy Huddleston <email@hidden>)

Prev by Date: Re: Security concerns (Was Re: XQuartz quextion)
Next by Date: Re: A proposal for the keybindings issue
Previous by thread: Re: Development Process (Was Re: Security concerns)
Next by thread: Re: Security concerns (Was Re: XQuartz quextion)
Index(es):
- Date
- Thread

Home