Re: Security concerns (Was Re: XQuartz quextion)
- Subject: Re: Security concerns (Was Re: XQuartz quextion)
- From: "Jordan K. Hubbard" <email@hidden>
- Date: Sun, 25 Nov 2007 11:23:56 -0800
*sigh*
As anyone who's been following this list knows, and I encourage you to
read the archives if you're new here, "Apple" has been listening all
along. I put that in quotes since, of course, there is no single "Mr
Apple" that makes every decision and can be conveniently appealed to
in situations like this. There is a decision matrix involving a lot
of people and the set of people who get to decide what goes into
software updates and when is a different set of people than the
engineers who maintain X11 (and many other components in Mac OS X).
Kevin, Ben's manager, has already stated publicly in this list (and
been quoted in the FAQ, AFAIK) that he and Ben are working to get
these changes into an update ASAP. As Kevin's manager, I am
supporting these efforts. Does that mean we can promise any of you
that you'll see a specific piece of technology on a specific date?
No, of course not, since that is not our promise to make.
Apple is a large company and it's tempting for customers to over-
simplify the process that goes on internally where such decisions are
concerned. Put too few components in an update and people complain
that the right bugs are not being fixed quickly enough. Put too many
in and people complain about the impossibility of downloading that
200MB update over their Grandma's 56K modem connection. This
continuing set of trade-offs, coupled with the fact that line
engineers are notoriously biased when it comes to assessing urgency
("my component is the most important! No! Mine is!"), means that
there has to be a process here and that process is currently being
followed. In the meantime, Ben is giving you early access to his
work, which many folks on this list will line up for the opportunity
to tell you how great and frankly exceptional that is.
A little patience would be appreciated. Thanks.
- Jordan
On Nov 25, 2007, at 2:30 AM, Martin Costabel wrote:
Jeremy Huddleston wrote:
[]
Well... see my posting about 1.3a1 and its fixes:
CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory
Corruption
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1003
Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList
function in the XC-MISC extension in the X.Org X11 server (xserver)
7.1-1.1.0, and other versions before 20070403, allows remote
authenticated users to execute arbitrary code via a large
expression, which results in memory corruption.
Wonderful!
Mr. Apple, are you listening?
--
Martin
_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list (email@hidden)
This email sent to email@hidden
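The CVE text quoted in Martin's message names the bug class rather than the code: a buffer size computed from a client-supplied count wraps before the allocation, so a huge request gets a tiny buffer and the subsequent writes corrupt memory. The following is an added illustration, not X.Org, XQuartz or Apple code and not from this thread; the `XID` typedef, the request struct, the status values and the 32-bit size arithmetic are simplifying assumptions chosen to show the wrap alongside the checked form.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t XID;            /* assumed: X resource IDs are 32-bit values */
#define Success  0               /* assumed status values, illustrative only */
#define BadAlloc 11

/* Constructed stand-in for the wire request: the client says how many IDs it wants. */
struct xid_list_req { uint32_t count; };

/* Size arithmetic done in 32 bits, as a 32-bit server of that era would:
 * count * sizeof(XID) wraps modulo 2^32 once count reaches 2^30, so a
 * request for ~one billion IDs yields a buffer of a few bytes. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(XID);
}

/* Checked form: refuse any count whose product cannot be represented
 * instead of letting it wrap. Returns 1 and the size on success, 0 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t *size_out) {
    if (count > UINT32_MAX / sizeof(XID))
        return 0;
    *size_out = count * (uint32_t)sizeof(XID);
    return 1;
}

/* Request handler built on the checked size: every write the loop performs
 * is backed by bytes that were actually allocated. Returns BadAlloc for an
 * overflowing count or a failed allocation, else Success with the ID count. */
int handle_get_xid_list(const struct xid_list_req *req, uint32_t *ids_written) {
    uint32_t bytes;
    if (!checked_alloc_size(req->count, &bytes))
        return BadAlloc;
    XID *ids = malloc(bytes ? bytes : 1);      /* malloc(0) may return NULL */
    if (ids == NULL)
        return BadAlloc;
    for (uint32_t i = 0; i < req->count; i++)  /* req->count writes of sizeof(XID) each */
        ids[i] = 0x00400000u + i;              /* constructed placeholder IDs */
    *ids_written = req->count;
    free(ids);
    return Success;
}
```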