Debian Bug report logs -
#398460
CVE-2006-5397: libX11 XCOMPOSEFILE File Descriptor Leak
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>: Bug#398460; Package libx11-6.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: libx11-6
Version: 2:1.0.3-2
Severity: important
Tags: security
A vulnerability has been found in libx11:
The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2
and 1.0.3 opens a file for reading twice using the same file
descriptor, which causes a file descriptor leak that allows local
users to read files specified by the XCOMPOSEFILE environment variable
via the duplicate file descriptor.
See https://bugs.freedesktop.org/show_bug.cgi?id=8699
Please mention the CVE id in the changelog.
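The double fopen() described above, as an added example that is not libX11's imLcIm.c and not part of the original report: the two reader functions, the compose file contents and the /tmp path are constructed for illustration. The leaky reader opens the path twice into the same FILE* variable, so the first descriptor is never closed; the fixed reader opens it once. The helpers count the descriptors each reader leaves behind and check that the leaked one was opened without FD_CLOEXEC, which is why it would survive into any child the process later exec()s.

```c
/* Added example reconstructing the double-fopen() pattern in the report and
 * its fix. Function names, file contents and paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_PROBE_LIMIT 1024

/* Count descriptors currently open in this process (0..FD_PROBE_LIMIT-1). */
int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < FD_PROBE_LIMIT; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Vulnerable shape: the same path is opened twice and the second FILE*
 * overwrites the first, so the first descriptor is never closed. */
int read_compose_leaky(const char *path, char *buf, size_t len) {
    FILE *fp;
    fp = fopen(path, "r");            /* first open: descriptor A */
    if (fp == NULL)
        return -1;
    fp = fopen(path, "r");            /* second open: descriptor B; A is lost */
    if (fp == NULL)
        return -1;                    /* A leaks on this path as well */
    if (fgets(buf, (int)len, fp) == NULL)
        buf[0] = '\0';
    fclose(fp);                       /* closes B only; A stays open */
    return 0;
}

/* Fixed shape: one open and one close on every path through the function. */
int read_compose_fixed(const char *path, char *buf, size_t len) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    if (fgets(buf, (int)len, fp) == NULL)
        buf[0] = '\0';
    fclose(fp);
    return 0;
}

/* Write a constructed one-line compose file; caller unlinks and frees the path. */
char *make_compose_file(void) {
    char tmpl[] = "/tmp/compose-XXXXXX";       /* hypothetical location */
    const char *line = "<Multi_key> <a> <e> : \"ae\" ae\n";   /* constructed sample */
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return NULL;
    if (write(fd, line, strlen(line)) < 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return strdup(tmpl);
}

/* Run one reader and report how many descriptors it left open. */
static int leak_delta(int (*reader)(const char *, char *, size_t)) {
    char buf[128];
    char *path = make_compose_file();
    if (path == NULL)
        return -1;
    int before = count_open_fds();
    int rc = reader(path, buf, sizeof buf);
    int after = count_open_fds();
    unlink(path);
    free(path);
    return rc == 0 ? after - before : -1;
}

int leak_delta_leaky(void) { return leak_delta(read_compose_leaky); }
int leak_delta_fixed(void) { return leak_delta(read_compose_fixed); }

/* fopen(path, "r") does not set O_CLOEXEC, so the leaked descriptor is
 * inherited across exec(). Returns 1 if the descriptor the leaky reader left
 * behind is still open and lacks FD_CLOEXEC. */
int leaked_fd_inheritable(void) {
    char buf[128];
    char *path = make_compose_file();
    if (path == NULL)
        return -1;
    int probe = open("/dev/null", O_RDONLY);   /* lowest free fd: the one A will get */
    close(probe);
    read_compose_leaky(path, buf, sizeof buf);
    int flags = fcntl(probe, F_GETFD);
    unlink(path);
    free(path);
    return flags != -1 && (flags & FD_CLOEXEC) == 0;
}

int main(void) {
    printf("leaky reader left %d fd(s) open\n", leak_delta_leaky());
    printf("fixed reader left %d fd(s) open\n", leak_delta_fixed());
    printf("leaked fd inheritable across exec: %d\n", leaked_fd_inheritable());
    return 0;
}
```

The check worth keeping from this is the last one: a leaked read descriptor on a file named by an environment variable matters most in a process that later drops privilege or exec()s something less trusted, because the open file travels with it.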
Reply sent to David Nusinow <dnusinow@debian.org>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #10 received at 398460-close@bugs.debian.org:
Source: libx11
Source-Version: 2:1.0.3-3
We believe that the bug you reported is fixed in the latest version of
libx11, which is due to be installed in the Debian FTP archive:
libx11-6-dbg_1.0.3-3_i386.deb
to pool/main/libx/libx11/libx11-6-dbg_1.0.3-3_i386.deb
libx11-6_1.0.3-3_i386.deb
to pool/main/libx/libx11/libx11-6_1.0.3-3_i386.deb
libx11-data_1.0.3-3_all.deb
to pool/main/libx/libx11/libx11-data_1.0.3-3_all.deb
libx11-dev_1.0.3-3_i386.deb
to pool/main/libx/libx11/libx11-dev_1.0.3-3_i386.deb
libx11_1.0.3-3.diff.gz
to pool/main/libx/libx11/libx11_1.0.3-3.diff.gz
libx11_1.0.3-3.dsc
to pool/main/libx/libx11/libx11_1.0.3-3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 398460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Nusinow <dnusinow@debian.org> (supplier of updated libx11 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 14 Nov 2006 19:56:01 -0500
Source: libx11
Binary: libx11-6-dbg libx11-data libx11-6 libx11-dev
Architecture: source i386 all
Version: 2:1.0.3-3
Distribution: unstable
Urgency: high
Maintainer: David Nusinow <dnusinow@debian.org>
Changed-By: David Nusinow <dnusinow@debian.org>
Description:
libx11-6 - X11 client-side library
libx11-6-dbg - X11 client-side library (debug package)
libx11-data - X11 client-side library
libx11-dev - X11 client-side library (development headers)
Closes: 398460
Changes:
libx11 (2:1.0.3-3) unstable; urgency=high
.
[ Julien Cristau ]
* Urgency high for security bugfix (CVE-2006-5397).
* Add patch 020_CVE-2006-5397 to fix double fopen() of compose file
(closes: #398460). Thanks to Stefan Fritsch for the report.
Files:
4c4b7ddb7d028e6ba5e44bd7c5b6de7e 979 x11 optional libx11_1.0.3-3.dsc
a25715bb1345b5168a8b8ec519ec982a 206622 x11 optional libx11_1.0.3-3.diff.gz
5dabdfbae3cd6deb3701528a7539f093 154346 x11 optional libx11-data_1.0.3-3_all.deb
fbe06b5e75d2f817c6958c415381303f 567360 x11 optional libx11-6_1.0.3-3_i386.deb
599bf6758ddbad2fb0040ff05c7ab369 2450656 x11 extra libx11-6-dbg_1.0.3-3_i386.deb
61b3edf190aefe3bbf6bb5ebbab2110d 1268248 x11 optional libx11-dev_1.0.3-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFWm4TyLfpNdY0ad8RAqZbAJ4xE8B8aEhRqSaoNWpAcMCZ/wRwtwCggaLP
juJMubQbmoWseFNkw5Ic+AQ=
=0SrW
-----END PGP SIGNATURE-----
Forcibly Merged 398460 401956. Request was from Julien Cristau <julien.cristau@ens-lyon.org> to control@bugs.debian.org.
Bug marked as not found in version 2:1.0.3-4. Request was from Julien Cristau <julien.cristau@ens-lyon.org> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 00:05:17 GMT)
Last modified: Wed Jun 19 13:35:37 2019