Subject: CVS commit: [pkgsrc-2012Q3] pkgsrc/x11/modular-xorg-server
From: Matthias Scheler
Date: 2012-12-18 18:43:02
Message id: 20121218174302.CDBB7175DD@cvs.netbsd.org
Log Message:
Pullup ticket #3993 - requested by is
x11/modular-xorg-server: security patch
Revisions pulled up:
- x11/modular-xorg-server/Makefile 1.73 via patch
- x11/modular-xorg-server/distinfo 1.47
- x11/modular-xorg-server/patches/patch-os_utils.c 1.1
---
Module Name: pkgsrc
Committed By: is
Date: Sat Dec 15 09:26:07 UTC 2012
Modified Files:
pkgsrc/x11/modular-xorg-server: Makefile distinfo
Added Files:
pkgsrc/x11/modular-xorg-server/patches: patch-os_utils.c
Log Message:
Fix CVE-2011-4028: File disclosure vulnerability.
Use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it points to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Fix CVE-2011-4029: File permission change vulnerability.
Use fchmod() to change permissions of the lock file instead of
chmod(), thus avoid the race that can be exploited to set a symbolic
link to any file or directory in the system.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Files:
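
The two techniques named in the log message, shown as an added C illustration. This is not the contents of patch-os_utils.c or any X.Org code. The function names, file names and the /tmp scratch directory are hypothetical, and the symlink scenario is constructed.

```c
/* Added illustration: hypothetical helper names, constructed test scenario. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing lock file. With O_NOFOLLOW, open() fails (ELOOP on Linux)
 * when the last path component is a symlink, so nothing leaks about its target. */
int open_existing_lock(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW);
}

/* Create a lock file, then widen its mode. fchmod() acts on the descriptor just
 * opened, so a symlink swapped in at the path afterwards cannot redirect it. */
int create_lock(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && fchmod(fd, 0644) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory; 0 means all checks held. */
int lock_demo(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], target[64], sym[64];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(lock, sizeof lock, "%s/server.lock", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(sym, sizeof sym, "%s/planted.lock", dir);
    int fd = create_lock(lock);
    if (fd < 0 || fstat(fd, &st) < 0 || (st.st_mode & 0777) != 0644) return 2;
    close(fd);
    if ((fd = open_existing_lock(lock)) < 0) return 3;   /* regular file: ok */
    close(fd);
    if ((fd = create_lock(target)) < 0 || symlink(target, sym) < 0) return 4;
    close(fd);
    if (open_existing_lock(sym) != -1) return 5;          /* symlink: refused */
    unlink(sym); unlink(target); unlink(lock); rmdir(dir);
    return 0;
}
int main(void) { return lock_demo(); }
```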