From security@mandriva.com Mon Mar 20 16:09:49 2006 From: security@mandriva.com To: full-disclosure@lists.grok.org.uk Date: Mon, 20 Mar 2006 14:10:00 -0700 Reply-To: xsecurity@mandriva.com Subject: [Full-disclosure] [ MDKSA-2006:056 ] - Updated xorg-x11 packages to address local root vuln -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:056 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xorg-x11 Date : March 20, 2006 Affected: 2006.0 _______________________________________________________________________ Problem Description: Versions of Xorg 6.9.0 and greater have a bug in xf86Init.c, which allows non-root users to use the -modulepath, -logfile and -configure options. This allows loading of arbitrary modules which will execute as the root user, as well as a local DoS by overwriting system files. Updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0745 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 46ee786eaf6fbcf7bf938ebce48a7ce1 2006.0/RPMS/libxorg-x11-6.9.0-5.3.20060mdk.i586.rpm 3f06cae5a43ea06de97ab93b623c7f1e 2006.0/RPMS/libxorg-x11-devel-6.9.0-5.3.20060mdk.i586.rpm 96c329453a07eda970f6eaeb7a689156 2006.0/RPMS/libxorg-x11-static-devel-6.9.0-5.3.20060mdk.i586.rpm bcf177b1901d78020090b0197f5b43d4 2006.0/RPMS/X11R6-contrib-6.9.0-5.3.20060mdk.i586.rpm 32a16643784c1968104d12471bc7ebd1 2006.0/RPMS/xorg-x11-100dpi-fonts-6.9.0-5.3.20060mdk.i586.rpm 7a652e4429fc77aee754a5661bdfe755 2006.0/RPMS/xorg-x11-6.9.0-5.3.20060mdk.i586.rpm 975a38dcfc7d21448e62c584d7016f2f 2006.0/RPMS/xorg-x11-75dpi-fonts-6.9.0-5.3.20060mdk.i586.rpm f9c48a395f08686de37a0df30e48e6cc 2006.0/RPMS/xorg-x11-cyrillic-fonts-6.9.0-5.3.20060mdk.i586.rpm fbec9c1632e1ca322f1536ffcbc8446d 2006.0/RPMS/xorg-x11-doc-6.9.0-5.3.20060mdk.i586.rpm 36a55aa930a752bc2aa75b4af85d9c47 2006.0/RPMS/xorg-x11-glide-module-6.9.0-5.3.20060mdk.i586.rpm ceeafcc3c7c41374058a16d33f46339f 2006.0/RPMS/xorg-x11-server-6.9.0-5.3.20060mdk.i586.rpm 801a6438b6dad8bb7293741deddb1b43 2006.0/RPMS/xorg-x11-xauth-6.9.0-5.3.20060mdk.i586.rpm 252fdbd50c231c9ad5f81b42c199a2a8 2006.0/RPMS/xorg-x11-Xdmx-6.9.0-5.3.20060mdk.i586.rpm 8e4e6c5f5d84bf80d70f0740ec9ea690 2006.0/RPMS/xorg-x11-xfs-6.9.0-5.3.20060mdk.i586.rpm e58bbda0563823ac115cbd88c6c987d8 2006.0/RPMS/xorg-x11-Xnest-6.9.0-5.3.20060mdk.i586.rpm 01500c42871893583e0b63057fe25167 2006.0/RPMS/xorg-x11-Xprt-6.9.0-5.3.20060mdk.i586.rpm ffb613cb4bce6da186cc1db5cb23544d 2006.0/RPMS/xorg-x11-Xvfb-6.9.0-5.3.20060mdk.i586.rpm 6e5852165a323a9bb414bd242df87721 2006.0/SRPMS/xorg-x11-6.9.0-5.3.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: c7b4f00e9a29235312f0175b9fb409ef x86_64/2006.0/RPMS/lib64xorg-x11-6.9.0-5.3.20060mdk.x86_64.rpm eec32f6ccd371dac59972bda2337f956 x86_64/2006.0/RPMS/lib64xorg-x11-devel-6.9.0-5.3.20060mdk.x86_64.rpm 7e022bbb1fffd0ea29535929b7a5b77f x86_64/2006.0/RPMS/lib64xorg-x11-static-devel-6.9.0-5.3.20060mdk.x86_64.rpm b5a9fc15100a53fd0bfc1d9650b79442 x86_64/2006.0/RPMS/X11R6-contrib-6.9.0-5.3.20060mdk.x86_64.rpm 0c6b1355f3463cc933cdda3a25ecc8da x86_64/2006.0/RPMS/xorg-x11-100dpi-fonts-6.9.0-5.3.20060mdk.x86_64.rpm dbd2c5fab3e5e0cfe7ecad3116dc5148 x86_64/2006.0/RPMS/xorg-x11-6.9.0-5.3.20060mdk.x86_64.rpm 8b47d4d7e111764d57049bfe0de214a2 x86_64/2006.0/RPMS/xorg-x11-75dpi-fonts-6.9.0-5.3.20060mdk.x86_64.rpm 6c7ffd2d8466546d40bbf7d34d07a33c x86_64/2006.0/RPMS/xorg-x11-cyrillic-fonts-6.9.0-5.3.20060mdk.x86_64.rpm 770a043b690b71592009b36aaa49478c x86_64/2006.0/RPMS/xorg-x11-doc-6.9.0-5.3.20060mdk.x86_64.rpm 809daf9878848084378c461ca44e3f24 x86_64/2006.0/RPMS/xorg-x11-glide-module-6.9.0-5.3.20060mdk.x86_64.rpm c1345cff6c24d7b79148077b7175c193 x86_64/2006.0/RPMS/xorg-x11-server-6.9.0-5.3.20060mdk.x86_64.rpm affb27f1d415f544acdcc62a126ab3e6 x86_64/2006.0/RPMS/xorg-x11-xauth-6.9.0-5.3.20060mdk.x86_64.rpm f16c26fd827c175c674ec16f1e62a391 x86_64/2006.0/RPMS/xorg-x11-Xdmx-6.9.0-5.3.20060mdk.x86_64.rpm 0ba0619da42ede7ec4eeea529798010c x86_64/2006.0/RPMS/xorg-x11-xfs-6.9.0-5.3.20060mdk.x86_64.rpm c7aea15c582521540c8e6827f79d0bc4 x86_64/2006.0/RPMS/xorg-x11-Xnest-6.9.0-5.3.20060mdk.x86_64.rpm 6a9081fe30c8c84c280c6a1e63c2c913 x86_64/2006.0/RPMS/xorg-x11-Xprt-6.9.0-5.3.20060mdk.x86_64.rpm 7b1e6dd1fa20d2ce0cd410a7562edbaa x86_64/2006.0/RPMS/xorg-x11-Xvfb-6.9.0-5.3.20060mdk.x86_64.rpm 6e5852165a323a9bb414bd242df87721 x86_64/2006.0/SRPMS/xorg-x11-6.9.0-5.3.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEHwzTmqjQ0CJFipgRAixMAKDW9bewEG0zCQSI7zN0NdseCcz7ZACfaorS enUQ01nWpdBfnLZQ0hXXtng= =m0Zf -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/