Hello,

I am writing in my capacity as the Debian XFree86 package maintainer for Debian 3.0 ("woody") to correct a factual error I encountered on the following web page:

<URL: http://www.securityfocus.com/bid/5735/info/ >

This entry lists the following releases of Debian GNU/Linux as vulnerable:

XFree86 X11R6 4.1.0
   + Debian Linux 3.0
   + Debian Linux 3.0 alpha
   + Debian Linux 3.0 arm
   + Debian Linux 3.0 hppa
   + Debian Linux 3.0 ia-32
   + Debian Linux 3.0 ia-64
   + Debian Linux 3.0 m68k
   + Debian Linux 3.0 mips
   + Debian Linux 3.0 mipsel
   + Debian Linux 3.0 ppc
   + Debian Linux 3.0 s/390
   + Debian Linux 3.0 sparc

Stock XFree86 4.1.0, and XFree86 4.1.0 as patched and shipped by Debian in our 3.0 ("woody") release, was not vulnerable to this flaw.

This is because the flaw was in the Xlib internationalization module loader. This module loader was only added to XFree86 very late in the XFree86 4.2.0 development cycle[1], and was *not* present in XFree86 4.1.0. Furthermore, Debian did not backport this functionality to our official packages of XFree86 4.1.0.

It is possible that the other distributions you have listed as shipping XFree86 4.1.0 are not vulnerable either:

   + RedHat Advanced Workstation for the Itanium Processor 2.1
   + RedHat Enterprise Linux AS 2.1
   + RedHat Enterprise Linux ES 2.1
   + RedHat Enterprise Linux WS 2.1
   + RedHat Linux 7.1 i386
   + RedHat Linux 7.2 i386
   + Turbolinux Turbolinux Server 7.0
   + Turbolinux Turbolinux Workstation 7.0

...however, I am not familiar with those releases, and it is possible that Red Hat and/or Turbolinux backported the Xlib module loader to their versions of XFree86 4.1.0.

I have two further, more cosmetic, corrections to offer:

* The name of Debian's Linux-kernel-based OS release is "Debian GNU/Linux", not "Debian Linux". When our versions of "GNU/Hurd", "GNU/FreeBSD", and other OSes are available, we'll let you know. :)

* The name of The XFree86 Project, Inc.'s releases is simply "XFree86". It is X.Org that produces "X11R6". This is an important distinction given recent developments in the free software community.

Thanks for your attention to this matter.

[1] Here's the relevant CVS commit message, which unfortunately is not publicly archived on the World Wide Web, as far as I can tell:

From: David Dawes <[EMAIL PROTECTED]>
To: cvs-commit@xfree86.org
Subject: CVS Update: xc (branch: trunk)
Date: Thu, 15 Nov 2001 16:52:35 -0800 (PST)
Message-Id: <[EMAIL PROTECTED]>
List-Id: CVS commit messages <cvs-commit.XFree86.Org>

CVSROOT:        /home/x-cvs
Module name:    xc
Changes by:     [EMAIL PROTECTED] 01/11/15 16:52:35

Log message:
   479. Move much of the I18N code in Xlib into separately loadable
        modules (#4965, 5043, Ernie Coskrey, from X11R6.6).

Modified files:
   xc/config/cf/:
     X11.tmpl cygwin.tmpl
   xc/lib/X11/:
     Imakefile XlcPubI.h Xlcint.h imInt.c lcFile.c lcGeneric.c
     lcInit.c lcPublic.c lcUTF8.c
   xc/nls/:
     Imakefile
   xc/programs/Xserver/hw/xfree86/:
     CHANGELOG
Added files:
   xc/lib/X11/xlibi18n/:
     Imakefile Xi18nLib.conf
   xc/lib/X11/xlibi18n/im/:
     Imakefile
   xc/lib/X11/xlibi18n/im/ximcp/:
     Imakefile Ximcp.mapfile
   xc/lib/X11/xlibi18n/lc/:
     Imakefile
   xc/lib/X11/xlibi18n/lc/Utf8/:
     Imakefile
   xc/lib/X11/xlibi18n/lc/def/:
     Imakefile Xlc.mapfile
   xc/lib/X11/xlibi18n/lc/gen/:
     Imakefile Xlc.mapfile
   xc/lib/X11/xlibi18n/lc/xlocale/:
     Imakefile
   xc/lib/X11/xlibi18n/om/:
     Imakefile
   xc/lib/X11/xlibi18n/om/generic/:
     Imakefile Xom.mapfile
   xc/nls/XI18N_OBJS/:
     C Imakefile armscii-8 en_US.UTF-8 georgian-academy georgian-ps
     ibm-cp1133 iscii-dev isiri-3342 iso8859-1 iso8859-10 iso8859-13
     iso8859-14 iso8859-15 iso8859-2 iso8859-3 iso8859-4 iso8859-5
     iso8859-6 iso8859-7 iso8859-8 iso8859-9 iso8859-9e ja ja.JIS
     ja.S90 ja.SJIS ja.U90 ko koi8-c koi8-r koi8-u microsoft-cp1251
     microsoft-cp1255 microsoft-cp1256 mulelao-1 nokhchi-1 tatar-cyr
     th_TH tscii-0 vi_VN.tcvn vi_VN.viscii zh zh_CN.gbk
     zh_HK.big5hkscs zh_TW zh_TW.big5

Revision  Changes    Path
1.134     +4 -1      xc/config/cf/X11.tmpl
3.9       +6 -2      xc/config/cf/cygwin.tmpl
3.41      +89 -40    xc/lib/X11/Imakefile
3.9       +9 -2      xc/lib/X11/XlcPubI.h
3.11      +11 -2     xc/lib/X11/Xlcint.h
3.10      +2 -2      xc/lib/X11/imInt.c
3.24      +59 -2     xc/lib/X11/lcFile.c
3.16      +23 -2     xc/lib/X11/lcGeneric.c
3.9       +58 -2     xc/lib/X11/lcInit.c
1.11      +10 -2     xc/lib/X11/lcPublic.c
1.14      +10 -23    xc/lib/X11/lcUTF8.c
1.9       +6 -2      xc/nls/Imakefile
3.2043    +11 -1     xc/programs/Xserver/hw/xfree86/CHANGELOG

As far as I can tell, XFree86 4.1.0 was released on or about 18 May 2001. The above commit came about 6 months later.

-- 
G. Branden Robinson                |    People with power understand
Debian GNU/Linux                   |    exactly one thing: violence.
[EMAIL PROTECTED]                  |    -- Noam Chomsky
http://people.debian.org/~branden/ |