debian/changelog | 8 ++++++++ debian/local/xvfb-run | 13 +++++-------- 2 files changed, 13 insertions(+), 8 deletions(-)
New commits: commit ab5b900197966c25becdf9ad62861643749e01be Author: Julien Cristau <jcris...@debian.org> Date: Thu May 14 21:14:16 2009 +0200 xvfb-run: use mktemp to create the temporary directory.
diff --git a/debian/changelog b/debian/changelog
index 60b1dd8..7c2b114 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ xorg-server (2:1.6.1.901-3) UNRELEASED; urgency=low
 * xvfb-run: don't pass the magic cookie to xauth on the command line
 (CVE-2009-1573). Thanks, Loïc Minier!
+ * xvfb-run: use mktemp to create the temporary directory.
 -- Julien Cristau <jcris...@debian.org> Thu, 14 May 2009 21:05:26 +0200
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index b11130a..4c2f4e0 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -147,12 +147,8 @@ trap clean_up EXIT
 # If the user did not specify an X authorization file to use, set up a temporary
 # directory to house one.
 if [ -z "$AUTHFILE" ]; then
- XVFB_RUN_TMPDIR="${TMPDIR:-/tmp}/$PROGNAME.$$"
- if ! mkdir -p -m 700 "$XVFB_RUN_TMPDIR"; then
- error "temporary directory $XVFB_RUN_TMPDIR already exists"
- exit 4
- fi
- AUTHFILE=$(tempfile -n "$XVFB_RUN_TMPDIR/Xauthority")
+ XVFB_RUN_TMPDIR="$(mktemp -d -t $PROGNAME.XXXXXX)"
+ AUTHFILE="$XVFB_RUN_TMPDIR/Xauthority"
 fi
 # Start Xvfb.
commit ecf09e571198ee16256a5efd1c23fd286a4f2249 Author: Julien Cristau <jcris...@debian.org> Date: Thu May 14 21:08:21 2009 +0200 xvfb-run: don't pass the magic cookie to xauth on the command line Use xauth source to pass the cookie via stdin. This addresses CVE-2009-1573. Thanks, Loïc Minier!
diff --git a/debian/changelog b/debian/changelog
index 8a2d6f3..60b1dd8 100644
--- a/debian/changelog
+++ b/debian/changelog
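Review bot: In the debian/local/xvfb-run hunk, the result of `mktemp -d` is never checked, whereas the code it replaces reported the failure with `error` and `exit 4`. If mktemp fails and the script is not running under `set -e` (not visible in this hunk), XVFB_RUN_TMPDIR is empty and AUTHFILE becomes `/Xauthority`, so the cookie would be written outside any private directory. I would keep the explicit failure path and quote the template: `XVFB_RUN_TMPDIR="$(mktemp -d -t "$PROGNAME.XXXXXX")" || { error "cannot create temporary directory"; exit 4; }`. AUTHFILE is also no longer pre-created the way `tempfile -n` appears to have done, so xauth now has to create it inside the private directory; a one-line comment saying this is intentional would help.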
@@ -1,3 +1,10 @@
+xorg-server (2:1.6.1.901-3) UNRELEASED; urgency=low
+
+ * xvfb-run: don't pass the magic cookie to xauth on the command line
+ (CVE-2009-1573). Thanks, Loïc Minier!
+
+ -- Julien Cristau <jcris...@debian.org> Thu, 14 May 2009 21:05:26 +0200
+
 xorg-server (2:1.6.1.901-2) unstable; urgency=low
 * Merge from upstream server-1.6-branch (commit a9f85dce).
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
 # Start Xvfb.
 MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
- >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
 XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
 2>&1 &
 XVFBPID=$!
-- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
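Review bot: In the debian/local/xvfb-run hunk, `$SERVERNUM` and `$XAUTHPROTO` are now expanded unquoted into a script that xauth parses itself, where the old line passed them as separately quoted arguments. A value containing whitespace or a newline would change the `add` command or append further xauth commands; whether those variables are validated is decided outside the hunk, so this is worth confirming where they are set. The here-document has to keep its unquoted delimiter for the expansion to happen, so any check belongs before this statement rather than in it. I would also add a comment above the call so the stdin form is not reverted later: `# Feed the cookie to xauth on stdin; argv is visible to other local users via ps (CVE-2009-1573).`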