xorg: Changes to 'debian-unstable'
debian/changelog |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) New commits: commit 75d568a94a7ccfb37a51711c9f1ac42f584ec140 Author: Julien Cristau Date: Sat Mar 3 18:55:44 2012 +0100 Upload to unstable diff --git a/debian/changelog b/debian/changelog index 2be2fa8..5f8f3d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xorg (1:7.6+12) UNRELEASED; urgency=high +xorg (1:7.6+12) unstable; urgency=high * Fix unsafe manipulation of /tmp/.X11-unix and /tmp/.ICE-unix in the x11-common init script. A malicious user could trick us into changing @@ -7,7 +7,7 @@ xorg (1:7.6+12) UNRELEASED; urgency=high "vladz", Tim Morgan and Bernhard R. Link for their help getting this right (any remaining bugs are my own). - -- Julien Cristau Fri, 02 Mar 2012 21:38:07 +0100 + -- Julien Cristau Sat, 03 Mar 2012 18:54:30 +0100 xorg (1:7.6+11) unstable; urgency=low -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1s3tec-0001rr...@vasks.debian.org
xorg: Changes to 'refs/tags/xorg-1_7.6+12'
Tag 'xorg-1_7.6+12' created by Julien Cristau at 2012-03-03 17:58 +

Tagging upload of xorg 1:7.6+12 to unstable.

Changes since xorg-1_7.6+11:
Julien Cristau (2):
      Be more careful before running chown/chmod in x11-common.init
      Upload to unstable

---
 debian/changelog       | 11 +
 debian/x11-common.init | 90 -
 2 files changed, 71 insertions(+), 30 deletions(-)
---
Processing of xorg_7.6+12_amd64.changes
xorg_7.6+12_amd64.changes uploaded successfully to localhost along with the files:
  xorg_7.6+12.dsc
  xorg_7.6+12.tar.gz
  x11-common_7.6+12_all.deb
  xorg-dev_7.6+12_all.deb
  xbase-clients_7.6+12_all.deb
  xutils_7.6+12_all.deb
  xserver-xorg_7.6+12_amd64.deb
  xserver-xorg-video-all_7.6+12_amd64.deb
  xserver-xorg-input-all_7.6+12_amd64.deb
  xorg_7.6+12_amd64.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)
Bug#661627: marked as done (init script x11-common creates directories in insecure manners)
Your message dated Sat, 03 Mar 2012 18:19:21 + with message-id and subject line Bug#661627: fixed in xorg 1:7.6+12 has caused the Debian Bug report #661627, regarding init script x11-common creates directories in insecure manners to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
661627: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661627
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: x11-common
Version: 1:7.5+8
Tags: security

The init script "x11-common" creates directories "/tmp/.X11-unix" and "/tmp/.ICE-unix" in insecure manners.

$ cat -n /etc/init.d/x11-common
[...]
    33  if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
    34    mv $SOCKET_DIR $SOCKET_DIR.$$
    35  fi
    36  mkdir -p $SOCKET_DIR
    37  chown root:root $SOCKET_DIR
    38  chmod 1777 $SOCKET_DIR
[...]
    47  if [ -e $ICE_DIR ] && [ ! -d $ICE_DIR ]; then
    48    mv $ICE_DIR $ICE_DIR.$$
    49  fi
    50  mkdir -p $ICE_DIR
    51  chown root:root $ICE_DIR
    52  chmod 1777 $ICE_DIR

If a local user is able to place a symlink before the service starts (for example before the package installation process), he could gain root privileges.

For example, the symlink would point to an arbitrary directory (/etc), so it won't match the conditions (lines 33 and 47) and the arbitrary directory will get its permissions changed (lines 38 and 52).

As a solution, I would suggest taking care of the "mkdir" return codes (lines 36 and 50), so as not to change permissions on failure.

Thanks.
--
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu
--- End Message ---

--- Begin Message ---
Source: xorg
Source-Version: 1:7.6+12

We believe that the bug you reported is fixed in the latest version of xorg, which is due to be installed in the Debian FTP archive:

x11-common_7.6+12_all.deb
  to main/x/xorg/x11-common_7.6+12_all.deb
xbase-clients_7.6+12_all.deb
  to main/x/xorg/xbase-clients_7.6+12_all.deb
xorg-dev_7.6+12_all.deb
  to main/x/xorg/xorg-dev_7.6+12_all.deb
xorg_7.6+12.dsc
  to main/x/xorg/xorg_7.6+12.dsc
xorg_7.6+12.tar.gz
  to main/x/xorg/xorg_7.6+12.tar.gz
xorg_7.6+12_amd64.deb
  to main/x/xorg/xorg_7.6+12_amd64.deb
xserver-xorg-input-all_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg-input-all_7.6+12_amd64.deb
xserver-xorg-video-all_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg-video-all_7.6+12_amd64.deb
xserver-xorg_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg_7.6+12_amd64.deb
xutils_7.6+12_all.deb
  to main/x/xorg/xutils_7.6+12_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 661...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau (supplier of updated xorg package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 03 Mar 2012 18:54:30 +0100
Source: xorg
Binary: x11-common xserver-xorg xserver-xorg-video-all xserver-xorg-input-all xorg xorg-dev xbase-clients xutils
Architecture: source all amd64
Version: 1:7.6+12
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force
Changed-By: Julien Cristau
Description:
 x11-common - X Window System (X.Org) infrastructure
 xbase-clients - miscellaneous X clients - metapackage
 xorg - X.Org X Window System
 xorg-dev - X.Org X Window System development libraries
 xserver-xorg - X.Org X server
 xserver-xorg-input-all - X.Org X server -- input driver metapackage
 xserver-xorg-video-all - X.Org X server -- output driver metapackage
 xutils - X Window System utility programs metapackage
Closes: 661627
Changes:
 xorg (1:7.6+12) unstable; urgency=high
 .
   * Fix unsafe manipulation of /tmp/.X11-unix and /tmp/.ICE-unix in the
     x11-common init script. A malicious user could trick us into changing
     ownership/permissions of an arbitrary directory, and elevate their
     privileges (closes: #661627). Reference: CVE-2012-1093. Thanks to
     "vladz", Tim Morgan and Bernhard R. Link for their help getting this
     right (any remaining bugs are my own).
Checksums-Sha1:
 c16d4bbe3abfa9eda5c9ebdc5d6920c785e0d323 1957 xorg_7.6+12.dsc
 50d7a6e2bc7026d876de63cec2ba10f0659eb587 922670 xorg_7.6+12.tar.gz
 d5296c059e6d101b063e6923226538e
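A race-resistant way to do what lines 33-38 of the script quoted in Bug#661627 attempt, as an added example: this is not the change that went into xorg 1:7.6+12, whose x11-common.init diff does not appear on this page. It assumes GNU coreutils (stat -c, mktemp -u) and a sticky parent directory such as /tmp; the function name set_up_dir and its numeric UID:GID argument are hypothetical, the latter so the function can be exercised without root.

```shell
#!/bin/sh
# set_up_dir DIR [UID:GID]  -- owner defaults to 0:0 (root:root).
# Never runs chown/chmod on a path unless DIR is known to be a real
# directory that we created or that already belongs to the expected owner.
set_up_dir() {
    dir=$1
    owner=${2:-0:0}
    tries=0
    while [ "$tries" -lt 5 ]; do
        tries=$((tries + 1))
        # Plain mkdir (no -p) fails with EEXIST on any existing name,
        # symlinks included, so success means we made a fresh directory.
        if mkdir -m 1777 "$dir" 2>/dev/null; then
            chown "$owner" "$dir" && chmod 1777 "$dir"
            return
        fi
        # GNU stat reports on the name itself; it follows links only with -L.
        case "$(LC_ALL=C stat -c '%F %u:%g' "$dir" 2>/dev/null)" in
            "directory $owner")
                # Real directory with the expected owner: in a sticky parent
                # no other user can rename or replace it, so chmod is safe.
                chmod 1777 "$dir"
                return
                ;;
            "")
                # Name vanished between mkdir and stat, or mkdir failed for
                # another reason (read-only fs): retry, then give up.
                :
                ;;
            *)
                # Symlink, regular file or foreign-owned directory: rename
                # the name out of the way (a link is moved, not followed).
                mv "$dir" "$(mktemp -u "$dir.XXXXXX")" || return 1
                ;;
        esac
    done
    return 1
}
```

Called as `set_up_dir /tmp/.X11-unix` from a root init script, a planted symlink ends up renamed next to the new directory and its target is left untouched.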
xorg: Changes to 'debian-unstable'
debian/changelog| 16 +++ debian/copyright| 59 +-- debian/scripts/debconf-updatepo | 197 3 files changed, 62 insertions(+), 210 deletions(-) New commits: commit 2839fa6f4314574ec28ca33d212f2411be13ded4 Author: Julien Cristau Date: Sat Mar 3 19:30:23 2012 +0100 Update debian/copyright Update debian/copyright to - add missing copyright statements - add missing license notes - not pretend the Debian and Ubuntu packages have different copyright status; parts of the package are copyright Canonical, others are copyright by various Debian folks. Still unclear if the "Copyright Software in the Public Interest, Inc." bits make sense, so leave them in for now. Closes: #630830. diff --git a/debian/changelog b/debian/changelog index fd0d9ca..2fd4c0c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,15 @@ xorg (1:7.6+13) UNRELEASED; urgency=low * Drop debian/scripts/debconf-updatepo, it looks like we're not using it anymore. + * Update debian/copyright to +- add missing copyright statements +- add missing license notes +- not pretend the Debian and Ubuntu packages have different copyright + status; parts of the package are copyright Canonical, others are + copyright by various Debian folks. +Still unclear if the "Copyright Software in the Public Interest, Inc." +bits make sense, so leave them in for now. +Closes: #630830. -- Julien Cristau Sat, 03 Mar 2012 19:16:19 +0100 diff --git a/debian/copyright b/debian/copyright index 54fc777..572288a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,11 +1,6 @@ Source Package: xorg -Debian/Ubuntu package author(s): Branden Robinson, Fabio M. Di Nitto, Daniel - Stone. - -Canonical Ltd. copyright(s)/license(s): - -Unless otherwise noted, all modifications and additions to X.Org found in -this Ubuntu package bear the following copyright and license terms: +Debian/Ubuntu package authors: Branden Robinson, Fabio M. Di Nitto, Daniel + Stone and others Copyright 2004-2005 Canonical Ltd. 
@@ -32,12 +27,6 @@ used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from Canonical Ltd. --- - -Debian copyright(s)/license(s): - -Unless otherwise noted, all modifications and additions to X.Org found in -this Debian package bear the following copyright and license terms: - Copyright 1996-2002 Software in the Public Interest, Inc. Permission is hereby granted, free of charge, to any person obtaining a 
@@ -62,3 +51,47 @@ Except as contained in this notice, the name of Software in the Public Interest, Inc. shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from Software in the Public Interest, Inc. + + +Copyright 1998-2007 Branden Robinson . +Copyright 2000, 2003, 2004 Progeny Linux Systems, Inc. +Copyright 1996 Stephen Early +Copyright 1997 Mark Eichin +Copyright 2005 David Nusinow + +This is free software; you may redistribute it and/or modify +it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2, +or (at your option) any later version. + +This is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License with +the Debian operating system, in /usr/share/common-licenses/GPL; if +not, write to the Free Software Foundation, Inc., 59 Temple Place, +Suite 330, Boston, MA 02111-1307 USA + + +© 2010-2011 Cyril Brulebois + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE +AUTHORS OR COPYRIG
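Review bot: the GPL notice added at the end of debian/copyright (the block starting "Copyright 1998-2007 Branden Robinson") carries the FSF's former postal address, "59 Temple Place, Suite 330, Boston, MA 02111-1307 USA", which lintian reports as old-fsf-address-in-copyright-file; use the current address or a pointer to the licenses page instead. Since the changelog entry itself says it is "still unclear" whether the Software in the Public Interest notice makes sense, it would also help to state which files each of the notices in the file covers, so that question can be settled later without re-auditing the whole package.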
xorg_7.6+12_amd64.changes ACCEPTED into unstable
Accepted:
x11-common_7.6+12_all.deb
  to main/x/xorg/x11-common_7.6+12_all.deb
xbase-clients_7.6+12_all.deb
  to main/x/xorg/xbase-clients_7.6+12_all.deb
xorg-dev_7.6+12_all.deb
  to main/x/xorg/xorg-dev_7.6+12_all.deb
xorg_7.6+12.dsc
  to main/x/xorg/xorg_7.6+12.dsc
xorg_7.6+12.tar.gz
  to main/x/xorg/xorg_7.6+12.tar.gz
xorg_7.6+12_amd64.deb
  to main/x/xorg/xorg_7.6+12_amd64.deb
xserver-xorg-input-all_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg-input-all_7.6+12_amd64.deb
xserver-xorg-video-all_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg-video-all_7.6+12_amd64.deb
xserver-xorg_7.6+12_amd64.deb
  to main/x/xorg/xserver-xorg_7.6+12_amd64.deb
xutils_7.6+12_all.deb
  to main/x/xorg/xutils_7.6+12_all.deb

Override entries for your package:
x11-common_7.6+12_all.deb - optional x11
xbase-clients_7.6+12_all.deb - optional x11
xorg-dev_7.6+12_all.deb - optional x11
xorg_7.6+12.dsc - source x11
xorg_7.6+12_amd64.deb - optional x11
xserver-xorg-input-all_7.6+12_amd64.deb - optional x11
xserver-xorg-video-all_7.6+12_amd64.deb - optional x11
xserver-xorg_7.6+12_amd64.deb - optional x11
xutils_7.6+12_all.deb - optional x11

Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 661627

Thank you for your contribution to Debian.