[Security Announce] [ MDKSA-2006:199 ] - Updated libx11 packages fix file descriptor leak vulnerability
Posted on: 11/07/2006 04:05 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:199
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libx11
Date : November 6, 2006
Affected: 2007.0
_______________________________________________________________________

Problem Description:

The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and
1.0.3 opens a file for reading twice using the same file descriptor,
which causes a file descriptor leak that allows local users to read
files specified by the XCOMPOSEFILE environment variable via the
duplicate file descriptor.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5397
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
ed3642c63b1640928ebd8e997da0fd1e 2007.0/i586/libx11_6-1.0.3-2.1mdv2007.0.i586.rpm
9bf6292e8d6c030b0304efc06912cb5c 2007.0/i586/libx11_6-devel-1.0.3-2.1mdv2007.0.i586.rpm
095b10889206e2c6b012eca03547e6c0 2007.0/i586/libx11_6-static-devel-1.0.3-2.1mdv2007.0.i586.rpm
fa6548ef7176c5a6e460ef9fffe077cd 2007.0/i586/libx11-common-1.0.3-2.1mdv2007.0.i586.rpm
968b2c951219986d64411b8c893463af 2007.0/SRPMS/libx11-1.0.3-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
d32213d0ffd578d1bcc559557ce9a56d 2007.0/x86_64/lib64x11_6-1.0.3-2.1mdv2007.0.x86_64.rpm
a93c8ea58f95f84d339f84a71476cf52 2007.0/x86_64/lib64x11_6-devel-1.0.3-2.1mdv2007.0.x86_64.rpm
0209595d4383b158efd2156f92f3fa89 2007.0/x86_64/lib64x11_6-static-devel-1.0.3-2.1mdv2007.0.x86_64.rpm
498a8fb81c8f94b708467b112deae6be 2007.0/x86_64/libx11-common-1.0.3-2.1mdv2007.0.x86_64.rpm
968b2c951219986d64411b8c893463af 2007.0/SRPMS/libx11-1.0.3-2.1mdv2007.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFT8mGmqjQ0CJFipgRAnxQAJ4uXFcmiod3UYKMQwUTu7rxLZa09wCfU11h
2VIRgKL/chUG7QNW45yZhmc=
=L/v3
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006199__updated_libx11_packages_fix_file_descriptor_leak_vulnerability.html)