Slackware 8.1 XFree 4.2 Security Announcements

Hi LWN.net-Team,

I just discovered that there are updated XFree86 4.2 packages for
Slackware Linux 8.1. From the Changelog:

Wed Sep  4 19:20:44 PDT 2002
patches/packages/kernel-modules-2.4.18-i386-5.tgz:  Updated XFree86 DRI
  modules in /lib/modules/2.4.18/kernel/drivers/char/drm/.
patches/packages/xfree86-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-devel-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-docs-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-docs-html-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-xnest-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-xprt-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-xvfb-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.

These are new XFree86 4.2.1 packages for Slackware 8.1.  Note that among the
changes are these security patches (from the RELNOTES):

  2.1  Security

     o  Fix a zlib bug that may have security implications on some platforms.

     o  MIT-SHM update to not access SHM segments that the client doesn't have
        sufficient privileges to access.

     o  Fix an Xlib problem that made it possible to load (and execute) arbi-
        trary code in privileged clients.

The first issue (zlib) was already patched in Slackware prior to the release
of 8.1, but these other two fixes are new.  The Xlib issue in particular can
be locally exploited to gain root access through setuid root binaries linked
with libX11.

Note that there are no changes to the fonts packages (xfree86-fonts-*.tgz),
and the xfree86-fonts packages released with Slackware 8.1 should continue
to be used.

(* Security fix *)

Maybe this news is worth a posting? Anyway - your site is the best!

Michael
m.sprinzl@chello.at

Too many people spend money they haven't earned, to buy things they don't want, to impress people they don't like. --- Will Rogers 1879