Security update to X11, -current only

Franklin · 03-20-2006, 07:51 PM

Just an FYI.

Those running -current with the new X11 will need to update due to security issues.

http://www.slackware.org/changelog/current.php?cpu=i386

stable is not affected.

gravityworks · 03-20-2006, 10:02 PM

well this xorg upgrade went very wrong for me..after the upgrade i couldn't log into kde as user ,but could as root..not sure if this is just a problem with my setup or something screwy with this xorg update..luckely i have a spare slack install,just for when things go bad in current..anybody else experience this?

kodon · 03-21-2006, 12:43 AM

yeah. Xorg isn't suid in the new package...
i just manually chmod'ed it

bird603568 · 03-21-2006, 12:50 AM

yep i haf to down grade to 10.2 then down grade kde but you are right it isnt setuided

gravityworks · 03-21-2006, 12:56 AM

okay great,thanks for the responses Kodon and bird603568..was starting to second guess myself,thought i might have done something wrong..i guess this is just parr for the coarse when playing with current..sometimes(although very rare)things don't work out like they should.

willysr · 03-21-2006, 04:18 AM

what file/directory that should be chmod'ed??
i will try to upgrade it today

Speek · 03-21-2006, 04:42 AM

chmod u+s /usr/X11R6/bin/Xorg

willysr · 03-21-2006, 04:46 AM

thanks, that will makes my upgrade simpler

chess · 03-21-2006, 06:50 AM

Please let Pat V. know about these problems.

willysr · 03-21-2006, 06:48 PM

i have done it just now
Thanks for the solution. It worked like charm

willysr · 03-21-2006, 07:00 PM

Here's Pat reply :

Quote:

Thanks, this is fixed already but not at all mirrors (along with a
looooong explanation/excuse in the ChangeLog ;-)

and here's the new Changelog

Quote:

Tue Mar 21 11:17:27 CST 2006
x/x11-6.9.0-i486-3.tgz: Fixed /usr/X11R6/bin/Xorg, which due to being not
setuid root could not be used by non-root users. Thanks to the many people
who reported this issue. I tracked it down to a new (or rather, back again)
behavior of "chown", which is removing the suid/sgid bits from any file that
it touches. I remember this same situation from the old days, and it's
why many of the older package builds use a package skeleton and then install
binaries using "cat" -- this prevents the changing of the permissions.
If I recall correctly, "strip" also used to do this. Looking in the kernel
source, I see some mention in fs/open.c about doing this as a safety feature.
IMO, it doesn't seem like the right thing to do, though. If I want chmod,
I'll use it, thank you. However, it looks like the feature was added years
ago, and I have no idea why it has just recently kicked in. I've gone back
and tested on a Slackware 10.2 box, and it's also showing the same effects
with "chown", so it seems to me that this sort of breakage should have
been happening when the x11*-6.9.0-i486-1.tgz packages were built, too,
but Xorg was properly setuid in that package set. I tried dropping back
to the previous coreutils, and this also didn't help. It's a mystery.
Anyway, my first thought was to simply move the "chmod 4711" on Xorg to
after the last "chown" in the build script, but decided that the best way
to handle this is to begin phasing out the use of the "bin" group on
binaries and binary directories. There was never any use to this ever, so
far as I can tell. I think someone working on the FHS just thought that
root:bin looked nicer, or something. ;-) Most distributions install
binaries as root:root now anyway, and the latest standards no longer
require root:bin. Since it doesn't matter, don't expect everything to
change all at once -- don't send bug reports concerning files or
directories that "should be" root:bin or root:root. We will move away
from root:bin to root:root as new packages are built.
I sure hope "strip" doesn't start acting up next...
x/x11-devel-6.9.0-i486-3.tgz: Rebuilt. Really, there was no need to rebuild
this or the below packages, but I like a consistent build number when it's
not too much trouble to have it.
x/x11-docs-6.9.0-noarch-3.tgz: Rebuilt.
x/x11-docs-html-6.9.0-noarch-3.tgz: Rebuilt.
x/x11-fonts-100dpi-6.9.0-noarch-3.tgz: Rebuilt.
x/x11-fonts-cyrillic-6.9.0-noarch-3.tgz: Rebuilt.
x/x11-fonts-misc-6.9.0-noarch-3.tgz: Rebuilt.
x/x11-fonts-scale-6.9.0-noarch-3.tgz: Rebuilt.
x/x11-xdmx-6.9.0-i486-3.tgz: Recompiled.
x/x11-xnest-6.9.0-i486-3.tgz: Recompiled.
x/x11-xvfb-6.9.0-i486-3.tgz: Recompiled.
+--------------------------+

Franklin · 03-21-2006, 07:28 PM

Very odd. I did not have a problem at all ...

Just checked and I used the pre-fix version. I wonder if its only an issue with 2.6 kernels. Don't know what everyone else is using kernel-wise in this thread. I have not upgraded my 2.6.15.6 box yet. Time to try and break something

Everything fine on 2.6 box too. Weird

willysr · 03-21-2006, 07:34 PM

i don't know whether i'm infected or not, since i apply the solution after i upgraded my Xorg packages, but as far as i know, it worked and Pat has also received some reports that the new Xorg packages was broken

bird603568 · 03-21-2006, 08:16 PM

Quote:

Originally Posted by willysr

i don't know whether i'm infected or not, since i apply the solution after i upgraded my Xorg packages, but as far as i know, it worked and Pat has also received some reports that the new Xorg packages was broken

infected? What do you mean by infected

willysr · 03-22-2006, 12:17 AM

i mean 'affected' by the bugs