Fwd: [Xpert]XFree86 4.2.1 update release and Xlib security problem

Jeroen Coumans jeroencoumans at gmx.net
Thu Sep 5 04:51:36 PDT 2002

FYI the patch is only 54kb gzip.

----------  Forwarded Message  ----------

Subject: [Xpert]XFree86 4.2.1 update release and Xlib security problem
Date: Wed, 4 Sep 2002 21:40:32 -0400
From: David Dawes <dawes at XFree86.Org>
To: xpert at xfree86.org

XFree86 4.2.1 is now available.  This is an update release, intended
primarily to address some security issues.  Release notes can be found
at <http://www.xfree86.org/4.2.1/RELNOTES.html>, and other information
can be found at <http://www.xfree86.org/4.2.1/README.html> and
<http://www.xfree86.org/4.2.1/Install.html>.  A summary of security
updates can be found at <http://www.xfree86.org/security/>.  XFree86
4.2.1 is available at <ftp://ftp.xfree86.org/pub/XFree86/4.2.1/>.

The main security problem that prompted this release is a vulnerability
in the Xlib modular i18n support that was added in XFree86 4.2.0.  It
makes it possible to cause a privileged Xlib client to load and execute
arbitrary code.  In the worst case this can be exploited locally to
obtain a root shell.

Releases of XFree86 prior to 4.2.0 do not have this problem.  The
XFree86 CVS trunk and xf-4_2-branch have this fixed as of today.  A
patch for 4.2.0 correcting just this problem can be found at

David Dawes
Release Engineer/Architect                      The XFree86 Project


Jeroen Coumans