-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:199 http://www.mandriva.com/security/ _______________________________________________________________________ Package : libx11 Date : November 6, 2006 Affected: 2007.0 _______________________________________________________________________ Problem Description: The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor. Updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5397 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: ed3642c63b1640928ebd8e997da0fd1e 2007.0/i586/libx11_6-1.0.3-2.1mdv2007.0.i586.rpm 9bf6292e8d6c030b0304efc06912cb5c 2007.0/i586/libx11_6-devel-1.0.3-2.1mdv2007.0.i586.rpm 095b10889206e2c6b012eca03547e6c0 2007.0/i586/libx11_6-static-devel-1.0.3-2.1mdv2007.0.i586.rpm fa6548ef7176c5a6e460ef9fffe077cd 2007.0/i586/libx11-common-1.0.3-2.1mdv2007.0.i586.rpm 968b2c951219986d64411b8c893463af 2007.0/SRPMS/libx11-1.0.3-2.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: d32213d0ffd578d1bcc559557ce9a56d 2007.0/x86_64/lib64x11_6-1.0.3-2.1mdv2007.0.x86_64.rpm a93c8ea58f95f84d339f84a71476cf52 2007.0/x86_64/lib64x11_6-devel-1.0.3-2.1mdv2007.0.x86_64.rpm 0209595d4383b158efd2156f92f3fa89 2007.0/x86_64/lib64x11_6-static-devel-1.0.3-2.1mdv2007.0.x86_64.rpm 498a8fb81c8f94b708467b112deae6be 2007.0/x86_64/libx11-common-1.0.3-2.1mdv2007.0.x86_64.rpm 968b2c951219986d64411b8c893463af 2007.0/SRPMS/libx11-1.0.3-2.1mdv2007.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFT8mGmqjQ0CJFipgRAnxQAJ4uXFcmiod3UYKMQwUTu7rxLZa09wCfU11h 2VIRgKL/chUG7QNW45yZhmc= =L/v3 -----END PGP SIGNATURE-----