From owner-cvs-all Wed Sep 13 12: 9:40 2000
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 26F1937B422; Wed, 13 Sep 2000 12:09:37 -0700 (PDT)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id MAA39263;
	Wed, 13 Sep 2000 12:09:37 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 13 Sep 2000 12:09:37 -0700 (PDT)
From: Kris Kennaway
To: Ade Lovett
Cc: Yukihiro Nakai, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/x11/gdm - Imported sources
In-Reply-To: <20000913111908.T61662@FreeBSD.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 13 Sep 2000, Ade Lovett wrote:

> On Thu, Sep 14, 2000 at 01:07:02AM +0900, Yukihiro Nakai wrote:
> > Sorry I didn't know it's still such a headache.
> >
> > I think many users want to use gdm even if it works only on
> > standalone machine so how is to set it broken and warn to users
> > it's very exploitable, or should I delete all until the more secure
> > gdm will be released?
>
> At the bare minimum, I would suggest doing something similar to
> ports/x11/XFree86-4, which pops up a dialog box warning that
> gdm may contain vulnerabilities leading to local root compromise
> (I don't think it was ever remote-rootable, but I could be wrong).

I believe it was, if configured to listen on the network. I'm not sure if
that is the default or not. Probably the thing to do is to check the
bugtraq archives for known problems and/or the linux security advisories
about it, and then make an appropriate warning.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe