Debian Security Advisory

XFree86 -- symbolic link can be used to make any file world readable

Date Reported:
31 Mar 1999
Affected Packages:
none
Vulnerable:
No
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 326.
In Mitre's CVE dictionary: CVE-1999-0433.
More information:
Some versions of the X windowing system will make /tmp/.X11-unix world readable, even if that location is a symbolic link to another file on the system. Debian 2.1 (slink) is not affected by this problem.

It appears that the bug was originally reported for a NetBSD system on the Packetstorm - March 1999 exploits page, which also has a reference showing that Linux is vulnerable. Additionally, a SUSE Security Announcement for this vulnerability is available on the BugTraq list - 1999 Mar (0216) page.
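
The symlink problem described in this advisory, as an added C example (not XFree86 or Debian code): a path-based chmod() changes the file a symbolic link points to, while opening with O_NOFOLLOW and calling fchmod() on the descriptor refuses the link. The function names, the 0755 mode and the temporary paths are assumptions constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened: never follow a final symlink, require a directory, and change
 * the mode via the descriptor so the path cannot be swapped in between. */
int set_dir_mode_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* symlink or non-directory */
    int rc = (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) ? fchmod(fd, mode) : -1;
    close(fd);
    return rc;
}

static int perms(const char *p)        /* permission bits, or -1 on error */
{
    struct stat st;
    return stat(p, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed scenario: "target" is a protected file, "link" a symlink to
 * it, "dir" a real directory. Returns a bitmask of what was observed. */
int run_demo(void)
{
    char base[] = "/tmp/symdemoXXXXXX", t[64], l[64], d[64];
    int out = 0, fd;
    if (!mkdtemp(base)) return -1;
    snprintf(t, sizeof t, "%s/target", base);
    snprintf(l, sizeof l, "%s/link", base);
    snprintf(d, sizeof d, "%s/dir", base);
    if ((fd = open(t, O_CREAT | O_WRONLY, 0600)) < 0 || close(fd)) return -1;
    if (symlink(t, l) || mkdir(d, 0700)) return -1;
    /* bit 1: hardened call refuses the symlink, target stays 0600 */
    if (set_dir_mode_nofollow(l, 0755) == -1 && perms(t) == 0600) out |= 1;
    /* bit 2: hardened call still works on a real directory */
    if (set_dir_mode_nofollow(d, 0755) == 0 && perms(d) == 0755) out |= 2;
    /* bit 4: path-based chmod() follows the link and opens up the target */
    if (chmod(l, 0755) == 0 && perms(t) == 0755) out |= 4;
    unlink(l); unlink(t); rmdir(d); rmdir(base);
    return out;
}

int main(void) { printf("observations: %d\n", run_demo()); return 0; }
```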