Debian Security Advisory

XFree86 -- symbolic link can be used to make any file world readable

Date Reported:
31 Mar 1999
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 326.
In Mitre's CVE dictionary: CVE-1999-0433.
More information:
Some versions of the X windowing system will make /tmp/.X11-unix world readable, even if that location is a symbolic link to another file on the system. Debian 2.1 (slink) is not affected by this problem.

It appears that the bug was originally reported for a NetBSD system on Packetstorm - March 1999 exploits, the page has a reference showing that Linux is also vulnerable. Additionally, SUSE Security Announcement for this vulnerability is available on this BugTraq list - 1999 Mar (0216) page.