The X.Org X wrapper (xserver-wrapper.c) in Debian GNU/Linux and Ubuntu
Linux does not properly verify the TTY of a user who is starting X, which
allows local users to bypass intended access restrictions by associating
stdin with a file that is misinterpreted as the console TTY.
jdstrand> requires pty access. In combination with CVE-2011-4029 this becomes
more important, but that CVE is fixed in Ubuntu.
mdeslaur> Debian fixed this by dropping support for alternate TTY devices,
mdeslaur> which we need for upstart support. See changelog for
mdeslaur> (1:7.4~2ubuntu2) and (1:7.4~4).
Updated: 2015-10-17 03:37:08 UTC (commit 10086)