Bug 10565

Summary: Multiple vulnerabilities in X.Org (Mageia 3)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lewyssmith, rverschelde, sysadmin-bugs, thierry.vignaud, tmb, wilcal.int
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/551694/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Source RPM: CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 10105    

Description David Walser 2013-06-19 20:10:23 CEST 
This is a bug for QA to release the X.org security update for Mageia 3.

The main bug for these security issues is Bug 10105.

Most of the security issues are listed in this upstream advisory:
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23

There was an additional CVE for Mesa, announced in this RedHat advisory:
https://rhn.redhat.com/errata/RHSA-2013-0897.html

which was taken from http://lwn.net/Vulnerabilities/552862/

A full advisory for this update will be posted here later.

For the package list, first, here is the list of SRPMs:
libdmx-1.1.3-1.mga3.src.rpm
libfs-1.0.5-1.mga3.src.rpm
libx11-1.5.99.902-1.mga3.src.rpm
libxcb-1.9.1-1.mga3.src.rpm
libxcursor-1.1.14-1.mga3.src.rpm
libxext-1.3.2-1.mga3.src.rpm
libxfixes-5.0.1-1.mga3.src.rpm
libxi-1.6.2.901-1.mga3.src.rpm
libxinerama-1.1.3-1.mga3.src.rpm
libxp-1.0.2-1.mga3.src.rpm
libxrandr-1.4.1-1.mga3.src.rpm
libxrender-0.9.8-1.mga3.src.rpm
libxres-1.0.7-1.mga3.src.rpm
libxt-1.1.4-1.mga3.src.rpm
libxtst-1.2.2-1.mga3.src.rpm
libxv-1.0.8-1.mga3.src.rpm
libxvmc-1.0.8-1.mga3.src.rpm
libxxf86dga-1.1.4-1.mga3.src.rpm
libxxf86vm-1.1.3-1.mga3.src.rpm
mesa-9.1.3-1.1.mga3.src.rpm
x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

Here is the full list of RPMs:
libxi6-1.6.2.901-1.mga3
libxi-devel-1.6.2.901-1.mga3
libxi-static-devel-1.6.2.901-1.mga3
x11-driver-video-openchrome-0.3.3-1.mga3
libdmx1-1.1.3-1.mga3
libdmx-devel-1.1.3-1.mga3
libdmx-static-devel-1.1.3-1.mga3
libfs6-1.0.5-1.mga3
libfs-devel-1.0.5-1.mga3
libfs-static-devel-1.0.5-1.mga3
libxfixes3-5.0.1-1.mga3
libxfixes3-devel-5.0.1-1.mga3
libxfixes3-static-devel-5.0.1-1.mga3
libxcursor1-1.1.14-1.mga3
libxcursor-devel-1.1.14-1.mga3
libxcursor-static-devel-1.1.14-1.mga3
libxp6-1.0.2-1.mga3
libxp-devel-1.0.2-1.mga3
libxp-static-devel-1.0.2-1.mga3
libxt6-1.1.4-1.mga3
libxt-devel-1.1.4-1.mga3
libxt-static-devel-1.1.4-1.mga3
libxres1-1.0.7-1.mga3
libxres1-devel-1.0.7-1.mga3
libxres1-static-devel-1.0.7-1.mga3
libxxf86vm1-1.1.3-1.mga3
libxxf86vm-devel-1.1.3-1.mga3
libxxf86vm-static-devel-1.1.3-1.mga3
libxxf86dga1-1.1.4-1.mga3
libxxf86dga-devel-1.1.4-1.mga3
libxxf86dga-static-devel-1.1.4-1.mga3
libxcb1-1.9.1-1.mga3
libxcb-devel-1.9.1-1.mga3
libxcb-static-devel-1.9.1-1.mga3
libxcb-doc-1.9.1-1.mga3
libxcb-composite0-1.9.1-1.mga3
libxcb-damage0-1.9.1-1.mga3
libxcb-dpms0-1.9.1-1.mga3
libxcb-dri2_0-1.9.1-1.mga3
libxcb-glx0-1.9.1-1.mga3
libxcb-randr0-1.9.1-1.mga3
libxcb-record0-1.9.1-1.mga3
libxcb-render0-1.9.1-1.mga3
libxcb-res0-1.9.1-1.mga3
libxcb-screensaver0-1.9.1-1.mga3
libxcb-shape0-1.9.1-1.mga3
libxcb-shm0-1.9.1-1.mga3
libxcb-sync0-1.9.1-1.mga3
libxcb-xevie0-1.9.1-1.mga3
libxcb-xf86dri0-1.9.1-1.mga3
libxcb-xfixes0-1.9.1-1.mga3
libxcb-xinerama0-1.9.1-1.mga3
libxcb-xprint0-1.9.1-1.mga3
libxcb-xtest0-1.9.1-1.mga3
libxcb-xv0-1.9.1-1.mga3
libxcb-xvmc0-1.9.1-1.mga3
libxinerama1-1.1.3-1.mga3
libxinerama1-devel-1.1.3-1.mga3
libxinerama1-static-devel-1.1.3-1.mga3
libxtst6-1.2.2-1.mga3
libxtst6-devel-1.2.2-1.mga3
libxtst6-static-devel-1.2.2-1.mga3
libxv1-1.0.8-1.mga3
libxv1-devel-1.0.8-1.mga3
libxv1-static-devel-1.0.8-1.mga3
libxrandr2-1.4.1-1.mga3
libxrandr2-devel-1.4.1-1.mga3
libxrandr2-static-devel-1.4.1-1.mga3
libxext6-1.3.2-1.mga3
libxext6-devel-1.3.2-1.mga3
libxext6-static-devel-1.3.2-1.mga3
libx11_6-1.6.0-1.mga3
libx11_6-devel-1.6.0-1.mga3
libx11_6-static-devel-1.6.0-1.mga3
libx11-common-1.6.0-1.mga3
libx11-doc-1.6.0-1.mga3
libxrender1-0.9.8-1.mga3
libxrender1-devel-0.9.8-1.mga3
libxrender1-static-devel-0.9.8-1.mga3
libxvmc1-1.0.8-1.mga3
libxvmc1-devel-1.0.8-1.mga3
libxvmc1-static-devel-1.0.8-1.mga3
mesa-9.1.3-1.1.mga3
libdricore1-9.1.3-1.1.mga3
libdricore1-devel-9.1.3-1.1.mga3
libmesagl1-9.1.3-1.1.mga3
libdri-drivers-9.1.3-1.1.mga3
libmesagl1-devel-9.1.3-1.1.mga3
libmesaegl1-9.1.3-1.1.mga3
libmesaegl1-devel-9.1.3-1.1.mga3
libosmesa8-9.1.3-1.1.mga3
libosmesa-devel-9.1.3-1.1.mga3
libglapi0-9.1.3-1.1.mga3
libglapi0-devel-9.1.3-1.1.mga3
libmesaglesv1_1-9.1.3-1.1.mga3
libmesaglesv1_1-devel-9.1.3-1.1.mga3
libmesaglesv2_2-9.1.3-1.1.mga3
libmesaglesv2_2-devel-9.1.3-1.1.mga3
libmesaopenvg1-9.1.3-1.1.mga3
libmesaopenvg1-devel-9.1.3-1.1.mga3
libllvmradeon9.1.3-9.1.3-1.1.mga3
libgbm1-9.1.3-1.1.mga3
libgbm1-devel-9.1.3-1.1.mga3
libwayland-egl1-9.1.3-1.1.mga3
libwayland-egl1-devel-9.1.3-1.1.mga3
libvdpau-driver-nouveau-9.1.3-1.1.mga3
libvdpau-driver-r300-9.1.3-1.1.mga3
libvdpau-driver-r600-9.1.3-1.1.mga3
libvdpau-driver-radeonsi-9.1.3-1.1.mga3
libvdpau-driver-softpipe-9.1.3-1.1.mga3
mesa-common-devel-9.1.3-1.1.mga3

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-19 20:10:54 CEST

CC: (none) => thierry.vignaud
Blocks: (none) => 10105

Comment 1 Thomas Backlund 2013-06-19 20:15:22 CEST 
mesa for tainted repos need to be submitted too

CC: (none) => tmb

Comment 2 David Walser 2013-06-19 20:20:18 CEST 
(In reply to Thomas Backlund from comment #1)
> mesa for tainted repos need to be submitted too

Welcome back Thomas!  :o)

Thanks, it's building in tainted right now.
Comment 3 David Walser 2013-06-19 21:24:55 CEST 
Advisory:
========================

Updated X.org packages fix security vulnerabilities:

Ilja van Sprundel of IOActive discovered several security issues in multiple
components of the X.org graphics stack and the related libraries: Various
integer overflows, sign handling errors in integer conversions, buffer
overflows, memory corruption and missing input sanitising may lead to
privilege escalation or denial of service (CVE-2013-1981, CVE-2013-1982,
CVE-2013-1983, CVE-2013-1984, CVE-2013-1985, CVE-2013-1986, CVE-2013-1987,
CVE-2013-1988, CVE-2013-1989, CVE-2013-1990, CVE-2013-1991, CVE-2013-1992,
CVE-2013-1993, CVE-2013-1994, CVE-2013-1995, CVE-2013-1996, CVE-2013-1997,
CVE-2013-1998, CVE-2013-1999, CVE-2013-2000, CVE-2013-2001, CVE-2013-2002,
CVE-2013-2003, CVE-2013-2004, CVE-2013-2005, CVE-2013-2062, CVE-2013-2063,
CVE-2013-2064, CVE-2013-2066).

An out-of-bounds access flaw was found in Mesa. If an application using
Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does
this), an attacker could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application (CVE-2013-1872).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1989
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1998
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2066
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
https://rhn.redhat.com/errata/RHSA-2013-0897.html
http://www.debian.org/security/2013/dsa-2673
http://www.debian.org/security/2013/dsa-2674
http://www.debian.org/security/2013/dsa-2675
http://www.debian.org/security/2013/dsa-2676
http://www.debian.org/security/2013/dsa-2677
http://www.debian.org/security/2013/dsa-2678
http://www.debian.org/security/2013/dsa-2679
http://www.debian.org/security/2013/dsa-2680
http://www.debian.org/security/2013/dsa-2681
http://www.debian.org/security/2013/dsa-2682
http://www.debian.org/security/2013/dsa-2683
http://www.debian.org/security/2013/dsa-2684
http://www.debian.org/security/2013/dsa-2685
http://www.debian.org/security/2013/dsa-2686
http://www.debian.org/security/2013/dsa-2687
http://www.debian.org/security/2013/dsa-2688
http://www.debian.org/security/2013/dsa-2689
http://www.debian.org/security/2013/dsa-2690
http://www.debian.org/security/2013/dsa-2691
http://www.debian.org/security/2013/dsa-2692
http://www.debian.org/security/2013/dsa-2693
David Walser 2013-06-19 21:30:55 CEST

Severity: normal => critical

Comment 4 William Kenney 2013-06-21 17:24:13 CEST 
MGA3-32-OK

mesa-demo update_testing ( teapot ) worked for me on:

Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte  GA-81915G Pro F4  i915G  LGA 775  MoBo
 Marvel Yukon 88E8001 Gigabit LAN
 Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
 Intel Graphics Media Accelerator 900 (Intel 82915G)

CC: (none) => wilcal.int

Comment 5 Lewis Smith 2013-06-21 19:57:58 CEST 
MGA3-32-OK

This update does not seem to have caused me any problems. My system works as previously. Video h/w is on-board
 SiS 660 or 661 or 662
and the AMD Sempron processor does *not* have sse2 extensions.

CC: (none) => lewyssmith

Comment 6 William Kenney 2013-06-22 02:55:43 CEST 
MGA3-64-OK

mesa-demo update_testing ( teapot ) worked for me on:

nVidia driver installed and working
SandyBridge - Video editing machine
-----------------------------------
Intel Core i7-2600K Sandy Bridge 3.4GHz overclocked to 3.8GHz LGA 1155 95W
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 Intel Z68 SATA 6Gb/s USB 3.0 ATX Intel MB
GIGABYTE GV-N440D3-1GI GeForce GT 440 (Fermi) 1GB 128-bit DDR3 PCI Express 2.0 x16
RTL8111/8168B PCI Express 1Gbit Ethernet
CORSAIR Vengeance 16GB (4 x 4GB) 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800)
OCZ Vertex 4 VTX4-25SAT3-128G 2.5" 128GB SATA III
Sony Optiarc CD/DVD Burner Black SATA Model AD-7260S-0B
Thermaltake V9 BlacX Edition with Docking Station
Cooler Master Hyper 212 Plus CPU Cooler
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Logitech K520 Wireless USB Keyboard & Mouse

I tried it with Compiz Fusion installed, and turned on, and that worked too.
Comment 7 Rémi Verschelde 2013-06-23 13:49:00 CEST 
MGA3-32-OK, tested with several applications from mesa-demo (teapot, tunnel2, glxgears, etc.)

Video HW is on-board ATI Radeon Xpress 200M (RC410M), see Akien on our QA hardware list: https://wiki.mageia.org/en/QA_iso_hardware_list#Notebooks

Used driver in XFdrake is "ATI > Radeon HD 4870 and earlier".

CC: (none) => remi

Comment 8 Rémi Verschelde 2013-06-23 14:08:14 CEST 
(In reply to Rémi Verschelde from comment #7)
> MGA3-32-OK, tested with several applications from mesa-demo (teapot,
> tunnel2, glxgears, etc.)
> 
Tested both mesa from core/updates_testing and from tainted/updates_testing.
Comment 9 claire robinson 2013-06-25 08:53:53 CEST 
2 sets of srpms (core, tainted) 

libdmx-1.1.3-1.mga3.src.rpm
libfs-1.0.5-1.mga3.src.rpm
libx11-1.5.99.902-1.mga3.src.rpm
libxcb-1.9.1-1.mga3.src.rpm
libxcursor-1.1.14-1.mga3.src.rpm
libxext-1.3.2-1.mga3.src.rpm
libxfixes-5.0.1-1.mga3.src.rpm
libxi-1.6.2.901-1.mga3.src.rpm
libxinerama-1.1.3-1.mga3.src.rpm
libxp-1.0.2-1.mga3.src.rpm
libxrandr-1.4.1-1.mga3.src.rpm
libxrender-0.9.8-1.mga3.src.rpm
libxres-1.0.7-1.mga3.src.rpm
libxt-1.1.4-1.mga3.src.rpm
libxtst-1.2.2-1.mga3.src.rpm
libxv-1.0.8-1.mga3.src.rpm
libxvmc-1.0.8-1.mga3.src.rpm
libxxf86dga-1.1.4-1.mga3.src.rpm
libxxf86vm-1.1.3-1.mga3.src.rpm
mesa-9.1.3-1.1.mga3.src.rpm
x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

libdmx-1.1.3-1.mga3.tainted.src.rpm
libfs-1.0.5-1.mga3.tainted.src.rpm
libx11-1.5.99.902-1.mga3.tainted.src.rpm
libxcb-1.9.1-1.mga3.tainted.src.rpm
libxcursor-1.1.14-1.mga3.tainted.src.rpm
libxext-1.3.2-1.mga3.tainted.src.rpm
libxfixes-5.0.1-1.mga3.tainted.src.rpm
libxi-1.6.2.901-1.mga3.tainted.src.rpm
libxinerama-1.1.3-1.mga3.tainted.src.rpm
libxp-1.0.2-1.mga3.tainted.src.rpm
libxrandr-1.4.1-1.mga3.tainted.src.rpm
libxrender-0.9.8-1.mga3.tainted.src.rpm
libxres-1.0.7-1.mga3.tainted.src.rpm
libxt-1.1.4-1.mga3.tainted.src.rpm
libxtst-1.2.2-1.mga3.tainted.src.rpm
libxv-1.0.8-1.mga3.tainted.src.rpm
libxvmc-1.0.8-1.mga3.tainted.src.rpm
libxxf86dga-1.1.4-1.mga3.tainted.src.rpm
libxxf86vm-1.1.3-1.mga3.tainted.src.rpm
mesa-9.1.3-1.1.mga3.tainted.src.rpm
x11-driver-video-openchrome-0.3.3-1.mga3.tainted.src.rpm
Comment 10 claire robinson 2013-06-25 09:15:38 CEST 
Advisory uploaded.

Validating

Could sysadmin please push from 3 core and tainted updates testing to updates.

Thanks!

Keywords: (none) => validated_update
Whiteboard: (none) => has_procedure mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 11 claire robinson 2013-06-25 09:43:20 CEST 
Suspect the tainted srpm list is incorrect. 

Could somebody add the correct tainted srpm list please and I'll update the advisory.

Keywords: validated_update => (none)

Comment 12 David Walser 2013-06-25 11:59:01 CEST 
The only package also built in tainted is mesa, the rest are only in core.
mesa-9.1.3-1.1.mga3.src.rpm
Comment 13 David Walser 2013-06-25 12:11:29 CEST 
So from the RPMS list in Comment 0, they're all in core.  The following packages built from the Mesa SRPM are in both core and tainted.
mesa-9.1.3-1.1.mga3
libdricore1-9.1.3-1.1.mga3
libdricore1-devel-9.1.3-1.1.mga3
libmesagl1-9.1.3-1.1.mga3
libdri-drivers-9.1.3-1.1.mga3
libmesagl1-devel-9.1.3-1.1.mga3
libmesaegl1-9.1.3-1.1.mga3
libmesaegl1-devel-9.1.3-1.1.mga3
libosmesa8-9.1.3-1.1.mga3
libosmesa-devel-9.1.3-1.1.mga3
libglapi0-9.1.3-1.1.mga3
libglapi0-devel-9.1.3-1.1.mga3
libmesaglesv1_1-9.1.3-1.1.mga3
libmesaglesv1_1-devel-9.1.3-1.1.mga3
libmesaglesv2_2-9.1.3-1.1.mga3
libmesaglesv2_2-devel-9.1.3-1.1.mga3
libmesaopenvg1-9.1.3-1.1.mga3
libmesaopenvg1-devel-9.1.3-1.1.mga3
libllvmradeon9.1.3-9.1.3-1.1.mga3
libgbm1-9.1.3-1.1.mga3
libgbm1-devel-9.1.3-1.1.mga3
libwayland-egl1-9.1.3-1.1.mga3
libwayland-egl1-devel-9.1.3-1.1.mga3
libvdpau-driver-nouveau-9.1.3-1.1.mga3
libvdpau-driver-r300-9.1.3-1.1.mga3
libvdpau-driver-r600-9.1.3-1.1.mga3
libvdpau-driver-radeonsi-9.1.3-1.1.mga3
libvdpau-driver-softpipe-9.1.3-1.1.mga3
mesa-common-devel-9.1.3-1.1.mga3
Comment 14 claire robinson 2013-06-25 12:34:02 CEST 
So mesa-9.1.3-1.1.mga3.tainted then.

Sorry David, thanks for clarifying. I know you disagree on this from packaging perspective but we do need it this way from QA & sysadmin perspective :)

Revalidating. Amended advisory on svn.

Could sysadmin please push.

Thanks!

Keywords: (none) => validated_update

Comment 15 Nicolas Vigier 2013-06-26 20:35:19 CEST 
http://advisories.mageia.org/MGASA-2013-0186.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:56 CEST

CC: boklm => (none)