Bug 10708

Summary: x11-server new security issue fixed upstream
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED WONTFIX
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 3
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/557791/
Whiteboard: feedback
Source RPM: x11-server-1.13.4-2.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-07-05 21:09:46 CEST
OpenSuSE has issued an advisory today (July 5):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html

They fixed a denial of service issue that also appears to have been fixed upstream around 1.14.0, and it is fixed in the version we have in Cauldron.

The issue, which is fixed with a one-liner patch, is described here:
https://bugzilla.novell.com/show_bug.cgi?id=815583

No CVEs are mentioned and I don't know if one was ever requested.

I wonder if Oden has access to the reproducer mentioned in the bug above.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

In the X.org x11-server, if a client sends a request larger than
maxBigRequestSize, the server is supposed to ignore it.  In some versions,
it instead attempts to gracefully ignore the request by remembering how
long the client specified the request to be, and ignoring that many bytes.
However, if a client sends a BigReq header with a large size and disconnects
before actually sending the rest of the specified request, the server will
reuse the ConnectionInput buffer without resetting the ignoreBytes field.
This makes the server ignore new X clients' requests, resulting in a denial
of service.

References:
http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.3.mga2
x11-server-devel-1.11.4-2.3.mga2
x11-server-common-1.11.4-2.3.mga2
x11-server-xorg-1.11.4-2.3.mga2
x11-server-xdmx-1.11.4-2.3.mga2
x11-server-xnest-1.11.4-2.3.mga2
x11-server-xvfb-1.11.4-2.3.mga2
x11-server-xephyr-1.11.4-2.3.mga2
x11-server-xfake-1.11.4-2.3.mga2
x11-server-xfbdev-1.11.4-2.3.mga2
x11-server-source-1.11.4-2.3.mga2
x11-server-1.13.4-2.1.mga3
x11-server-devel-1.13.4-2.1.mga3
x11-server-common-1.13.4-2.1.mga3
x11-server-xorg-1.13.4-2.1.mga3
x11-server-xdmx-1.13.4-2.1.mga3
x11-server-xnest-1.13.4-2.1.mga3
x11-server-xvfb-1.13.4-2.1.mga3
x11-server-xephyr-1.13.4-2.1.mga3
x11-server-xfake-1.13.4-2.1.mga3
x11-server-xfbdev-1.13.4-2.1.mga3
x11-server-source-1.13.4-2.1.mga3

from SRPMS:
x11-server-1.11.4-2.3.mga2.src.rpm
x11-server-1.13.4-2.1.mga3.src.rpm
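
The stale-state problem the advisory describes, as an added example that is not part of the original report and not the X server's own code: a simplified model of a recycled ConnectionInput buffer, with and without resetting ignoreBytes on reuse. The helper names, the single-slot pool and all sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_BIG_REQUEST_SIZE 4096u /* constructed; stands in for maxBigRequestSize */

/* Simplified stand-in for the per-client input buffer named in the advisory. */
typedef struct {
    size_t ignoreBytes; /* bytes of an oversized request still to discard */
} ConnectionInput;

static ConnectionInput pool_slot; /* one buffer recycled between clients */

/* Hand the recycled buffer to a new client; reset_on_reuse models the fix. */
static ConnectionInput *attach_client(int reset_on_reuse) {
    if (reset_on_reuse)
        pool_slot.ignoreBytes = 0;
    return &pool_slot;
}

/* Client announced req_len bytes and has sent `sent` of them so far. */
static void announce_request(ConnectionInput *ci, size_t req_len, size_t sent) {
    if (req_len > MAX_BIG_REQUEST_SIZE)
        ci->ignoreBytes = req_len - sent; /* remember what is left to skip */
}

/* Feed n bytes of client data; returns how many reach request dispatch. */
static size_t deliver(ConnectionInput *ci, size_t n) {
    size_t skip = ci->ignoreBytes < n ? ci->ignoreBytes : n;
    ci->ignoreBytes -= skip;
    return n - skip;
}

/* Advisory scenario: client A announces an oversized request, sends only the
 * header and disconnects; client B then gets the same buffer and sends 12
 * bytes. Returns how many of B's bytes are processed. Sizes are constructed. */
size_t bytes_processed_for_next_client(int reset_on_reuse) {
    pool_slot.ignoreBytes = 0;
    ConnectionInput *a = attach_client(reset_on_reuse);
    announce_request(a, 1u << 20, 8); /* A disconnects right after this */
    ConnectionInput *b = attach_client(reset_on_reuse);
    return deliver(b, 12);
}

int main(void) {
    printf("no reset:   %zu of 12 bytes processed\n", bytes_processed_for_next_client(0));
    printf("with reset: %zu of 12 bytes processed\n", bytes_processed_for_next_client(1));
    return 0;
}
```

Without the reset, the second client's data is counted against the first client's leftover ignoreBytes and never reaches dispatch; with it, all 12 bytes are processed.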

Comment 1 David Walser 2013-07-05 23:30:22 CEST
Inquiry about it getting a CVE.  We'll see.
http://openwall.com/lists/oss-security/2013/07/05/12
Comment 2 David Walser 2013-07-08 13:41:10 CEST
Sounds like the consensus is it's not an actual vulnerability:
http://openwall.com/lists/oss-security/2013/07/06/2
Comment 3 David Walser 2013-07-08 13:42:54 CEST
Does anyone have any strong feelings about this one?  We can still issue it as a bugfix update, or just leave the fix in SVN for if we issue another update to this package later.
Comment 4 claire robinson 2013-07-08 13:57:09 CEST
I'd vote for leave on svn. It's a patch worth having but is it worth an update on its own? Up to you really David. By its nature we're unlikely to find a PoC.
Comment 5 David Walser 2013-07-08 15:06:31 CEST
It doesn't sound like it's worth its own update.  Closing as WONTFIX.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX

Comment 6 claire robinson 2013-07-08 16:12:36 CEST
These will need to be removed from Testing medias.

SRPMS:
x11-server-1.11.4-2.3.mga2.src.rpm
x11-server-1.13.4-2.1.mga3.src.rpm

Could sysadmin please remove from 2 & 3 core/updates_testing.

Status: RESOLVED => REOPENED
CC: (none) => sysadmin-bugs
Resolution: WONTFIX => (none)

David Walser 2013-07-08 16:59:26 CEST

Whiteboard: (none) => feedback

Comment 7 Thomas Backlund 2013-07-09 21:56:17 CEST
Deleted:

x11-server-1.11.4-2.3.mga2.src.rpm
x11-server-1.13.4-2.1.mga3.src.rpm

and their matching rpms

Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 8 David Walser 2013-07-09 22:12:23 CEST
Well, technically not FIXED, just not issuing updates for now, so WONTFIX.

Thanks.  Note that xdm also needs deleted (from Bug 10682).

Resolution: FIXED => WONTFIX