Bug 10799

Summary: xlockmore new security issue CVE-2013-4143
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, martynvidler, sysadmin-bugs, wilcal.int
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/560031/
Whiteboard: MGA3-32-OK MGA3-64-OK
Source RPM: xlockmore-5.41-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-07-18 20:37:03 CEST 
A CVE was assigned for a security issue fixed in xlockmore 5.43:
http://openwall.com/lists/oss-security/2013/07/18/6

xlockmore was updated to 5.43 in Cauldron by eatdirt.

I have uploaded patched packages for Mageia 2 and Mageia 3.

Advisory:
========================

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.43 contains a security flaw related to potential NULL
pointer dereferences when authenticating via glibc 2.17+'s crypt() function.
Under certain conditions the NULL pointers can trigger a crash in xlockmore
effectively bypassing the screen lock (CVE-2013-4143).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4143
http://openwall.com/lists/oss-security/2013/07/16/8
========================

Updated packages in core/updates_testing:
========================
xlockmore-5.38-2.2.mga2
xlockmore-gtk2-5.38-2.2.mga2
xlockmore-5.41-2.1.mga3
xlockmore-gtk2-5.41-2.1.mga3

from SRPMS:
xlockmore-5.38-2.2.mga2.src.rpm
xlockmore-5.41-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-18 20:38:14 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 martyn vidler 2013-07-19 21:21:24 CEST 
Tested MGA2 32

xlockmore-5.38.2.1.mga2 installed
Ran xlock which then launches screensaver and locks screen enter user passwd to release.

Updated xlockmore
$MIRRORLIST: media/core/updates_testing/xlockmore-5.38-2.2.mga2.i586.rpm
installing xlockmore-5.38-2.2.mga2.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #######################################################
      1/1: xlockmore

Ran xlock again screensaver launches screen locked
entered user passwd released screen

I will test on the other archs, If there are any other procdures I should run let me know.

CC: (none) => martynvidler
Whiteboard: MGA2TOO => MGA2TOO MGA2-32-ok

Comment 2 Dave Hodgins 2013-07-19 22:12:21 CEST 
Advisory 10799.adv added to svn

CC: (none) => davidwhodgins

Comment 3 David Walser 2013-07-19 22:16:10 CEST 
This security bug falls into a class of issues caused by a behavior change in glibc's crypt() function.  Basically it sounds like trying to authenticate for a user account with a corrupted password hash in /etc/shadow can cause crashes.  See the Novell bug linked in Bug 10682 for more details, which could possibly help you figure out how to reproduce the issue.
Comment 4 David Walser 2013-07-20 03:27:06 CEST 
And since we don't have glibc 2.17 on Mageia 2, this issue shouldn't be valid there.  This issue is only valid for Mageia 3.

Dave, please edit out Mageia 2 from the list of packages.  When this is validated, we can ask the sysadmins to remove the package from Mageia 2 updates_testing.

Sorry, I guess my brain wasn't fully engaged today :o(

Advisory:
========================

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.43 contains a security flaw related to potential NULL
pointer dereferences when authenticating via glibc 2.17+'s crypt() function.
Under certain conditions the NULL pointers can trigger a crash in xlockmore
effectively bypassing the screen lock (CVE-2013-4143).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4143
http://openwall.com/lists/oss-security/2013/07/16/8
========================

Updated packages in core/updates_testing:
========================
xlockmore-5.41-2.1.mga3
xlockmore-gtk2-5.41-2.1.mga3

from xlockmore-5.41-2.1.mga3.src.rpm

Whiteboard: MGA2TOO MGA2-32-ok => (none)

Comment 5 William Kenney 2013-07-20 05:01:32 CEST 
Tested MGA3-32-OK

xlockmore ver 5.41-2 installed then launched from desktop icon.

xlockmore ver 5.41-2.1 from updates_testing installed
then relaunched from desktop icon successfully.

Test platform:
 Intel Core i7-2600K Sandy Bridge 3.4GHz
 GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
 GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
 RTL8111/8168B PCI Express 1Gbit Ethernet
 DRAM 16GB (4 x 4GB)
 VirtualBox 4.2.12-2.mga3

Update validated

Advisory:
=================================
This update corrects a CVE security issue in xlockmore.


Updated packages in core/updates_testing:
=================================

xlockmore-5.41-2.1.mga3
xlockmore-gtk2-5.41-2.1.mga3
xlockmore-5.41-2.1.mga3.src.rpm

from SRPMS:
xlockmore-5.41-2.1.mga3.src.rpm

CC: (none) => wilcal.int

William Kenney 2013-07-20 05:02:08 CEST

Whiteboard: (none) => MGA3-32-OK

Comment 6 William Kenney 2013-07-20 05:24:49 CEST 
Tested MGA3-64-OK

xlockmore ver 5.41-2 installed then launched from desktop icon.

xlockmore ver 5.41-2.1 from updates_testing installed
then relaunched from desktop icon successfully.

Test platform:
 Intel Core i7-2600K Sandy Bridge 3.4GHz
 GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
 GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
 RTL8111/8168B PCI Express 1Gbit Ethernet
 DRAM 16GB (4 x 4GB)
 VirtualBox 4.2.12-2.mga3

Update validated

Advisory:
=================================
This update corrects a CVE security issue in xlockmore.


Updated packages in core/updates_testing:
=================================

xlockmore-5.41-2.1.mga3.x86_64.rpm
xlockmore-gtk2-5.41-2.1.mga3.x86_64.rpm

from SRPMS:
xlockmore-5.41-2.1.mga3.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.


Thank you!

Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK

William Kenney 2013-07-20 05:27:58 CEST

CC: (none) => sysadmin-bugs

Comment 7 David Walser 2013-07-20 12:12:22 CEST 
William, thanks for testing, but don't create new advisories please.  One was already given in Comment 0 and Comment 4.
Comment 8 claire robinson 2013-07-20 14:25:20 CEST 
Advisory updated on svn to remove mga2 package.
Comment 9 David Walser 2013-07-20 22:59:39 CEST 
This looks ready to have the validated_update keyword added.
Comment 10 Dave Hodgins 2013-07-21 04:31:21 CEST 
Could someone from the sysadmin team push 10799.adv to updates and
remove xlockmore-5.38-2.2.mga2.src.rpm from updates testing.

Keywords: (none) => validated_update

Comment 11 Dave Hodgins 2013-07-21 04:32:51 CEST 
Sorry, meant to put remove xlockmore-5.38-2.2.mga2.src.rpm from
Mageia 2 Core updates testing.
Comment 12 Nicolas Vigier 2013-07-21 12:05:37 CEST 
http://advisories.mageia.org/MGASA-2013-0225.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

David Walser 2013-07-22 19:36:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/560031/

Nicolas Vigier 2014-05-08 18:05:16 CEST

CC: boklm => (none)