Bug 12042

Summary: x11-server new security issue CVE-2013-6424
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, thierry.vignaud, tmb, wilcal.int, wrw105
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/577554/
Whiteboard: advisory mga3-64-OK mga3-32-OK
Source RPM: x11-server CVE:
Status comment:

Description David Walser 2013-12-18 18:55:45 CET 
Debian has issued an advisory today (December 18):
http://lists.debian.org/debian-security-announce/2013/msg00236.html

I previously mentioned this issue in Bug 11874:
https://bugs.mageia.org/show_bug.cgi?id=11874#c1

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-18 18:56:05 CET

Whiteboard: (none) => MGA3TOO

David Walser 2013-12-18 20:12:36 CET

URL: (none) => http://lwn.net/Vulnerabilities/577554/

David Walser 2013-12-20 23:25:48 CET

Blocks: (none) => 11726

Comment 2 Thierry Vignaud 2013-12-26 20:47:45 CET 
Why not...
Go ahead
Comment 3 David Walser 2013-12-27 14:32:33 CET 
Thanks Thierry!

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated x11-server packages fixes security vulnerability:

Bryan Quigley discovered an integer underflow in the Xorg X server which could
lead to denial of service or the execution of arbitrary code (CVE-2013-6424).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6424
http://www.debian.org/security/2013/dsa-2822
========================

Updated packages in core/updates_testing:
========================
x11-server-1.13.4-2.3.mga3
x11-server-devel-1.13.4-2.3.mga3
x11-server-common-1.13.4-2.3.mga3
x11-server-xorg-1.13.4-2.3.mga3
x11-server-xdmx-1.13.4-2.3.mga3
x11-server-xnest-1.13.4-2.3.mga3
x11-server-xvfb-1.13.4-2.3.mga3
x11-server-xephyr-1.13.4-2.3.mga3
x11-server-xfake-1.13.4-2.3.mga3
x11-server-xfbdev-1.13.4-2.3.mga3
x11-server-source-1.13.4-2.3.mga3

from x11-server-1.13.4-2.3.mga3.src.rpm

CC: (none) => thierry.vignaud
Version: Cauldron => 3
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA3TOO => (none)

David Walser 2013-12-27 14:49:50 CET

Blocks: 11726 => (none)

Dave Hodgins 2014-01-02 18:30:14 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 William Kenney 2014-01-03 16:56:12 CET 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
x11-server

start with default installed x11-server

[root@localhost wilcal]# urpmi x11-server
Package x11-server-1.13.4-2.2.mga3.i586 is already installed

All seems fine

install x11-server from updates_testing

Restart x

[root@localhost wilcal]# urpmi x11-server
Package x11-server-1.13.4-2.3.mga3.i586 is already installed

All seems fine


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int

Comment 5 William Kenney 2014-01-03 16:56:48 CET 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
x11-server

start with default installed x11-server

[root@localhost wilcal]# urpmi x11-server
Package x11-server-1.13.4-2.2.mga3.x86_64 is already installed

All seems fine

install x11-server from updates_testing

Restart x

[root@localhost wilcal]# urpmi x11-server
Package x11-server-1.13.4-2.3.mga3.x86_64 is already installed

All seems fine


Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 6 Bill Wilkinson 2014-01-04 03:01:38 CET 
Tested mga3-64 on real hardware, installed x11-server-common and x11-server-xorg, no regressions found.

CC: (none) => wrw105

David Walser 2014-01-09 21:36:02 CET

Severity: normal => major

Comment 7 Bill Wilkinson 2014-01-19 01:49:56 CET 
Tested mga3-32 on real hardware. installed x11-server-common and x11-server-xorg, no regressions noted.

Will validate with libxfont shortly.

Whiteboard: advisory => advisory mga3-64-OK mga3-32-OK

Comment 8 claire robinson 2014-01-20 09:08:30 CET 
Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2014-01-21 17:36:49 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0016.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED