Bug 14767

Summary: x11-server new security issues CVE-2014-809[1-9] and CVE-2014-810[0-3]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, olchal, rverschelde, sysadmin-bugs, thierry.vignaud, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/625511/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Source RPM: x11-server-1.16.2-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-12-09 19:25:58 CET 
Upstream has issued an advisory today (December 9):
http://openwall.com/lists/oss-security/2014/12/09/18
http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

A link to patches is provided on the upstream advisory now, and it says it will post links to git commits later.  The issue will also be fixed in 1.16.3.

Mageia 4 is also affected by all of these issues except for CVE-2014-8103.

Mageia does have the -nolisten tcp mitigation in place by default.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-09 19:26:05 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-12-09 22:57:33 CET 
git commit links have been posted to the upstream advisory:
http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

A 1.16.3 RC (1.16.2.901) is available with the fixes, according to:
http://openwall.com/lists/oss-security/2014/12/09/29
Comment 2 David Walser 2014-12-10 18:13:45 CET 
Ubuntu has issued advisories for this on December 9:
http://www.ubuntu.com/usn/usn-2436-1/
http://www.ubuntu.com/usn/usn-2436-2/
David Walser 2014-12-10 19:07:20 CET

URL: (none) => http://lwn.net/Vulnerabilities/625511/

Comment 3 David Walser 2014-12-12 18:40:05 CET 
RedHat has issued an advisory for this on December 11:
https://rhn.redhat.com/errata/RHSA-2014-1983.html
Comment 4 David Walser 2014-12-13 22:18:24 CET 
Thierry has requested a freeze push for Cauldron.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated x11-server packages fix security vulnerabilities:

Ilja van Sprundel of IOActive discovered several security issues in the X.org
X server, which may lead to privilege escalation or denial of service
(CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095,
CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100,
CVE-2014-8101, CVE-2014-8102).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
https://www.debian.org/security/2014/dsa-3095
========================

Updated packages in core/updates_testing:
========================
x11-server-1.14.5-2.1.mga4
x11-server-devel-1.14.5-2.1.mga4
x11-server-common-1.14.5-2.1.mga4
x11-server-xorg-1.14.5-2.1.mga4
x11-server-xdmx-1.14.5-2.1.mga4
x11-server-xnest-1.14.5-2.1.mga4
x11-server-xvfb-1.14.5-2.1.mga4
x11-server-xephyr-1.14.5-2.1.mga4
x11-server-xfake-1.14.5-2.1.mga4
x11-server-xfbdev-1.14.5-2.1.mga4
x11-server-source-1.14.5-2.1.mga4

from x11-server-1.14.5-2.1.mga4.src.rpm

CC: (none) => thierry.vignaud
Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO => (none)
Severity: normal => critical

Comment 5 olivier charles 2014-12-14 11:23:25 CET 
Testing on Mageia4x64, nvidia750 gtx, kde desktop.

From 
x11-server-xorg-1.14.5-2.mga4
x11-server-common-1.14.5-2.mga4

To 
x11-server-xorg-1.14.5-2.1.mga4
x11-server-common-1.14.5-2.1.mga4

$ xdpyinfo
name of display:    :0
version number:    11.0
vendor string:    The X.Org Foundation
vendor release number:    11405000
X.Org version: 1.14.5

Ran 3 text with X11perf which gave equivalent results

CC: (none) => olchal

Comment 6 Herman Viaene 2014-12-15 11:20:42 CET 
MGA4-64 on HP Probook 6555b with AMD Mobility Radeon HD 4225/4250
Rebooted after installation.
No remarks, all seems to work OK, same info on xdpyinfo as above.

CC: (none) => herman.viaene

Comment 7 William Kenney 2014-12-15 17:27:40 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.mga4.i586 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.1.mga4.i586 is already installed

KDE desktop and various apps work fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 8 William Kenney 2014-12-15 17:38:30 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.mga4.x86_64 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.1.mga4.x86_64 is already installed

KDE desktop and various apps work fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 9 David Walser 2014-12-15 21:57:18 CET 
Adding the OKs from William and Olivier's testing.  This can be validated.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK

Comment 10 William Kenney 2014-12-15 22:04:56 CET 
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 RĂ©mi Verschelde 2014-12-16 20:53:54 CET 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory

Comment 12 Mageia Robot 2014-12-19 16:07:16 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0532.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED