Bug 14857

Summary: xlockmore potential security issue fixed upstream in 5.45
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: eatdirt, herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628115/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: xlockmore-5.43-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-19 23:02:46 CET 
xlockmore 5.45 has been announced on December 2, fixing a potential security issue:
http://calypso.tux.org/pipermail/xlock-announce/2014/000059.html

Freeze push requested for Cauldron for xlockmore 5.45.

The upstream patch is committed in Mageia 4 SVN.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-20 21:32:58 CET 
Patched package uploaded for Mageia 4.

Advisory to come later.  For now, see the upstream reference in Comment 0.

xlockmore-5.43-2.1.mga4
xlockmore-gtk2-5.43-2.1.mga4

from xlockmore-5.43-2.1.mga4.src.rpm

CC: (none) => dirteat
Assignee: bugsquad => qa-bugs

Comment 2 claire robinson 2014-12-21 17:28:15 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10799#c1

Whiteboard: (none) => has_procedure

Comment 3 Herman Viaene 2014-12-23 12:10:51 CET 
MGA-64 on HP Probook 6555b
No installation issues
Run xlock at CLI, locks an unlocks nicely.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 4 Herman Viaene 2014-12-23 12:12:22 CET 
MGA4-32b on Acer D620
No installation issues
Run xlock at CLI, locks an unlocks nicely.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA-32-OK

Comment 5 David Walser 2014-12-23 19:11:50 CET 
Make sure you test the pyro2 screensaver specifically, as that's the one that's affected by this update.
Comment 6 Herman Viaene 2014-12-24 11:23:33 CET 
Tested on both 64 and 32 with CLI command
xlock -mode pyro2
No problems seen.
claire robinson 2014-12-24 11:26:04 CET

Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 7 claire robinson 2014-12-24 11:26:27 CET 
Needs advisory here too please.
Comment 8 Chris Denice 2014-12-24 12:07:39 CET 
here you go (I did not find any CVE number however)


Advisory:
========================

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.45 contains a security flaw related to a bad value of fnt for pyro2 which could cause an X error. This update backports the fix for version 5.43.

References:
http://calypso.tux.org/pipermail/xlock-announce/2014/000059.html


Updated packages in core/updates_testing:
========================
xlockmore-5.43-2.1.mga4
xlockmore-gtk2-5.43-2.1.mga4

from SRPMS:
xlockmore-5.43-2.1.mga4.src.rpm
Comment 9 claire robinson 2014-12-26 10:55:52 CET 
Thanks Chris

Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-12-26 18:06:04 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0554.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-30 17:13:23 CET

URL: (none) => http://lwn.net/Vulnerabilities/628115/