Bug 15856

Summary: x11-server new security issue CVE-2015-3418
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/643134/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: x11-server-1.14.5-2.3.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2015-05-05 19:17:15 CEST
A CVE was assigned for a regression caused by the CVE-2014-8092 fix:
http://openwall.com/lists/oss-security/2015/04/25/4

We fixed CVE-2014-8092 in Bug 14767.

The new fix is already in Cauldron.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

A regression in the fix for CVE-2014-8092 (MGASA-2014-0532) caused another
issue which could lead to a local denial of service (CVE-2015-3418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3418
http://openwall.com/lists/oss-security/2015/04/25/4
========================

Updated packages in core/updates_testing:
========================
x11-server-1.14.5-2.4.mga4
x11-server-devel-1.14.5-2.4.mga4
x11-server-common-1.14.5-2.4.mga4
x11-server-xorg-1.14.5-2.4.mga4
x11-server-xdmx-1.14.5-2.4.mga4
x11-server-xnest-1.14.5-2.4.mga4
x11-server-xvfb-1.14.5-2.4.mga4
x11-server-xephyr-1.14.5-2.4.mga4
x11-server-xfake-1.14.5-2.4.mga4
x11-server-xfbdev-1.14.5-2.4.mga4
x11-server-source-1.14.5-2.4.mga4

from x11-server-1.14.5-2.4.mga4.src.rpm

Comment 1 David Walser 2015-05-06 01:47:59 CEST
Working fine Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 2 Lewis Smith 2015-05-06 14:43:22 CEST
MGA4 x64 real hardware with AMD/ATI/Radeon video.

Having just
 x11-server-1.14.5-2.4.mga4
 x11-server-common-1.14.5-2.4.mga4
and using my system with graphics-oriented applications, nothing untoward noticed.
I would rather see more testers trying this update, but am OKing it anyway.

CC: (none) => lewyssmith
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 3 David Walser 2015-05-06 15:01:20 CEST
(In reply to Lewis Smith from comment #2)
> I would rather see more testers trying this update, but am OKing it anyway.

It was just a tiny patch (and one that's already in Cauldron). Should be fine.

Comment 4 claire robinson 2015-05-06 16:19:32 CEST
Tested OK here too mga4 64. No regression noticed in general use.


Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-05-06 17:16:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0196.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED