| Summary: | x11-server new security issue CVE-2015-3164 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, mageia, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/648969/ | | |
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | | |
| Source RPM: | x11-server-1.16.4-2.mga5.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2015-06-22 22:42:10 CEST
I've applied the patches from SuSE's bug and submitted it into 5/core/updates_testing.

SRPM:
x11-server-1.16.4-2.1.mga5.src.rpm

RPMs:
x11-server-xwayland-1.16.4-2.1.mga5
x11-server-xvfb-1.16.4-2.1.mga5
x11-server-xorg-1.16.4-2.1.mga5
x11-server-xnest-1.16.4-2.1.mga5
x11-server-xfbdev-1.16.4-2.1.mga5
x11-server-xfake-1.16.4-2.1.mga5
x11-server-xephyr-1.16.4-2.1.mga5
x11-server-xdmx-1.16.4-2.1.mga5
x11-server-devel-1.16.4-2.1.mga5
x11-server-common-1.16.4-2.1.mga5
x11-server-1.16.4-2.1.mga5
x11-server-source-1.16.4-2.1.mga5.noarch

Thanks Sander!

Advisory:
========================

Updated x11-server packages fix security vulnerability:

The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket (CVE-2015-3164).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3164
http://lists.x.org/archives/xorg-announce/2015-June/002611.html
http://lists.opensuse.org/opensuse-updates/2015-06/msg00044.html

Assignee: thierry.vignaud => qa-bugs

Testing Mageia 5 x64 real hardware with AMD/ATI/Radeon video

Installed directly from Updates Testing x11-server-xwayland because I did not have it, but the X11 update is specifically for that. And updated main X11 to:
x11-server-common-1.16.4-2.1.mga5
x11-server-xorg-1.16.4-2.1.mga5
x11-server-xwayland-1.16.4-2.1.mga5

Re-started the X server, and using the resulting system shows nothing untoward. Update deemed OK.

CC: (none) => lewyssmith

In VirtualBox, M5, KDE, 32-bit

Package(s) under test: x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.mga5.i586 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.1.mga5.i586 is already installed

KDE desktop and various apps work fine

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

Package(s) under test: x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.mga5.x86_64 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.1.mga5.x86_64 is already installed

KDE desktop and various apps work fine

Testing using Gnome on mga-5-32

rpm -qa | grep x11-server
x11-server-xorg-1.16.4-2.mga5
x11-server-common-1.16.4-2.mga5

Installing from testing:

urpmi --search-media "Core Updates Testing" x11-server-xorg x11-server-common
Marking x11-server-xorg as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
ftp://192.168.0.2//pub/mirror/Mageia/distrib/5/i586/media/core/updates_testing/x11-server-common-1.16.4-2.1.mga5.i586.rpm
ftp://192.168.0.2//pub/mirror/Mageia/distrib/5/i586/media/core/updates_testing/x11-server-xorg-1.16.4-2.1.mga5.i586.rpm
installing x11-server-xorg-1.16.4-2.1.mga5.i586.rpm x11-server-common-1.16.4-2.1.mga5.i586.rpm from /var/cache/urpmi/rpms

After restart logged on to Gnome normally.
Tested several applications including libreoffice and firefox with flash-player.
All seem to be working OK.

OK for mga-5-32

The security issue seems to be related in particular to wayland. What, if anything, actually uses wayland?

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Is it now OK to validate this update? We haven't tested wayland, since none of us seem to use it.

(In reply to James Kerr from comment #8)
> Is it now OK to validate this update? We haven't tested wayland, since none
> of us seem to use it.

Yeah, go ahead and validate it. This issue isn't a big deal for us since we don't use wayland.

This update is now validated. Would a qa-committer upload the advisory to SVN. The packages can then be pushed to updates.

Keywords: (none) => validated_update
Rémi Verschelde
2015-08-21 16:30:40 CEST

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0316.html

Status: NEW => RESOLVED