Bug 16983

Summary:	lxdm new possible security issue with starting X server (CVE-2015-8308)
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	nicolas.salguero, sysadmin-bugs, tmb, wilcal.int
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/661349/
Whiteboard:	MGA5-32-OK MGA5-64-OK advisory
Source RPM:	lxdm-0.5.0-3.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2015-10-19 16:47:27 CEST

Fedora has issued an advisory on October 17:
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169437.html

Only the rhbz#1268900 issue possibly affects us, as the other issue is fixed in 0.5.0.  The first issue is fixed upstream in 0.5.2, so we may need to update it.

Reproducible: 

Steps to Reproduce:

David Walser 2015-10-19 18:15:40 CEST

URL: (none) => http://lwn.net/Vulnerabilities/661349/

Comment 1 Nicolas Salguero 2015-10-20 10:00:41 CEST

Hi,

The package lxdm-0.5.0-3.1.mga5 includes the patch that corrects the problem (it is a single commit in LXDM git repository).

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 2 Nicolas Salguero 2015-10-20 10:06:39 CEST

Suggested advisory:
========================

The updated lxdm package fixes a security issue with starting X server.
========================

Updated packages in core/updates_testing:
========================
i586:
lxdm-0.5.0-3.1.mga5.i586.rpm

x86_64:
lxdm-0.5.0-3.1.mga5.x86_64.rpm

Source RPMs:
lxdm-0.5.0-3.1.mga5.src.rpm

Status: NEW => ASSIGNED
Hardware: i586 => All
Assignee: nicolas.salguero => qa-bugs

Comment 3 William Kenney 2015-10-22 19:44:39 CEST

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
lxde lxdm

default install of lxde & lxdm

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.mga5.i586 is already installed

System boots to a working lxde desktop. Common apps work.

install ldxm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.i586 is already installed

System boots to a working lxde desktop. Common apps work.

CC: (none) => wilcal.int

Comment 4 William Kenney 2015-10-22 19:58:22 CEST

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
lxde lxdm

default install of lxde & lxdm

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.mga5.x86_64 is already installed

System boots to a working lxde desktop. Common apps work.

install ldxm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.x86_64 is already installed

System boots to a working lxde desktop. Common apps work.

William Kenney 2015-10-22 19:58:35 CEST

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 5 William Kenney 2015-10-22 19:59:36 CEST

Anything else we need to look at here David?

Comment 6 David Walser 2015-10-22 20:48:56 CEST

(In reply to William Kenney from comment #5)
> Anything else we need to look at here David?

Yes, check that the X server (process name is /etc/X11/X) in the process list has the -auth argument.

Comment 7 David Walser 2015-10-22 20:51:10 CEST

Also just an advisory note, the RedHat bug should be included as a Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1268900

Comment 8 William Kenney 2015-10-23 01:56:24 CEST

(In reply to David Walser from comment #6)

> Yes, check that the X server (process name is /etc/X11/X) in the process
> list has the -auth argument.

Sorry help me understand how to get that.

[wilcal@localhost ~]$ ps -A
  PID TTY          TIME CMD
    1 ?        00:00:01 systemd
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 ksoftirqd/0
............
 1309 ?        00:00:00 httpd
 1310 ?        00:00:00 httpd
 1320 tty1     00:00:50 X
 1327 ?        00:00:00 kdm
 1342 ?        00:00:00 systemd
 1343 ?        00:00:00 (sd-pam)
 1344 ?        00:00:00 startkde
 1378 ?        00:00:00 gpg-agent
 1413 ?        00:00:00 dbus-launch
 1414 ?        00:00:00 dbus-daemon
 ............

Comment 9 David Walser 2015-10-23 02:43:23 CEST

$ ps ax | grep X
 1629 tty1     Ss+   57:08 /etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-sWzF8a

Comment 10 Nicolas Salguero 2015-10-23 09:19:48 CEST

With lxdm-0.5.0-3.1.mga5, I have :

$ ps ax | grep X
 1529 tty1     Ssl+   0:09 /etc/X11/X -background none :0 vt01 -nolisten tcp -novtswitch -auth /var/run/lxdm/lxdm-:0.auth

Comment 11 David Walser 2015-10-23 13:38:05 CEST

(In reply to Nicolas Salguero from comment #10)
> With lxdm-0.5.0-3.1.mga5, I have :
> 
> $ ps ax | grep X
>  1529 tty1     Ssl+   0:09 /etc/X11/X -background none :0 vt01 -nolisten tcp
> -novtswitch -auth /var/run/lxdm/lxdm-:0.auth

Looks good.  This can be validated then.

Comment 12 William Kenney 2015-10-23 17:00:05 CEST

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
lxde lxdm

install ldxm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.i586 is already installed

System boots to a working lxde desktop. Common apps work.

[wilcal@localhost ~]$ ps ax | grep X
 1322 tty1     Ssl+   0:04 /etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-U1c9fc
 1847 pts/1    S+     0:00 grep --color X

Comment 13 William Kenney 2015-10-23 17:00:24 CEST

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
lxde lxdm

install ldxm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.x86_64 is already installed

System boots to a working lxde desktop. Common apps work.

[wilcal@localhost ~]$ ps ax | grep X
 1323 tty1     Ssl+   0:04 /etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-CJa7wa
 1863 pts/1    S+     0:00 grep --color X

Comment 14 William Kenney 2015-10-23 17:01:20 CEST

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2015-10-25 17:26:19 CET

advisory uploaded

CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 16 Mageia Robot 2015-10-25 17:35:43 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0411.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 17 David Walser 2015-11-21 01:03:14 CET

This just got assigned CVE-2015-8308:
http://openwall.com/lists/oss-security/2015/11/20/6

Summary: lxdm new possible security issue with starting X server => lxdm new possible security issue with starting X server (CVE-2015-8308)

Comment 18 David Walser 2015-11-21 01:05:06 CET

Nicolas, you should also note the other issue mentioned in that mail.  Apparently, upgrading to 0.5.2 and adding the reset option to lxdm.conf fixes it.

Comment 19 Nicolas Salguero 2015-11-21 13:47:31 CET

The reset option is already active in our package because of bug 14662.  So I think that lxdm-0.5.0-3.1.mga5 corrects the two mentioned problems.