| Summary: | x11-server new security issues CVE-2017-13721 and CVE-2017-13723 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, mageia, sysadmin-bugs, tarazed25, tmb, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK MGA6-32-OK | ||
| Source RPM: | x11-server-1.19.3-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-10-07 17:55:05 CEST
(In reply to David Walser from comment #0)
> Upstream has announced two security issues fixed upstream:
> http://openwall.com/lists/oss-security/2017/10/04/10
>
> The issues are fixed in 1.19.4.
>
> I don't know if Mageia 5 is affected.

It is, I've just pushed an x11-server-1.16.4-2.3.mga5 to the buildsystem.

Advisory:
========================

Updated x11-server packages fix security vulnerabilities:

In Xext/shm, the shmseg resource id can belong to a non-existing client and abort the X server with FatalError "client not in use", or overwrite the existing segment of another existing client (CVE-2017-13721).

Generating strings for XKB data used a single shared static buffer, which offered several opportunities for errors when strings end up longer than anticipated (CVE-2017-13723).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13723
http://openwall.com/lists/oss-security/2017/10/04/10
========================

Updated packages in core/updates_testing:
========================
x11-server-1.16.4-2.3.mga5
x11-server-devel-1.16.4-2.3.mga5
x11-server-common-1.16.4-2.3.mga5
x11-server-xorg-1.16.4-2.3.mga5
x11-server-xdmx-1.16.4-2.3.mga5
x11-server-xwayland-1.16.4-2.3.mga5
x11-server-xnest-1.16.4-2.3.mga5
x11-server-xvfb-1.16.4-2.3.mga5
x11-server-xephyr-1.16.4-2.3.mga5
x11-server-xfake-1.16.4-2.3.mga5
x11-server-xfbdev-1.16.4-2.3.mga5
x11-server-source-1.16.4-2.3.mga5
x11-server-1.19.4-1.mga6
x11-server-common-1.19.4-1.mga6
x11-server-xorg-1.19.4-1.mga6
x11-server-xnest-1.19.4-1.mga6
x11-server-xdmx-1.19.4-1.mga6
x11-server-xvfb-1.19.4-1.mga6
x11-server-xephyr-1.19.4-1.mga6
x11-server-xfake-1.19.4-1.mga6
x11-server-xfbdev-1.19.4-1.mga6
x11-server-xwayland-1.19.4-1.mga6
x11-server-devel-1.19.4-1.mga6
x11-server-source-1.19.4-1.mga6

from SRPMS:
x11-server-1.16.4-2.3.mga5.src.rpm
x11-server-1.19.4-1.mga6.src.rpm

Whiteboard: (none) => MGA5TOO

Tested on mga6 for x86_64

Installed all the extra packages before updating. Logged out and in. Ran the updates. Logged out and in.

$ rpm -qa | grep x11-server
x11-server-devel-1.19.4-1.mga6
x11-server-xorg-1.19.4-1.mga6
x11-server-source-1.19.4-1.mga6
x11-server-1.19.4-1.mga6
x11-server-xfbdev-1.19.4-1.mga6
x11-server-xvfb-1.19.4-1.mga6
x11-server-xfake-1.19.4-1.mga6
x11-server-xnest-1.19.4-1.mga6
x11-server-xwayland-1.19.4-1.mga6
x11-server-common-1.19.4-1.mga6
x11-server-xephyr-1.19.4-1.mga6
x11-server-xdmx-1.19.4-1.mga6

Various applications all working OK. ssh login to another machine on the LAN. Tried out graphics applications. Played HD and DVD videos across the network with vlc. They stuttered a bit but ran OK. There was a problem logging out. Had to use Ctrl-C to kill the connection. That problem did not reappear when the same test was performed later with mplayer. Remote ssh login again. Other graphics applications closed down cleanly. A network share application worked fine from the other machine and the local machine. exit worked fine that time.

This update is fine for 64-bit.

CC: (none) => tarazed25
Len Lawrence
2017-10-08 10:03:38 CEST
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Testing on mga5 for x86_64, nvidia driver 384.59

Installed missing packages before the update. Ran the updates.
- x11-server-1.16.4-2.3.mga5.x86_64
- x11-server-common-1.16.4-2.3.mga5.x86_64
- x11-server-xdmx-1.16.4-2.3.mga5.x86_64
- x11-server-xephyr-1.16.4-2.3.mga5.x86_64
- x11-server-xfake-1.16.4-2.3.mga5.x86_64
- x11-server-xfbdev-1.16.4-2.3.mga5.x86_64
- x11-server-xnest-1.16.4-2.3.mga5.x86_64
- x11-server-xorg-1.16.4-2.3.mga5.x86_64
- x11-server-xvfb-1.16.4-2.3.mga5.x86_64
- x11-server-xwayland-1.16.4-2.3.mga5.x86_64

Logged out and in. Ran various desktop applications: firefox, gkrellm, mcc, vlc and mplayer to play videos, local ruby-tk scripts to display custom-made GUIs. Everything working fine. Network share GUIs working OK. Remote login to a workstation on the LAN. Repeated some of the tests. No problems.
Len Lawrence
2017-10-08 11:05:37 CEST
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Lewis Smith
2017-10-08 11:18:14 CEST
Keywords: (none) => advisory

Installed and tested without issues. Have been using the update for several hours, multiple concurrent sessions, bunch of programs, including OpenGL, without issues.

System: Mageia 5, x86_64, Plasma DE, Intel CPU, nVidia GPU with proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.89-desktop-1.mga5 #1 SMP Wed Sep 27 16:25:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep x11-server
x11-server-xorg-1.16.4-2.3.mga5
x11-server-common-1.16.4-2.3.mga5

CC: (none) => mageia

In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test: x11-server-common x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.2.mga5.i586 is already installed

Screen sizes are correct, display is normal, common apps work.

Install x11-server-common & x11-server-xorg from updates_testing:

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.3.mga5.i586 is already installed

Screen sizes are correct, display is normal, common apps work.

CC: (none) => wilcal.int
William Kenney
2017-10-08 20:27:37 CEST
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK

I agree with Lewis that this needs testing on a 32-bit architecture. All I have is vboxes but shall give it a run. The other concern is to run xwayland, which means testing under GNOME. I might add that to the 64-bit tests later.

Installed these on mga6::i586 in virtualbox:
x11-server-xwayland-1.19.4-1.mga6
x11-server-xnest-1.19.4-1.mga6
x11-server-1.19.4-1.mga6
x11-server-xvfb-1.19.4-1.mga6
x11-server-devel-1.19.4-1.mga6
x11-server-xdmx-1.19.4-1.mga6
x11-server-xfake-1.19.4-1.mga6
x11-server-xorg-1.19.4-1.mga6
x11-server-source-1.19.4-1.mga6
x11-server-common-1.19.4-1.mga6
x11-server-xephyr-1.19.4-1.mga6

Logged out and in. MageiaWelcome came up. Invoked terminals and mcc. Firefox running OK. Watched an MKV clip from the host machine via a network share. Ran mplayer to watch the start of an mp4 film on the virtual disk. Set gkrellm running. Remote login on the LAN - ran gqview to view images. Watched a bit of Forbidden Planet using vlc. Keyboard events were transmitted across the network but took a bit of time to take effect - that was to stop the film.

This looks OK, but only the network probes are dealing with real hardware.
Len Lawrence
2017-10-08 20:29:42 CEST
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK MGA6-32-OK

This is good to go. Len, you've got the honours.

Right-ho Bill - thanks. Validating.
Len Lawrence
2017-10-08 21:20:50 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0366.html

Status: NEW => RESOLVED
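The check the testers above did by eye with `rpm -qa | grep x11-server`, automated against the fixed version-release strings from the advisory, as an added example that is not part of this bug report or of Mageia's tooling; the mga5/mga6 thresholds come from the advisory's package list, while the `rpm -qa` lines it reads and the function names are constructed for the example.

```shell
# Fixed version-release per Mageia release, taken from the advisory's package list.
fixed_vr() {
  case "$1" in
    mga5) echo "1.16.4-2.3" ;;
    mga6) echo "1.19.4-1" ;;
    *)    return 1 ;;
  esac
}
# Zero-pad each numeric field so a plain string comparison orders versions
# numerically: "1.16.4-2.3" becomes "00001.00016.00004.00002.00003."
vr_key() {
  key=""
  for f in $(printf '%s' "$1" | tr '.-' '  '); do
    key="$key$(printf '%05d' "$f")."
  done
  printf '%s' "$key"
}
# True (exit 0) when version-release $1 is at or above $2.
vr_ge() {
  ka=$(vr_key "$1"); kb=$(vr_key "$2")
  [ "$ka" = "$kb" ] || [ "$ka" \> "$kb" ]
}
# Split one "name-version-release.mgaN" string and report whether it carries the fix.
check_pkg() {
  tag=${1##*.}                  # mga5 or mga6
  nvr=${1%.*}                   # x11-server-xorg-1.16.4-2.2
  rel=${nvr##*-}; nv=${nvr%-*}  # 2.2 / x11-server-xorg-1.16.4
  ver=${nv##*-};  name=${nv%-*} # 1.16.4 / x11-server-xorg
  fixed=$(fixed_vr "$tag") || { echo "unknown release tag in $1"; return 2; }
  if vr_ge "$ver-$rel" "$fixed"; then
    echo "ok $name $ver-$rel.$tag"
  else
    echo "outdated $name $ver-$rel.$tag (fixed in $fixed.$tag)"; return 1
  fi
}
# Constructed sample of `rpm -qa | grep x11-server` output (not from the testers above).
SAMPLE_RPM_QA='x11-server-xorg-1.16.4-2.2.mga5
x11-server-common-1.16.4-2.3.mga5
x11-server-xorg-1.19.4-1.mga6
x11-server-xwayland-1.19.3-3.mga6'
# Check every package in the sample; return 1 if any is still below the fixed release.
check_all() {
  rc=0
  for p in $SAMPLE_RPM_QA; do check_pkg "$p" || rc=1; done
  return $rc
}
check_all || echo "some x11-server packages still predate the fix"
```

On a real system, replace the sample with the output of `rpm -qa | grep '^x11-server'`; a mixed result like the one above (two packages fixed, two not) is what a half-applied update looks like.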