| Summary: | libxcursor new security issue CVE-2017-16612 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, mageia, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK MGA6-32-OK | ||
| Source RPM: | libxcursor-1.1.14-6.mga6.src.rpm | CVE: | CVE-2017-16612 |
| Status comment: | |||
Description
David Walser
2017-11-30 21:24:05 CET
David Walser
2017-11-30 21:24:10 CET
Whiteboard: (none) => MGA6TOO, MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap overflows when parsing malicious files. (CVE-2017-16612)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
https://usn.ubuntu.com/usn/usn-3501-1/
========================

Updated packages in 5/core/updates_testing:
========================
lib(64)xcursor1-1.1.14-5.1.mga5
lib(64)xcursor-devel-1.1.14-5.1.mga5

from SRPMS:
libxcursor-1.1.14-5.1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lib(64)xcursor1-1.1.14-6.1.mga6
lib(64)xcursor-devel-1.1.14-6.1.mga6

from SRPMS:
libxcursor-1.1.14-6.1.mga6.src.rpm

Version: Cauldron => 6

Installed and tested without issues.

System: Mageia 5, x86_64, Plasma DE, Intel CPU, nVidia GPU with nvidia340 proprietary driver.

Since libxcursor is used by kwin and plasma-desktop, to test I simply restarted the Xorg server and session to be certain the new library was loaded and used. Also changed the cursor theme in KDE's systemsettings. No regressions noticed.

$ rpm -q lib64xcursor1
lib64xcursor1-1.1.14-5.1.mga5

$ uname -a
Linux marte 4.4.103-desktop-1.mga5 #1 SMP Thu Nov 30 12:44:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ urpmq --whatrequires lib64xcursor1 | egrep -v ^lib | sort -u
0ad aseprite chromium-browser-stable fife flash-player-plugin freerdp freshplayerplugin gambas3-gb-sdl gimp godot jogl2 kdebase4-runtime kdebase4-workspace kwin lxqt-config marco mate-control-center metacity mousetweaks muffin openbox plasma-desktop sk1 spectrwm spring virtualbox weston wine64 x11-driver-video-intel xcursorgen xfce4-settings xsetroot

CC: (none) => mageia
PC LX
2017-12-01 11:52:11 CET
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Mageia 6 on x86_64 - Mate

Followed the lead of PC LX, comment 3. Restarted the session and X. Changed the mouse pointer via Mate settings -> Appearance -> Themes -> customize current theme. Tried gimp, which appears in the list in comment 3.

$ strace gimp ManDogSun_Hackmann.jpg 2> trace
$ cat trace | grep libXcursor
open("/lib64/libXcursor.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libXcursor.so.1.0.2", O_RDONLY) = 3

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

MGA5-32 on Dell Latitude D600 Xfce

No installation issues. Followed Comment 4 in Xfce settings and ran gimp, new cursor behaves OK.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK

Mageia 6 :: i586 in virtualbox

Updated the two libraries. Changed the mouse pointer in Mate preferences -> look & feel. Restarted the session. Everything running fine. New mouse pointer in use. Good for 32 bits.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK MGA6-32-OK
Len Lawrence
2017-12-04 12:53:03 CET
CC: (none) => sysadmin-bugs
Dave Hodgins
2017-12-05 20:47:45 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0443.html

Resolution: (none) => FIXED