Bug 23438

Summary: sddm new security issue CVE-2018-14345
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: KDE maintainers <kde>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, marja11, mhrambo3501
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: sddm-0.17.0-4.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-08-13 23:18:45 CEST
openSUSE has issued an advisory today (August 13):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00084.html

Mageia 6 is also affected.
David Walser 2018-08-13 23:18:57 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 12:17:41 CEST
Assigning to the KDE stack maintainers, even if this isn't a KDE package :-p CC'ing the registered maintainer.

CC: (none) => mageia, marja11
Assignee: bugsquad => kde

Comment 2 Mike Rambo 2019-01-16 16:30:11 CET
The patch linked in the openSUSE report does not apply to either cauldron or mga6. The patch has two parts, one for Display.cpp which does not apply to either version, and the other for PamBackend.cpp which is already applied to both of our versions.

Looks invalid to me.

Resolution: (none) => INVALID
CC: (none) => mrambo
Status: NEW => RESOLVED

Comment 3 David Walser 2019-01-18 21:25:40 CET
This was fixed upstream in 0.18.0, which Cauldron has been updated to.

The PamBackend.cpp part *does* apply in mga6, but doesn't appear to be directly relevant to the security issue.  The affected code in Display.cpp indeed doesn't exist in 0.14.0 in mga6.

Resolution: INVALID => FIXED
Whiteboard: MGA6TOO => (none)