| Summary: | libx11 new security issues CVE-2018-1459[89] and CVE-2018-14600 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | marja11, nicolas.salguero, sysadmin-bugs, tarazed25, thierry.vignaud, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | libx11-1.6.5-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-08-22 02:03:21 CEST
David Walser
2018-08-22 02:03:46 CEST
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing the de facto maintainer.
Assignee: bugsquad => pkg-bugs

openSUSE and Ubuntu have issued advisories for this on August 31 and 30:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00164.html
https://usn.ubuntu.com/3758-1/

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). (CVE-2018-14598)

An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. (CVE-2018-14599)

An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. (CVE-2018-14600)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14600
http://openwall.com/lists/oss-security/2018/08/21/6
https://lists.opensuse.org/opensuse-updates/2018-08/msg00164.html
https://usn.ubuntu.com/3758-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)x11_6-1.6.5-1.1.mga6
lib(64)x11-xcb1-1.6.5-1.1.mga6
lib(64)x11-devel-1.6.5-1.1.mga6
libx11-common-1.6.5-1.1.mga6
libx11-doc-1.6.5-1.1.mga6

from SRPMS:
libx11-1.6.5-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs

Mageia 6, x86_64
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
Looks like there are no reproducers for these three issues.
Installed the five packages.
All updated cleanly.
$ urpmq --whatrequires lib64x11_6 | sort -u
produces a long list of dependent applications including xterm and xeyes.
xterm and xeyes work fine.
Tried xviewer and a few others.
$ xviewer -s /data/images/asteroids
This started a slideshow of the images in the given directory.
zoom seems to be some kind of game launcher.
xsysinfo displays a graphic along the lines of gkrellm. By default it shows load average and the activity in the CPU cores as 8 separate load bars and a panel for the amount of memory in use. It may be buggy because the no* arguments seem to work but the activate items do not.
$ xsysinfo -swap -noload
Shows loading and RAM use but not swap.
xplayer displays videos OK.
$ strace -o trace xplayer victoria_dem_2_1280.mov
$ cat trace | grep x11 | grep -v 0x11
$
No evidence of libx11. Tried strace on xeyes. Still no libx11.
$ strace -o trace vlc Restless.m2t
$ grep x11 trace
mmap(0x7f44aef0b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7f44aef0b000
stat("/usr/lib64/vlc/plugins/video_output/libglconv_vaapi_x11_plugin.so", {st_mode=S_IFREG|0755, st_size=28456, ...}) = 0
stat("/usr/lib64/vlc/plugins/video_output/libxcb_x11_plugin.so", {st_mode=S_IFREG|0755, st_size=19728, ...}) = 0
There is a possible indirect reference to lib64x11-xcb1 there.
$ urpmq --requires-recursive vlc | grep x11
lib64gtk+-x11-2.0_0
lib64qt5x11extras5
lib64x11-xcb1
lib64x11_6
So vlc does require the libraries but we have not shown it actually being used very much. The same is true of the command-line version cvlc.
Opening blender under strace does not supply unequivocal evidence of its use.
We shall just have to assume that the libraries are used at some stage in these applications. They all work without any apparent regressions so this is awarded a tentative OK.
Whiteboard: (none) => MGA6-64-OK
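The three CVE descriptions in the suggested advisory above all concern one parsing step in XListExtensions: reading a list of length-prefixed strings (a 1-byte length, then that many bytes) out of a reply that the X server controls. As an added illustration that is not libX11's own ListExt.c code, the C below parses that STR list with the length read as an unsigned byte and checked against the remaining reply length, and frees only entries it actually allocated; the sample replies are constructed, not captured from a server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated list produced by parse_extension_list(). Only entries
 * that were actually allocated are freed, so a parse that fails part-way never
 * hands a stale or NULL-set slot to free() (the CVE-2018-14598 failure mode). */
void free_extension_list(char **list)
{
    if (!list) return;
    for (size_t i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* Parse `count` STR entries (1-byte length n, then n bytes) from the untrusted
 * reply bytes reply[0..reply_len). Returns a NULL-terminated array of C strings
 * and sets *out_n = count, or returns NULL (with *out_n = 0) if any entry would
 * run past the end of the reply. */
char **parse_extension_list(const uint8_t *reply, size_t reply_len,
                            size_t count, size_t *out_n)
{
    char **list = calloc(count + 1, sizeof *list);   /* +1: terminating NULL slot */
    if (!list) { *out_n = 0; return NULL; }
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        if (pos >= reply_len)                          /* no byte left for the length */
            goto fail;
        size_t n = reply[pos++];                       /* uint8_t: 0..255, never negative */
        if (n > reply_len - pos)                       /* body would read past the reply */
            goto fail;
        list[i] = malloc(n + 1);                       /* n bytes plus the terminator */
        if (!list[i])
            goto fail;
        memcpy(list[i], reply + pos, n);
        list[i][n] = '\0';
        pos += n;
    }
    *out_n = count;
    return list;
fail:
    free_extension_list(list);
    *out_n = 0;
    return NULL;
}

/* Constructed sample replies (not captured from a real X server). */
const uint8_t good_reply[] = { 5, 'S','H','A','P','E', 6, 'X','F','i','x','e','s' };
const uint8_t short_reply[] = { 0xC0, 'X' };   /* claims 192 bytes, only 1 follows */
```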
Thomas Backlund
2018-09-05 13:12:26 CEST
CC: (none) => tmb
Len Lawrence
2018-09-19 23:21:29 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0377.html
Status: ASSIGNED => RESOLVED