| Summary: | x11-server new security issue CVE-2018-14665 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | High | CC: | brtians1, davidwhodgins, fri, jim, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | x11-server-1.19.5-1.1.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Screenshot of plasma panel | ||
|
Description
David Walser
2018-10-26 01:40:13 CEST
Created attachment 10427 [details]
Screenshot of plasma panel
Issues in quick test on 64 bit, Plasma
a) in tiled desktop mode i moved program windows across screens, and everything froze except for mouse pointer.
Then i switched to a text console (Ctrl-Alt-F2), logged in, and checked journal - but dod not see anything that worried me. When i switched back desktop worked again, but
b) the Plasma panel at screen bottom have weird program text and clock. (see attached)
System: my worstation; 4k screen, nvidia proprietary driver.
Using all updates incl updates_testing, incl kernel desktop 4.14.78-1
I think i have seen a) some week ago so it may be an issue unrelated to this update. But b) i have never seen before.CC:
(none) =>
fri Further testing: I have a bash script that at DE login launches several applications with delay in between. I also have BOINC eating most of my CPU + GPU. It seems that if i let all the applications launch before i go to tiled mode and toss them around to different desktops, everything is OK. But if i go to tiled mode while they are launching, and also launches login popups for mail etc, then display gets frozen except mouse pointer, and if i shift to text screen Ctrl-Alt-F2 and back quickly now, screen got black + mouse hand pointer, and after some seconds desktop appeared, with a system tray popup something like kwin got restarted due to graphics problems. And then now it works OK, no text problems like in c 1. Difference to c 1 is that now i was at text screen only a couple seconds. In short i think this is not a big problem, but the bog gets trigged by the massive CPU and GPU load in combination with dragging windows between desktops in tiled mode on a 4k screen... And it may be some other update at least in combination, as this system is fully updated to updates_testing. I have not seen any other issue in a couple hours time surfing, textedit, video, screengrab. Debian has issued an advisory for this on October 25: https://www.debian.org/security/2018/dsa-4328
Thomas Backlund
2018-10-26 20:20:24 CEST
Priority:
Normal =>
High
Advisory, added to svn:
type: security
subject: Updated x11-server packages fix security vulnerability
CVE:
- CVE-2018-14665
src:
6:
core:
- x11-server-1.19.5-1.2.mga6
description: |
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
check for -modulepath and -logfile options when starting Xorg. X server
allows unprivileged users with the ability to log in to the system via
physical console to escalate their privileges and run arbitrary code under
root privileges (CVE-2018-14665).
references:
- https://bugs.mageia.org/show_bug.cgi?id=23757
- https://www.openwall.com/lists/oss-security/2018/10/25/1Keywords:
(none) =>
advisory I've confirmed on x86_64 that the current x11-server-xorg-1.19.5-1.1.mga6 in updates is vulnerable, and that the upstream fix merged in x11-server-xorg-1.19.5-1.2.mga6 in updates_testing blocks the exploit. Physical Hardware AMD Athlon(tm) II X3 450 Processor GF108 [GeForce GT 730] Desktop: Gnome X.org # uname -a Linux linux.local 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux # urpmi x11-server Package x11-server-1.19.5-1.2.mga6.x86_64 is already installed I've been running this a few hours already, seems to be working as designed. Also took liberty and installed x11-server x11-server-1.19.5-1.2 (even though it wasn't installed before). Installed without issue x86_64 working as designed with nvidia and xorg-Gnome. CC:
(none) =>
brtians1 on mga6-64 plasma
packages installed cleanly:
- x11-server-common-1.19.5-1.2.mga6.x86_64
- x11-server-xorg-1.19.5-1.2.mga6.x86_64
- x11-server-xwayland-1.19.5-1.2.mga6.x86_64
no regressions noted
I do not play games or use plasma's desktop effects
OK for me on mga6-64 on this system:
Graphics: Card: Intel HD Graphics 530
Display Server: Mageia X.org 119.5 drivers: v4l,intel Resolution: 1920x1080@60.00hz
GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2) GLX Version: 3.0 Mesa 17.3.9
Updated packages also OK on mga6-64 and mga6-32 vbox clients, both using plasmaCC:
(none) =>
jim Working ok on my systems. No others have reported problems, so validating. Whiteboard:
(none) =>
MGA6-64-OK An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0421.html Status:
NEW =>
RESOLVED |