| Summary: | x11-server new security issues CVE-2020-14360 and CVE-2020-25712 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | mageia, ouaurelien, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | x11-server-1.20.9-1.mga7.src.rpm | CVE: | CVE-2020-14360, CVE-2020-25712 |
| Status comment: | |||
Description
David Walser
2020-12-02 00:32:46 CET

Ubuntu has issued an advisory for this on December 1:
https://ubuntu.com/security/notices/USN-4656-1

CC: (none) => thierry.vignaud

Comment 1

Fedora has issued an advisory for this today (December 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6NULSZT4JH6WPRE73VQI4A42OU32HKTH/

Comment 2

Yeah, I wanted the 1.20.10 to run in cauldron for some days to see if there would be some problems...

Comment 3

I think I'll go with 1.20.10 for this fix as there also are other fixes in there...

Comment 4

I was going to backport 1.20.10, I'll let you handle it if you're already on top of it.

Comment 5

(In reply to Thierry Vignaud from comment #4)
> I was going to backport 1.20.10, I'll let you handle it if you're already on
> top of it

Nah, just go ahead if you have time... I have not touched it yet. I still need to find time for a vbox and nvidia-current fixup for Mga7.

Comment 6

I've submitted x11-server-1.20.10-1.1.mga7 for it.

Source RPM: x11-server-1.20.9-1.mga7.src.rpm => x11-server-1.20.10-1.1.mga7

Comment 7

Thanks. The update shouldn't have a subrel though. (It's -2 in mga8 so we'll let it slide this time.)

PS - don't change the srpm field in bugzilla, it's for the version the bug is reported against, not the version of the update candidate.

Source RPM: x11-server-1.20.10-1.1.mga7 => x11-server-1.20.9-1.mga7.src.rpm

Comment 8

I prefer to always have a subrel in order to be sure the next committer has a chance to do the right thing in case we need a further fix… :-) "belt and suspenders"

Comment 9

Never add subrels when upgrading to new versions. (It's ugly and it often will make the version-release higher than Cauldron.)

Comment 10

Advisory:
========================

Updated x11-server packages fix security vulnerabilities:

A flaw was found in the X.Org Server. An out-of-bounds access in the XkbSetMap function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-14360).

A flaw was found in xorg-x11-server. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-25712).

The x11-server package has been updated to version 1.20.10, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712
https://lists.x.org/archives/xorg-announce/2020-December/003066.html
https://lists.x.org/archives/xorg-announce/2020-December/003067.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6NULSZT4JH6WPRE73VQI4A42OU32HKTH/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.20.10-1.1.mga7
x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xnest-1.20.10-1.1.mga7
x11-server-xdmx-1.20.10-1.1.mga7
x11-server-xvfb-1.20.10-1.1.mga7
x11-server-xephyr-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7
x11-server-devel-1.20.10-1.1.mga7
x11-server-source-1.20.10-1.1.mga7

from x11-server-1.20.10-1.1.mga7.src.rpm

Assignee: tmb => qa-bugs

Comment 11

Installed and tested without issues.

No issues with desktop applications and 3D applications and games.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GT 1030 GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep x11-server | sort
x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7

$ lspci | grep VGA
04:00.0 VGA compatible controller: NVIDIA Corporation GP108 [GeForce GT 1030] (rev a1)

$ cat /proc/driver/nvidia/version
NVRM version: NVIDIA UNIX x86_64 Kernel Module 430.64 Sun Oct 27 11:26:12 UTC 2019
GCC version: gcc version 8.4.0 (Mageia 8.4.0-1.mga7)

CC: (none) => mageia

Comment 12

Installed and tested on a QEMU/KVM guest system.

Tested on normal desktop and 3D applications (e.g. glmark2). No issues found.

Guest system: Mageia 7, x86_64, LXQt DE, virtio drivers.
Host system: see comment 11.

$ uname -a
Linux marte-vm-mageia-7 5.9.12-desktop-1.mga7 #1 SMP Wed Dec 2 09:05:37 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep x11-server | sort
x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7

$ lspci | grep VGA
00:02.0 VGA compatible controller: Red Hat, Inc. Virtio GPU (rev 01)

Comment 13

No issues with
1) M7.1 Plasma under X11 session with nvidia-current drivers.
2) M7.1 Gnome under X11 session with nvidia-current drivers.
3) M7.1 Gnome Wayland session with Intel gfx. xwayland apps (Firefox) are OK.

MCC launches very well.

Also the same under virtual machines.

CC: (none) => ouaurelien

Comment 14

No issues for two days. Daily usage is OK. SDDM works as usual. See comment 13.

Comment 15

Validating update. Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update

Comment 16

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0456.html

Resolution: (none) => FIXED
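The testers above verify the update by eyeballing `rpm -qa | grep x11-server | sort`. The script below turns that manual check into a pass/fail comparison of every installed x11-server subpackage against the fixed version-release from the advisory, so a partially applied update (one subpackage still at 1.20.9) is flagged rather than overlooked. This is an added example, not part of the bug report and not a Mageia QA tool: the `rpm -qa` listings are constructed, the package-name stripping assumes standard RPM NAME-VERSION-RELEASE strings (no dashes in version or release), and version ordering relies on GNU `sort -V` being available.

```shell
#!/bin/sh
# Added example: check installed x11-server subpackages against the fixed
# release named in the advisory (x11-server-1.20.10-1.1.mga7).

FIXED_VERSION="1.20.10-1.1.mga7"

# pkg_at_least NVR FIXED
# Return 0 if the VERSION-RELEASE part of NVR sorts at or above FIXED.
# Assumes RPM naming: the version starts with a digit and neither version
# nor release contains a dash, so the last "-<digit>...-..." is the V-R.
pkg_at_least() {
  nvr=$1
  fixed=$2
  vr=$(printf '%s\n' "$nvr" | sed 's/^.*-\([0-9][^-]*-[^-]*\)$/\1/')
  # sort -V orders 1.20.9 before 1.20.10; if the fixed string is the lowest
  # of the two, the installed one is at least as new.
  lowest=$(printf '%s\n%s\n' "$vr" "$fixed" | sort -V | head -n1)
  [ "$lowest" = "$fixed" ]
}

# check_listing LISTING FIXED
# LISTING is newline-separated `rpm -qa` output. Prints one line per
# x11-server package and returns 1 if any of them is below FIXED.
check_listing() {
  listing=$1
  fixed=$2
  rc=0
  for p in $listing; do
    case $p in
      x11-server*) ;;
      *) continue ;;
    esac
    if pkg_at_least "$p" "$fixed"; then
      echo "OK         $p"
    else
      echo "VULNERABLE $p"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a box where only xwayland was updated (e.g. an
# interrupted urpmi run), plus an unrelated package that must be ignored.
SAMPLE_LISTING="x11-server-common-1.20.9-1.mga7
x11-server-xorg-1.20.9-1.mga7
x11-server-xwayland-1.20.10-1.1.mga7
kernel-desktop-5.9.12-1.mga7"

# Constructed sample matching the testers' fully updated systems.
SAMPLE_FIXED="x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7"

check_listing "$SAMPLE_LISTING" "$FIXED_VERSION" \
  || echo "at least one x11-server package is still below $FIXED_VERSION"
```

On a live Mageia 7 system, replace the constructed listing with real data: `check_listing "$(rpm -qa)" "$FIXED_VERSION"`. The exit status makes the check usable from a fleet script, and because the comparison is on the whole VERSION-RELEASE rather than on a grep for "1.20.10", a later rebuild such as a hypothetical 1.20.10-2.mga7 is still accepted as fixed.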