| Summary: | libx11 new security issue CVE-2021-31535 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, fri, mageia, ouaurelien, sysadmin-bugs, tarazed25, thierry.vignaud |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | libx11-1.7.0-1.mga8.src.rpm | CVE: | CVE-2021-31535 |
| Status comment: | | | |
Description
David Walser
2021-05-18 21:36:32 CEST

Comment 1
David Walser
2021-05-18 21:36:45 CEST

Assigning to committer.

Whiteboard: (none) => MGA8TOO, MGA7TOO
Assignee: bugsquad => pkg-bugs

Comment 2

Pushed into mga 7/8/9.

src:
- libx11-1.6.12-1.1.mga7
- libx11-1.7.0-1.1.mga8

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 3

mga8, x64

Waiting for the package list but in the meantime followed up the link https://www.openwall.com/lists/oss-security/2021/05/18/3.
There is an example of an exploit at: https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/

Before update:

$ chmod +x enjoy-all-the-colors.py
$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
xterm: warning, error event received:
X Error of failed request: BadFont (invalid Font parameter)
Major opcode of failed request: 48 (X_QueryTextExtents)
Resource id in failed request: 0x54545454
Serial number of failed request: 579
Current serial number in output stream: 579
$ xhost
access control disabled, clients can connect from any host
INET:localhost
SI:localuser:root
SI:localuser:lcl

CC: (none) => tarazed25

Comment 4

Just testing it works: Mga8-64 OK. Everything updated to testing, i.e. also the mesa and libdrm from Bug 28949.

And here:
- lib64x11-xcb1-1.7.0-1.1.mga8.x86_64
- lib64x11_6-1.7.0-1.1.mga8.x86_64

Hardware: My workstation "svarten": Mainboard: Sabertooth P67, CPU: i7-3770, RAM 16G, GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

CC: (none) => fri

Comment 5

$ inxi -SGxx
System: Host: mageia.local Kernel: 5.10.37-desktop-2.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0
Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8
Graphics: Device-1: NVIDIA TU116 [GeForce GTX 1660 Ti] vendor: Gigabyte driver: nvidia v: 460.80 bus ID: 01:00.0
chip ID: 10de:2182
Display: x11 server: Mageia X.org 1.20.11 compositor: kwin_x11 driver: modesetting,nvidia,v4l resolution:
1: 1920x1080~60Hz 2: 1920x1080 s-dpi: 80
OpenGL: renderer: GeForce GTX 1660 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA 460.80 direct render: Yes
$ rpm -qa --last
libx11-common-1.7.0-1.1.mga8.x86_64 jeu. 20 mai 2021 15:51:53
lib64x11-xcb1-1.7.0-1.1.mga8.x86_64 jeu. 20 mai 2021 15:51:52
lib64x11_6-1.7.0-1.1.mga8.x86_64 jeu. 20 mai 2021 15:51:52
This is updated OK.
MGA8-64-OK for me.
For packages list:
Hum, http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28940
reports about Mageia 7 SRPM... strange.
Comment 6
David Walser

libx11_6-1.6.12-1.1.mga7
libx11-xcb1-1.6.12-1.1.mga7
libx11-devel-1.6.12-1.1.mga7
libx11-common-1.6.12-1.1.mga7
libx11-doc-1.6.12-1.1.mga7
libx11_6-1.7.0-1.1.mga8
libx11-common-1.7.0-1.1.mga8
libx11-devel-1.7.0-1.1.mga8
libx11-xcb1-1.7.0-1.1.mga8
libx11-doc-1.7.0-1.1.mga8

Comment 7

mga7, x64

Before update:
lib64x11_6-1.6.12-1.mga7
lib64x11-xcb1-1.6.12-1.mga7
lib64x11-devel-1.6.12-1.mga7
libx11-common-1.6.12-1.mga7
libx11-doc-1.6.12-1.mga7

PoC test, referenced in comment 3.

$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
xterm: cannot load font "-Misc-Fixed-medium-R-*-*-15-140-75-75-C-180-ISO10646-1"
xterm: warning, error event received:
X Error of failed request: BadFont (invalid Font parameter)
Major opcode of failed request: 48 (X_QueryTextExtents)
Resource id in failed request: 0x54545454
Serial number of failed request: 563
Current serial number in output stream: 563

This launched an xterm with a blue background and then crashed.

$ xhost
access control disabled, clients can connect from any host
INET:localhost
SI:localuser:lcl

Updated the packages.

poctest:
$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
xterm: cannot load font "-Misc-Fixed-medium-R-*-*-15-140-75-75-C-180-ISO10646-1"
$ xhost
access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:lcl

That confirms that the software is no longer vulnerable.

`urpmq --whatrequires` lists over 1000 dependent packages and applications.

$ xsysinfo -swap
Graphical display of the varying load on the CPUs and after a while a load average.

Used xplayer to view some videos.

Ran a themed vlc under strace.
$ grep X11 vlc.trace
openat(AT_FDCWD, "/lib64/libX11.so.6", O_RDONLY|O_CLOEXEC) = 12

Installed bitmap and ran it for a while, drawing simple figures and saving as a file.
The trace did not show libx11 being used but libXt was opened successfully and that is one of the items in the dependency list.
$ grep X11 bitmap.trace
openat(AT_FDCWD, "/lib64/libX11.so.6", O_RDONLY|O_CLOEXEC) = 3
Also libXt was opened successfully and that is one of the items in the dependency list.
$ grep Xt bitmap.trace
openat(AT_FDCWD, "/lib64/libXt.so.6", O_RDONLY|O_CLOEXEC) = 3
recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\6\0\0\4\6Xt\24\3

Ran glxgears under strace and that checks out.
$ grep X11 mesa.trace
openat(AT_FDCWD, "/lib64/libX11.so.6", O_RDONLY|O_CLOEXEC) = 3
[...]
openat(AT_FDCWD, "/usr/lib64/libX11.so.6.3.0", O_RDONLY) = 4
openat(AT_FDCWD, "/lib64/libX11-xcb.so.1", O_RDONLY|O_CLOEXEC) = 4

This all looks good.

Comment 8

Just to finish this off for mga8.

poctest:
$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
$ xhost
access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:root
SI:localuser:lcl

Fix was successful.

Comment 9

(In reply to David Walser from comment #6)
> libx11_6-1.6.12-1.1.mga7
> libx11-xcb1-1.6.12-1.1.mga7
> libx11-devel-1.6.12-1.1.mga7
> libx11-common-1.6.12-1.1.mga7
> libx11-doc-1.6.12-1.1.mga7
> libx11_6-1.7.0-1.1.mga8
> libx11-common-1.7.0-1.1.mga8
> libx11-devel-1.7.0-1.1.mga8
> libx11-xcb1-1.7.0-1.1.mga8
> libx11-doc-1.7.0-1.1.mga8

For my own information, how do you obtain such a list?
I knew about http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28940
Do you have a better method? Please share it with me ;)

Comment 10
David Walser

I load the build logs from http://pkgsubmit.mageia.org/ and jump to the end where it outputs the built RPMs, and run:

awk -F/ '{print $NF}' - | awk -F. 'BEGIN{OFS="."}{NF=NF-2;print}' -

in a terminal and paste in the list (then hit Ctrl-D) and it gives me what I want. For mga8 I have to manually filter out the *debug* ones since it's not sorting them correctly (those should be at the end).
Comment 11

Advisory:
========================

Updated libx11 packages fix a security vulnerability:

XLookupColor() and other X library functions lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server (CVE-2021-31535).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28940
- https://lists.x.org/archives/xorg-announce/2021-May/003088.html
- https://lists.x.org/archives/xorg-announce/2021-May/003089.html
- https://www.openwall.com/lists/oss-security/2021/05/18/3
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)x11_6-1.6.12-1.1.mga7
lib(64)x11-xcb1-1.6.12-1.1.mga7
lib(64)x11-devel-1.6.12-1.1.mga7
lib(64)x11-common-1.6.12-1.1.mga7
lib(64)x11-doc-1.6.12-1.1.mga7

from SRPM: libx11-1.6.12-1.1.mga7
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)x11_6-1.7.0-1.1.mga8
lib(64)x11-common-1.7.0-1.1.mga8
lib(64)x11-devel-1.7.0-1.1.mga8
lib(64)x11-xcb1-1.7.0-1.1.mga8
lib(64)x11-doc-1.7.0-1.1.mga8

from SRPM: libx11-1.7.0-1.1.mga8

Comment 12

(In reply to David Walser from comment #10)
> I load the build logs from http://pkgsubmit.mageia.org/ and jump to the end
> where it outputs the built RPMs, and run:
> awk -F/ '{print $NF}' - | awk -F. 'BEGIN{OFS="."}{NF=NF-2;print}' -
>
> in a terminal and paste in the list (then hit Ctrl-D) and it gives me what I
> want. For mga8 I have to manually filter out the *debug* ones since it's
> not sorting them correctly (those should be at the end).

Thanks!
Writing this in my head ;)

Comment 13

Another option is using urpmf, such as

$ urpmf --sourcerpm --media "Core Updates Testing" libx11
lib64x11-xcb1:libx11-1.7.0-1.1.mga8.src.rpm
lib64x11-devel:libx11-1.7.0-1.1.mga8.src.rpm
lib64x11_6:libx11-1.7.0-1.1.mga8.src.rpm
libx11-doc:libx11-1.7.0-1.1.mga8.src.rpm
libx11-common:libx11-1.7.0-1.1.mga8.src.rpm

$ urpmf --sourcerpm --media "Core 32bit Updates Testing" libx11
libx11-xcb1:libx11-1.7.0-1.1.mga8.src.rpm
libx11-common:libx11-1.7.0-1.1.mga8.src.rpm
libx11-devel:libx11-1.7.0-1.1.mga8.src.rpm
libx11_6:libx11-1.7.0-1.1.mga8.src.rpm
libx11-doc:libx11-1.7.0-1.1.mga8.src.rpm

CC: (none) => davidwhodgins
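The advisory above attributes CVE-2021-31535 to missing length validation of string parameters that end up inside an X request. The C example below is added here and is not libX11 or Mageia code: it models the two 16-bit (CARD16) length fields of a LookupColor-style request to show how an oversized name is silently truncated in the header while the full string is still written, and pairs that with the kind of pre-send length guard the upstream fix applies. FIXED_HDR, fields_faithful, name_length_ok and guard_accepts_length are illustrative names chosen for this example.

```c
/* Added example (not libX11 or Mageia code): models the two CARD16 length
 * fields of a LookupColor-style X request to show how an unchecked name
 * length is truncated on the wire, and the pre-send guard that refuses it.
 * Field layout follows the X11 protocol; the functions are illustrative. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_HDR 12u  /* opcode, pad, length(CARD16), cmap, nbytes(CARD16), pad */

/* Encode the request header exactly as plain CARD16 assignments would and
 * report 1 if the fields still describe a name of name_len bytes. A 0 means
 * the header no longer covers the bytes the client writes, so the server
 * parses the surplus as further requests (the CVE-2021-31535 failure mode). */
static int fields_faithful(size_t name_len) {
    size_t padded = (name_len + 3) & ~(size_t)3;              /* name padded to 4 */
    uint16_t nbytes = (uint16_t)name_len;                    /* silently truncates */
    uint16_t length = (uint16_t)((FIXED_HDR + padded) / 4);  /* likewise, in 4-byte units */
    return (size_t)nbytes == name_len && (size_t)length * 4 == FIXED_HDR + padded;
}

/* Guard applied before any request is built: a name whose length does not fit
 * a CARD16 is refused outright. Returns 1 when the name may be sent. */
static int name_length_ok(const char *name) {
    return strlen(name) < USHRT_MAX;
}

/* Constructed input: a name of n 'a' bytes, run through the guard.
 * Returns the guard's verdict, or -1 if the buffer could not be allocated. */
static int guard_accepts_length(size_t n) {
    char *buf = malloc(n + 1);
    if (!buf) return -1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    int ok = name_length_ok(buf);
    free(buf);
    return ok;
}

int main(void) {
    size_t lens[] = { 14, 65534, 65535, 65536 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name length %6zu: header faithful=%d  guard accepts=%d\n",
               lens[i], fields_faithful(lens[i]), guard_accepts_length(lens[i]));
    return 0;
}
```

The guard is deliberately one byte more conservative than the header model (it also refuses a 65535-byte name), which is what a fixed-size CARD16 limit enforced before encoding looks like in practice.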
Comment 14
Len Lawrence
2021-05-20 21:14:36 CEST

Validating.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => advisory, validated_update

Comment 15

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0219.html

Status: NEW => RESOLVED

Comment 16

Debian has issued an advisory for this on May 24:
https://www.debian.org/security/2021/dsa-4920