Bug 29767

Summary: x11-server, x11-server-xwayland new security issues CVE-2021-400[89] and CVE-2021-401[01]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: fri, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: x11-server-1.20.12-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-12-14 22:16:42 CET 
Upstream has issued an advisory today (December 14):
https://lists.x.org/archives/xorg-announce/2021-December/003122.html

The issues are fixed upstream in x11-server 21.1.2 (not yet released) and XWayland 21.1.4:
https://lists.x.org/archives/xorg-announce/2021-December/003123.html

Mageia 8 is also affected.
David Walser 2021-12-14 22:17:02 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 21.1.2 and 21.1.4

Comment 1 David Walser 2021-12-14 22:39:17 CET 
Ubuntu has issued an advisory for this today (December 14):
https://ubuntu.com/security/notices/USN-5193-1

Severity: normal => major

Comment 2 David Walser 2021-12-16 19:23:21 CET 
x11-server 21.1.2 and 1.20.14 have been released, fixing this:
https://lists.x.org/archives/xorg-announce/2021-December/003125.html
https://lists.x.org/archives/xorg-announce/2021-December/003124.html

tmb has updated Cauldron (not xwayland yet though).
Comment 3 Thomas Backlund 2021-12-16 19:28:12 CET 
Name        : x11-server-xwayland          Relocations: (not relocatable)
Version     : 21.1.4                            Vendor: Mageia.Org
Release     : 1.mga9                        Build Date: Tue 14 Dec 2021 10:06:10 PM CET
Comment 4 David Walser 2021-12-16 19:54:36 CET 
(In reply to Thomas Backlund from comment #3)
> Name        : x11-server-xwayland          Relocations: (not relocatable)
> Version     : 21.1.4                            Vendor: Mageia.Org
> Release     : 1.mga9                        Build Date: Tue 14 Dec 2021
> 10:06:10 PM CET

O_O.  I don't see that on pkgsubmit, but I do see it on the mirrors.  How'd that happen?

Status comment: Fixed upstream in 21.1.2 and 21.1.4 => Fixed upstream in xorg server 1.20.14 and 21.1.2 and xwayland 21.1.4
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 5 David Walser 2021-12-16 19:59:03 CET 
xwayland isn't a separate SRPM on Mageia 8.

xorg server 1.20.14 uploaded for Mageia 8 by tmb.

x11-server-source-1.20.14-1.mga8
x11-server-xorg-1.20.14-1.mga8
x11-server-xephyr-1.20.14-1.mga8
x11-server-xwayland-1.20.14-1.mga8
x11-server-xdmx-1.20.14-1.mga8
x11-server-xvfb-1.20.14-1.mga8
x11-server-xnest-1.20.14-1.mga8
x11-server-1.20.14-1.mga8
x11-server-common-1.20.14-1.mga8
x11-server-devel-1.20.14-1.mga8

from x11-server-1.20.14-1.mga8.src.rpm

Source RPM: x11-server-21.1.1-4.mga9.src.rpm, x11-server-xwayland-21.1.3-1.mga9.src.rpm => x11-server-1.20.12-1.mga8.src.rpm
Status comment: Fixed upstream in xorg server 1.20.14 and 21.1.2 and xwayland 21.1.4 => (none)

Thomas Backlund 2021-12-16 20:15:26 CET

Assignee: tmb => qa-bugs

Comment 6 Herman Viaene 2021-12-17 14:30:24 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Rebooted after installation, runniing now for 3 hours, no ill effects noted.
Note: I didn't search very throruohgly, bt I found not an easy way to configure the system to runn wayland.

CC: (none) => herman.viaene

Comment 7 Thomas Backlund 2021-12-18 18:56:18 CET 
 Advisory, added to svn:

type: security
subject: Updated x11-server packages fix security vulnerabilities
CVE:
 - CVE-2021-4008
 - CVE-2021-4009
 - CVE-2021-4010
 - CVE-2021-4011
src:
  8:
   core:
     - x11-server-1.20.14-1.mga8
description: |
  Updated x11-server packages fix security vulnerabilities:

  The handler for the CompositeGlyphs request of the Render extension does
  not properly validate the request length leading to out of bounds memory
  write (CVE-2021-4008).

  The handler for the CreatePointerBarrier request of the XFixes extension
  does not properly validate the request length leading to out of bounds
  memory write (CVE-2021-4009).

  The handler for the Suspend request of the Screen Saver extension does
  not properly validate the request length leading to out of bounds memory
  write (CVE-2021-4010).

  The handlers for the RecordCreateContext and RecordRegisterClients
  requests of the Record extension do not properly validate the request
  length leading to out of bounds memory write (CVE-2021-4011).

  All of these issues can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for
  ssh X forwarding sessions.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29767
 - https://lists.x.org/archives/xorg-announce/2021-December/003124.html

Keywords: (none) => advisory

Comment 8 Morgan Leijström 2021-12-18 23:10:29 CET 
OK here mga8-64, Plasma, Nvidia-current, 4k screen

Tested together with kernel-desktop-5.15.6-2, then with added updates of the mesa libdrm Bug 29782, and then also with kernel updated to kernel-desktop-5.15.10-1.

Normal desktop apps, videos in browser, VirtualBox with MSW7 client.

Not tested: wayland

CC: (none) => fri

Comment 10 Thomas Backlund 2021-12-19 19:25:09 CET 
Running Gnome on Wayland here for the last ~2,5 days without issues...
Thomas Backlund 2021-12-21 23:42:16 CET

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2021-12-22 00:28:46 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0573.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED