Bug 32015

Summary: libx11 new security issue CVE-2023-3138
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libx11-1.7.0-1.3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-06-15 22:38:59 CEST 
X.org has issued an advisory today (June 15):
https://lists.x.org/archives/xorg-announce/2023-June/003406.html

The issue is fixed upstream in 1.8.6:
https://lists.x.org/archives/xorg-announce/2023-June/003407.html

Mageia 8 is also affected.
David Walser 2023-06-15 22:39:27 CEST

Status comment: (none) => Fixed upstream in 1.8.6
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2023-06-16 14:15:07 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer overflows in InitExt.c in libX11 prior to 1.8.6. (CVE-2023-3138)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3138
https://lists.x.org/archives/xorg-announce/2023-June/003406.html
https://lists.x.org/archives/xorg-announce/2023-June/003407.html
========================

Updated packages in core/updates_testing:
========================
lib(64)x11_6-1.7.0-1.4.mga8
lib(64)x11-devel-1.7.0-1.4.mga8
lib(64)x11-xcb1-1.7.0-1.4.mga8
libx11-common-1.7.0-1.4.mga8
libx11-doc-1.7.0-1.4.mga8

from SRPM:
libx11-1.7.0-1.4.mga8.src.rpm

Status comment: Fixed upstream in 1.8.6 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Source RPM: libx11-1.8.4-1.mga9.src.rpm => libx11-1.7.0-1.3.mga8.src.rpm
CC: (none) => nicolas.salguero

Comment 2 Len Lawrence 2023-06-19 16:37:28 CEST 
mga8, x86_64
These updated cleanly.
libx11 applications are everywhere.   The list on this system runs to 975 items.
Started an empty session in ardour and logged out - graphics seemed OK.
Ran zenity against the built-in commands; calendar, question, entry, file-selection.  All work as expected. 
Tried xplayer on MP4 and MKV files - audio and video perfect.  Used xviewer to view an image folder.

No regressions noted.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 David Walser 2023-06-20 15:13:33 CEST 
Ubuntu has issued an advisory for this on June 15:
https://ubuntu.com/security/notices/USN-6168-1
Comment 4 Thomas Andrews 2023-06-20 16:36:18 CEST 
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:48:18 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-06-28 07:23:05 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0206.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED