| Summary: | libX11 new security issues CVE-2023-4378[5-7] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK | ||
| Source RPM: | libx11-1.8.6-1.mga9.src.rpm | CVE: | |
| Status comment: | |||
Description
Nicolas Salguero
2023-10-09 15:57:03 CEST
Nicolas Salguero
2023-10-09 15:57:49 CEST
CC: (none) => nicolas.salguero

Assigning globally as no one packager is in evidence for this pkg.

Status comment: (none) => Fixed by libX11 1.8.7 and libXpm 3.5.17

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system. (CVE-2023-43785)

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition. (CVE-2023-43786)

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges. (CVE-2023-43787)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43787
https://www.openwall.com/lists/oss-security/2023/10/03/1
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)x11_6-1.8.6-1.1.mga9
lib(64)x11-devel-1.8.6-1.1.mga9
lib(64)x11-xcb1-1.8.6-1.1.mga9
libx11-common-1.8.6-1.1.mga9
libx11-doc-1.8.6-1.1.mga9

from SRPM:
libx11-1.8.6-1.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)x11_6-1.7.0-1.5.mga8
lib(64)x11-devel-1.7.0-1.5.mga8
lib(64)x11-xcb1-1.7.0-1.5.mga8
libx11-common-1.7.0-1.5.mga8
libx11-doc-1.7.0-1.5.mga8

from SRPM:
libx11-1.7.0-1.5.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

PC LX
2023-10-11 12:57:43 CEST
CC: (none) => mageia

Advisory from comment 2 uploaded, please remove the advisory keyword if it needs to be changed.

CC: (none) => marja11

MGA9 Plasma on an HP Pavilion 15. No installation issues. Using bug 32015 comment 2 as a guide, tried several calls of zenity with various options, with no issues. No issues with the desktop, either.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK

MGA8-64 Plasma on the same hardware as comment 4. Same tests, same results. In addition, looking at some of the other packages that require lib64x11_6, I see things like Firefox, which I am using now to write this. Giving this an OK for MGA8, and validating.

CC: (none) => sysadmin-bugs

Tested on 32-bit hardware for both releases, as well. Both OK.

Whiteboard: MGA8TOO MGA9-64-OK MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0287.html

Status: ASSIGNED => RESOLVED