| Summary: | x11-server, x11-server-xwayland new security issues CVE-2023-5367, CVE-2023-5380 and CVE-2023-5574 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, fri, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK | ||
| Source RPM: | x11-server, x11-server-xwayland | CVE: | |
| Status comment: | |||
Description
Nicolas Salguero
2023-10-27 12:42:16 CEST
The issues are fixed in x11-server 21.1.9 and x11-server-xwayland 23.2.2.

Source RPM: (none) => x11-server, x11-server-xwayland

Assigning to the registered x11-server and x11-server-xwayland maintainer

CC: (none) => marja11

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

OOB write in XIChangeDeviceProperty/RRChangeOutputProperty. (CVE-2023-5367)

Use-after-free bug in DestroyWindow. (CVE-2023-5380)

Use-after-free bug in DamageDestroy. (CVE-2023-5574)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5367
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5380
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5574
https://www.openwall.com/lists/oss-security/2023/10/25/1
========================

Updated packages in 9/core/updates_testing:
========================
x11-server-21.1.8-7.1.mga9
x11-server-common-21.1.8-7.1.mga9
x11-server-devel-21.1.8-7.1.mga9
x11-server-source-21.1.8-7.1.mga9
x11-server-xephyr-21.1.8-7.1.mga9
x11-server-xnest-21.1.8-7.1.mga9
x11-server-xorg-21.1.8-7.1.mga9
x11-server-xvfb-21.1.8-7.1.mga9
x11-server-xwayland-22.1.9-1.1.mga9
x11-server-xwayland-devel-22.1.9-1.1.mga9

from SRPMS:
x11-server-21.1.8-7.1.mga9.src.rpm
x11-server-xwayland-22.1.9-1.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
x11-server-1.20.14-4.4.mga8
x11-server-common-1.20.14-4.4.mga8
x11-server-devel-1.20.14-4.4.mga8
x11-server-source-1.20.14-4.4.mga8
x11-server-xdmx-1.20.14-4.4.mga8
x11-server-xephyr-1.20.14-4.4.mga8
x11-server-xnest-1.20.14-4.4.mga8
x11-server-xorg-1.20.14-4.4.mga8
x11-server-xvfb-1.20.14-4.4.mga8
x11-server-xwayland-1.20.14-4.4.mga8

from SRPM:
x11-server-1.20.14-4.4.mga8.src.rpm

Status: NEW => ASSIGNED

Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory

Installed and tested without issues.

Tested a bunch of applications, OpenGL 3D (glxinfo, glmark2), video.

System: Mageia 8, x86_64 Plasma DE, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz, Intel integrated GPU.

$ uname -a
Linux marte 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-1.20.14-4.4.mga8
x11-server-xorg-1.20.14-4.4.mga8
x11-server-xwayland-1.20.14-4.4.mga8
$ lscpu | grep "Model name"
Model name: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
$ lspci | grep VGA
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller (rev 06)

CC: (none) => mageia

Installed and tested without issues.

Tested desktop applications, OpenGL 3D (glxinfo, glmark2), video.

System: Mageia 8, x86_64 Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-1.20.14-4.4.mga8
x11-server-xorg-1.20.14-4.4.mga8
x11-server-xwayland-1.20.14-4.4.mga8
$ LANGUAGE=C lscpu | grep "Model name"
Model name: AMD Ryzen 5 5600G with Radeon Graphics
$ lspci | grep VGA
03:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Navi 24 [Radeon RX 6400 / 6500 XT] (rev c1)
0c:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Cezanne (rev c9)

Installed and tested without issues.

Tested desktop applications, OpenGL 3D (glxinfo, glmark2), video.

Host system: See comment 6.

Guest System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics, virtio display driver.

$ uname -a
Linux jupiter-vm-mageia-9-jogos 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-21.1.8-7.1.mga9
x11-server-xorg-21.1.8-7.1.mga9
x11-server-xwayland-22.1.9-1.1.mga9
$ LANGUAGE=C lscpu | grep "Model name"
Model name: AMD Ryzen 5 5600G with Radeon Graphics
$ lspci | grep VGA
00:01.0 VGA compatible controller: Red Hat, Inc. Virtio 1.0 GPU (rev 01)

Installed and tested without issues.

Tested desktop applications, OpenGL and Vulkan, Steam, Steam games, video.

Host system: See comment 6.

Guest System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics, Radeon RX 6500 XT using amdgpu display driver using PCI passthrough.

$ uname -a
Linux jupiter-vm-mageia-9-jogos 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-21.1.8-7.1.mga9
x11-server-xorg-21.1.8-7.1.mga9
x11-server-xwayland-22.1.9-1.1.mga9
$ LANGUAGE=C lscpu | grep "Model name"
Model name: AMD Ryzen 5 5600G with Radeon Graphics
$ lspci | grep VGA
0c:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Navi 24 [Radeon RX 6400/6500 XT/6500M] (rev c1)

On Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, Mageia 8 and Mageia 9 Xfce systems, installed and tested without issues. Tested some applications, no issues to report.

Updated the Mageia 9 system to kernel-desktop 6.4.16-5, and still no issues.

OKing this for both releases and arches, and validating.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK

mga9-64 OK here
HW: Intel i7-870, P55 chipset, nvidia470-470.199.02-3 on GTX750
SW: Plasma X11, Normal desktop apps, VirtualBox MSW7 guest suspend-resume

CC: (none) => fri

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0307.html

Resolution: (none) => FIXED