Bug 6744

Summary: x11-server new security issue CVE-2012-2118
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: minor    
Priority: Low CC: dmorganec, oe, sysadmin-bugs, thierry.vignaud, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/506204/
Whiteboard: MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK
Source RPM: x11-server-1.10.1-1.1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-07-11 00:58:52 CEST 
Gentoo has issued an advisory on July 9:
http://www.gentoo.org/security/en/glsa/glsa-201207-04.xml

Based on the version in the advisory, it appears Mageia 2 isn't affected (but we should double check just in case Gentoo patched it).

RedHat has links to the upstream commits to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=814126
David Walser 2012-07-11 00:59:03 CEST

CC: (none) => thierry.vignaud

David Walser 2012-07-11 00:59:10 CEST

CC: (none) => dmorganec

Comment 1 David Walser 2012-07-11 23:57:00 CEST 
Looking closer at the RedHat bug, they classified this as not a bug, given that they compile with FORTIFY_SOURCE.  I just checked, and we do as well.

I also looked at the code in Mageia 2, and the changes haven't been made there, so to whatever degree this is a legitimate concern, it applies there as well.

Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 2 David Walser 2012-07-12 20:29:22 CEST 
Ubuntu has issued an advisory for this on July 11:
http://www.ubuntu.com/usn/usn-1502-1/

They alluded to the same thing about the compiler options, but they issued the update anyway.
Comment 4 David Walser 2012-08-08 21:57:00 CEST 
LWN reference for CVE-2010-4818 and CVE-2010-4819:
http://lwn.net/Vulnerabilities/462113/
David Walser 2012-10-10 00:48:03 CEST

CC: (none) => oe

Comment 5 David Walser 2012-10-16 21:49:26 CEST 
I re-diffed Ubuntu's patch for CVE-2012-2118 and checked it into SVN for Mageia 1 and Mageia 2.  The version of Cauldron has it fixed upstream.

I still need to look into CVE-2010-4818 and CVE-2010-4819.
Comment 6 David Walser 2012-10-17 13:57:03 CEST 
Our versions aren't vulnerable to CVE-2010-4818 and CVE-2010-4819.

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 7 David Walser 2012-10-17 14:22:09 CEST 
Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

This fixes a format string vulnerability in the LogVHdrMessageVerb function
in os/log.c when handling input device names in X.Org X11 server
(CVE-2012-2118).  Mageia is not vulnerable to arbitrary code execution via
this vulnerability because of the compiler options that were used to build
it, but it can still cause a crash.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2118
http://www.ubuntu.com/usn/usn-1502-1/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.10.1-1.2.mga1
x11-server-devel-1.10.1-1.2.mga1
x11-server-common-1.10.1-1.2.mga1
x11-server-xorg-1.10.1-1.2.mga1
x11-server-xdmx-1.10.1-1.2.mga1
x11-server-xnest-1.10.1-1.2.mga1
x11-server-xvfb-1.10.1-1.2.mga1
x11-server-xephyr-1.10.1-1.2.mga1
x11-server-xfake-1.10.1-1.2.mga1
x11-server-xfbdev-1.10.1-1.2.mga1
x11-server-source-1.10.1-1.2.mga1
x11-server-1.11.4-2.1.mga2
x11-server-devel-1.11.4-2.1.mga2
x11-server-common-1.11.4-2.1.mga2
x11-server-xorg-1.11.4-2.1.mga2
x11-server-xdmx-1.11.4-2.1.mga2
x11-server-xnest-1.11.4-2.1.mga2
x11-server-xvfb-1.11.4-2.1.mga2
x11-server-xephyr-1.11.4-2.1.mga2
x11-server-xfake-1.11.4-2.1.mga2
x11-server-xfbdev-1.11.4-2.1.mga2
x11-server-source-1.11.4-2.1.mga2

from SRPMS:
x11-server-1.10.1-1.2.mga1.src.rpm
x11-server-1.11.4-2.1.mga2.src.rpm

Priority: Normal => Low
Assignee: bugsquad => qa-bugs
Severity: normal => minor

Comment 8 Marc Lattemann 2012-10-18 00:50:29 CEST 
using http://patchwork.freedesktop.org/patch/10001/ for testing:
naming mobile '%n%n%n' and paired it via bluetooth as input device causing X11-server to crash. After updating X11-server it does not crash when paring with mobile.
Tested successfully on mga2 x86_64

CC: (none) => marc.lattemann
Whiteboard: MGA1TOO => MGA1TOO, MGA2-OK-64

Marc Lattemann 2012-10-18 00:52:39 CEST

CC: marc.lattemann => (none)
Whiteboard: MGA1TOO, MGA2-OK-64 => MGA1TOO, MGA2-64-OK

Comment 9 Marc Lattemann 2012-10-18 01:06:12 CEST 
Tested successfully with same procedure on mga2 i586

CC: (none) => marc.lattemann
Whiteboard: MGA1TOO, MGA2-64-OK => MGA1TOO, MGA2-64-OK, MGA2-32-OK

Samuel Verschelde 2012-10-18 21:05:06 CEST

Whiteboard: MGA1TOO, MGA2-64-OK, MGA2-32-OK => MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK

Comment 10 Samuel Verschelde 2012-10-18 21:21:41 CEST 
Unfortunately, I don't have any input device that I can name to test the fix. At least I can say that my MGA 1 32 bits system still works well with the update.

Whiteboard: MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK => MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK

Comment 11 Marc Lattemann 2012-10-19 00:36:21 CEST 
I can't reproduce the crash for mga1 (both x86_64, i586) neither with package from Core/Updates nor from Testing/Updates. However as Samuel reported for i586 everything works well with tested packages for both archs.

validate updates.

Please use advisory from Comment 7.

Could sysadmin push the packages to Core/updates? Thanks.

Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK => MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK

Comment 12 Thomas Backlund 2012-10-20 17:24:38 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0299

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED