Bug 10799 - xlockmore new security issue CVE-2013-4143
Summary: xlockmore new security issue CVE-2013-4143
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/560031/
Whiteboard: MGA3-32-OK MGA3-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-07-18 20:37 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
4 users (show)

See Also:
Source RPM: xlockmore-5.41-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-18 20:37:03 CEST
A CVE was assigned for a security issue fixed in xlockmore 5.43:
http://openwall.com/lists/oss-security/2013/07/18/6

xlockmore was updated to 5.43 in Cauldron by eatdirt.

I have uploaded patched packages for Mageia 2 and Mageia 3.

Advisory:
========================

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.43 contains a security flaw related to potential NULL
pointer dereferences when authenticating via glibc 2.17+'s crypt() function.
Under certain conditions the NULL pointers can trigger a crash in xlockmore
effectively bypassing the screen lock (CVE-2013-4143).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4143
http://openwall.com/lists/oss-security/2013/07/16/8
========================

Updated packages in core/updates_testing:
========================
xlockmore-5.38-2.2.mga2
xlockmore-gtk2-5.38-2.2.mga2
xlockmore-5.41-2.1.mga3
xlockmore-gtk2-5.41-2.1.mga3

from SRPMS:
xlockmore-5.38-2.2.mga2.src.rpm
xlockmore-5.41-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-18 20:38:14 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 martyn vidler 2013-07-19 21:21:24 CEST
Tested MGA2 32

xlockmore-5.38.2.1.mga2 installed
Ran xlock which then launches screensaver and locks screen enter user passwd to release.

Updated xlockmore
$MIRRORLIST: media/core/updates_testing/xlockmore-5.38-2.2.mga2.i586.rpm
installing xlockmore-5.38-2.2.mga2.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #######################################################
      1/1: xlockmore

Ran xlock again screensaver launches screen locked
entered user passwd released screen

I will test on the other archs, If there are any other procdures I should run let me know.

CC: (none) => martynvidler
Whiteboard: MGA2TOO => MGA2TOO MGA2-32-ok

Comment 2 Dave Hodgins 2013-07-19 22:12:21 CEST
Advisory 10799.adv added to svn

CC: (none) => davidwhodgins

Comment 3 David Walser 2013-07-19 22:16:10 CEST
This security bug falls into a class of issues caused by a behavior change in glibc's crypt() function.  Basically it sounds like trying to authenticate for a user account with a corrupted password hash in /etc/shadow can cause crashes.  See the Novell bug linked in Bug 10682 for more details, which could possibly help you figure out how to reproduce the issue.
Comment 4 David Walser 2013-07-20 03:27:06 CEST
And since we don't have glibc 2.17 on Mageia 2, this issue shouldn't be valid there.  This issue is only valid for Mageia 3.

Dave, please edit out Mageia 2 from the list of packages.  When this is validated, we can ask the sysadmins to remove the package from Mageia 2 updates_testing.

Sorry, I guess my brain wasn't fully engaged today :o(

Advisory:
========================

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.43 contains a security flaw related to potential NULL
pointer dereferences when authenticating via glibc 2.17+'s crypt() function.
Under certain conditions the NULL pointers can trigger a crash in xlockmore
effectively bypassing the screen lock (CVE-2013-4143).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4143
http://openwall.com/lists/oss-security/2013/07/16/8
========================

Updated packages in core/updates_testing:
========================
xlockmore-5.41-2.1.mga3
xlockmore-gtk2-5.41-2.1.mga3

from xlockmore-5.41-2.1.mga3.src.rpm

Whiteboard: MGA2TOO MGA2-32-ok => (none)

Comment 5 William Kenney 2013-07-20 05:01:32 CEST
Tested MGA3-32-OK

xlockmore ver 5.41-2 installed then launched from desktop icon.

xlockmore ver 5.41-2.1 from updates_testing installed
then relaunched from desktop icon successfully.

Test platform:
 Intel Core i7-2600K Sandy Bridge 3.4GHz
 GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
 GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
 RTL8111/8168B PCI Express 1Gbit Ethernet
 DRAM 16GB (4 x 4GB)
 VirtualBox 4.2.12-2.mga3

Update validated

Advisory:
=================================
This update corrects a CVE security issue in xlockmore.


Updated packages in core/updates_testing:
=================================

xlockmore-5.41-2.1.mga3
xlockmore-gtk2-5.41-2.1.mga3
xlockmore-5.41-2.1.mga3.src.rpm

from SRPMS:
xlockmore-5.41-2.1.mga3.src.rpm

CC: (none) => wilcal.int

William Kenney 2013-07-20 05:02:08 CEST

Whiteboard: (none) => MGA3-32-OK

Comment 6 William Kenney 2013-07-20 05:24:49 CEST
Tested MGA3-64-OK

xlockmore ver 5.41-2 installed then launched from desktop icon.

xlockmore ver 5.41-2.1 from updates_testing installed
then relaunched from desktop icon successfully.

Test platform:
 Intel Core i7-2600K Sandy Bridge 3.4GHz
 GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
 GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
 RTL8111/8168B PCI Express 1Gbit Ethernet
 DRAM 16GB (4 x 4GB)
 VirtualBox 4.2.12-2.mga3

Update validated

Advisory:
=================================
This update corrects a CVE security issue in xlockmore.


Updated packages in core/updates_testing:
=================================

xlockmore-5.41-2.1.mga3.x86_64.rpm
xlockmore-gtk2-5.41-2.1.mga3.x86_64.rpm

from SRPMS:
xlockmore-5.41-2.1.mga3.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.


Thank you!

Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK

William Kenney 2013-07-20 05:27:58 CEST

CC: (none) => sysadmin-bugs

Comment 7 David Walser 2013-07-20 12:12:22 CEST
William, thanks for testing, but don't create new advisories please.  One was already given in Comment 0 and Comment 4.
Comment 8 claire robinson 2013-07-20 14:25:20 CEST
Advisory updated on svn to remove mga2 package.
Comment 9 David Walser 2013-07-20 22:59:39 CEST
This looks ready to have the validated_update keyword added.
Comment 10 Dave Hodgins 2013-07-21 04:31:21 CEST
Could someone from the sysadmin team push 10799.adv to updates and
remove xlockmore-5.38-2.2.mga2.src.rpm from updates testing.

Keywords: (none) => validated_update

Comment 11 Dave Hodgins 2013-07-21 04:32:51 CEST
Sorry, meant to put remove xlockmore-5.38-2.2.mga2.src.rpm from
Mageia 2 Core updates testing.
Comment 12 Nicolas Vigier 2013-07-21 12:05:37 CEST
http://advisories.mageia.org/MGASA-2013-0225.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

David Walser 2013-07-22 19:36:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/560031/

Nicolas Vigier 2014-05-08 18:05:16 CEST

CC: boklm => (none)


Note You need to log in before you can comment on or make changes to this bug.