A CVE was assigned for a security issue fixed in xlockmore 5.43: http://openwall.com/lists/oss-security/2013/07/18/6 xlockmore was updated to 5.43 in Cauldron by eatdirt. I have uploaded patched packages for Mageia 2 and Mageia 3. Advisory: ======================== Updated xlockmore packages fix security vulnerability: xlockmore before 5.43 contains a security flaw related to potential NULL pointer dereferences when authenticating via glibc 2.17+'s crypt() function. Under certain conditions the NULL pointers can trigger a crash in xlockmore effectively bypassing the screen lock (CVE-2013-4143). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4143 http://openwall.com/lists/oss-security/2013/07/16/8 ======================== Updated packages in core/updates_testing: ======================== xlockmore-5.38-2.2.mga2 xlockmore-gtk2-5.38-2.2.mga2 xlockmore-5.41-2.1.mga3 xlockmore-gtk2-5.41-2.1.mga3 from SRPMS: xlockmore-5.38-2.2.mga2.src.rpm xlockmore-5.41-2.1.mga3.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
Tested MGA2 32 xlockmore-5.38.2.1.mga2 installed Ran xlock which then launches screensaver and locks screen enter user passwd to release. Updated xlockmore $MIRRORLIST: media/core/updates_testing/xlockmore-5.38-2.2.mga2.i586.rpm installing xlockmore-5.38-2.2.mga2.i586.rpm from /var/cache/urpmi/rpms Preparing... ####################################################### 1/1: xlockmore Ran xlock again screensaver launches screen locked entered user passwd released screen I will test on the other archs, If there are any other procdures I should run let me know.
CC: (none) => martynvidlerWhiteboard: MGA2TOO => MGA2TOO MGA2-32-ok
Advisory 10799.adv added to svn
CC: (none) => davidwhodgins
This security bug falls into a class of issues caused by a behavior change in glibc's crypt() function. Basically it sounds like trying to authenticate for a user account with a corrupted password hash in /etc/shadow can cause crashes. See the Novell bug linked in Bug 10682 for more details, which could possibly help you figure out how to reproduce the issue.
And since we don't have glibc 2.17 on Mageia 2, this issue shouldn't be valid there. This issue is only valid for Mageia 3. Dave, please edit out Mageia 2 from the list of packages. When this is validated, we can ask the sysadmins to remove the package from Mageia 2 updates_testing. Sorry, I guess my brain wasn't fully engaged today :o( Advisory: ======================== Updated xlockmore packages fix security vulnerability: xlockmore before 5.43 contains a security flaw related to potential NULL pointer dereferences when authenticating via glibc 2.17+'s crypt() function. Under certain conditions the NULL pointers can trigger a crash in xlockmore effectively bypassing the screen lock (CVE-2013-4143). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4143 http://openwall.com/lists/oss-security/2013/07/16/8 ======================== Updated packages in core/updates_testing: ======================== xlockmore-5.41-2.1.mga3 xlockmore-gtk2-5.41-2.1.mga3 from xlockmore-5.41-2.1.mga3.src.rpm
Whiteboard: MGA2TOO MGA2-32-ok => (none)
Tested MGA3-32-OK xlockmore ver 5.41-2 installed then launched from desktop icon. xlockmore ver 5.41-2.1 from updates_testing installed then relaunched from desktop icon successfully. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) VirtualBox 4.2.12-2.mga3 Update validated Advisory: ================================= This update corrects a CVE security issue in xlockmore. Updated packages in core/updates_testing: ================================= xlockmore-5.41-2.1.mga3 xlockmore-gtk2-5.41-2.1.mga3 xlockmore-5.41-2.1.mga3.src.rpm from SRPMS: xlockmore-5.41-2.1.mga3.src.rpm
CC: (none) => wilcal.int
Whiteboard: (none) => MGA3-32-OK
Tested MGA3-64-OK xlockmore ver 5.41-2 installed then launched from desktop icon. xlockmore ver 5.41-2.1 from updates_testing installed then relaunched from desktop icon successfully. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) VirtualBox 4.2.12-2.mga3 Update validated Advisory: ================================= This update corrects a CVE security issue in xlockmore. Updated packages in core/updates_testing: ================================= xlockmore-5.41-2.1.mga3.x86_64.rpm xlockmore-gtk2-5.41-2.1.mga3.x86_64.rpm from SRPMS: xlockmore-5.41-2.1.mga3.src.rpm Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
William, thanks for testing, but don't create new advisories please. One was already given in Comment 0 and Comment 4.
Advisory updated on svn to remove mga2 package.
This looks ready to have the validated_update keyword added.
Could someone from the sysadmin team push 10799.adv to updates and remove xlockmore-5.38-2.2.mga2.src.rpm from updates testing.
Keywords: (none) => validated_update
Sorry, meant to put remove xlockmore-5.38-2.2.mga2.src.rpm from Mageia 2 Core updates testing.
http://advisories.mageia.org/MGASA-2013-0225.html
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/560031/
CC: boklm => (none)