======================================================
Name: CVE-2013-4396
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: MLIST:[oss-security] 20131008 Fwd: X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests
Reference: URL:http://openwall.com/lists/oss-security/2013/10/08/6
Reference: MLIST:[xorg-announce] 20131008 X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests
Reference: URL:http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1014561

Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure.
Version: 2 => Cauldron
Assignee: bugsquad => thierry.vignaud
Summary: CVE-2013-4396: xorg-x11-server - use-after-free flaw when handling ImageText requests => xorg-x11-server - use-after-free flaw when handling ImageText requests (CVE-2013-4396)
Whiteboard: (none) => MGA3TOO, MGA2TOO
FYI the upstream patch applies in our Mageia 3 and Cauldron packages, but not in the Mageia 2 one. It'll need rewriting for that version.
Severity: normal => major
Updated by Funda.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure (CVE-2013-4396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4396
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
https://bugzilla.redhat.com/show_bug.cgi?id=1014561
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.4.mga2
x11-server-devel-1.11.4-2.4.mga2
x11-server-common-1.11.4-2.4.mga2
x11-server-xorg-1.11.4-2.4.mga2
x11-server-xdmx-1.11.4-2.4.mga2
x11-server-xnest-1.11.4-2.4.mga2
x11-server-xvfb-1.11.4-2.4.mga2
x11-server-xephyr-1.11.4-2.4.mga2
x11-server-xfake-1.11.4-2.4.mga2
x11-server-xfbdev-1.11.4-2.4.mga2
x11-server-source-1.11.4-2.4.mga2
x11-server-1.13.4-2.2.mga3
x11-server-devel-1.13.4-2.2.mga3
x11-server-common-1.13.4-2.2.mga3
x11-server-xorg-1.13.4-2.2.mga3
x11-server-xdmx-1.13.4-2.2.mga3
x11-server-xnest-1.13.4-2.2.mga3
x11-server-xvfb-1.13.4-2.2.mga3
x11-server-xephyr-1.13.4-2.2.mga3
x11-server-xfake-1.13.4-2.2.mga3
x11-server-xfbdev-1.13.4-2.2.mga3
x11-server-source-1.13.4-2.2.mga3

from SRPMS:
x11-server-1.11.4-2.4.mga2.src.rpm
x11-server-1.13.4-2.2.mga3.src.rpm
CC: (none) => fundawang, thierry.vignaud
Version: Cauldron => 3
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
*** Bug 11440 has been marked as a duplicate of this bug. ***
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396 => http://lwn.net/Vulnerabilities/570465/
MGA3 32-bit

Updated x11-server-1.13.4-2.2.mga3 & x11-server-common-1.13.4-2.2.mga3. No new problems noted.
CC: (none) => lewyssmith
RedHat has issued an advisory for this on October 15:
https://rhn.redhat.com/errata/RHSA-2013-1426.html

Updating the reference in the advisory.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure (CVE-2013-4396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4396
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
https://rhn.redhat.com/errata/RHSA-2013-1426.html
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.4.mga2
x11-server-devel-1.11.4-2.4.mga2
x11-server-common-1.11.4-2.4.mga2
x11-server-xorg-1.11.4-2.4.mga2
x11-server-xdmx-1.11.4-2.4.mga2
x11-server-xnest-1.11.4-2.4.mga2
x11-server-xvfb-1.11.4-2.4.mga2
x11-server-xephyr-1.11.4-2.4.mga2
x11-server-xfake-1.11.4-2.4.mga2
x11-server-xfbdev-1.11.4-2.4.mga2
x11-server-source-1.11.4-2.4.mga2
x11-server-1.13.4-2.2.mga3
x11-server-devel-1.13.4-2.2.mga3
x11-server-common-1.13.4-2.2.mga3
x11-server-xorg-1.13.4-2.2.mga3
x11-server-xdmx-1.13.4-2.2.mga3
x11-server-xnest-1.13.4-2.2.mga3
x11-server-xvfb-1.13.4-2.2.mga3
x11-server-xephyr-1.13.4-2.2.mga3
x11-server-xfake-1.13.4-2.2.mga3
x11-server-xfbdev-1.13.4-2.2.mga3
x11-server-source-1.13.4-2.2.mga3

from SRPMS:
x11-server-1.11.4-2.4.mga2.src.rpm
x11-server-1.13.4-2.2.mga3.src.rpm
In VirtualBox, M2, KDE, 32-bit

Package(s) under test: x11-server-common x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.2.mga2.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.2.mga2.i586 is already installed

KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing
reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.4.mga2.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.4.mga2.i586 is already installed

KDE operating normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
CC: (none) => wilcal.int
In VirtualBox, M2, KDE, 64-bit

Package(s) under test: x11-server-common x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.2.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.2.mga2.x86_64 is already installed

KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing
reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.11.4-2.4.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.11.4-2.4.mga2.x86_64 is already installed

KDE operating normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: x11-server-common x11-server-xorg

Default package installed:
[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.mga3.i586 is already installed

KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing
reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.2.mga3.i586 is already installed

KDE operating normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: x11-server-common x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.mga3.x86_64 is already installed

KDE operating normally

Install x11-server-common & x11-server-xorg updates from core updates_testing
reboot

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.13.4-2.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.13.4-2.2.mga3.x86_64 is already installed

KDE operating normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Adding missing whiteboard tags from previous testing.
Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Advisory uploaded. Validating. Could sysadmin please push from 2&3 core/updates_testing to updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0317.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED