Ubuntu has issued an advisory on December 3:
http://www.ubuntu.com/usn/usn-2047-1/

A CVE was requested and granted for this issue:
http://openwall.com/lists/oss-security/2013/12/04/8

The issue is already fixed upstream in the pixman version in Cauldron.

Note to QA: there's a PoC in the launchpad bug. Beware, it crashes the X server.

Advisory:
========================

Updated pixman packages fix security vulnerability:

Bryan Quigley discovered an integer underflow in pixman. If a user were tricked into opening a specially crafted file, an attacker could cause a denial of service via application crash (CVE-2013-6425).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6425
http://openwall.com/lists/oss-security/2013/12/04/8
http://www.ubuntu.com/usn/usn-2047-1/
========================

Updated packages in core/updates_testing:
========================
libpixman1_0-0.28.2-2.1.mga3
libpixman-devel-0.28.2-2.1.mga3

from pixman-0.28.2-2.1.mga3.src.rpm
CC'ing Thierry. Thierry, please have a look at this also, since there's also CVE-2013-6424 for Xorg and patches for that. Here's the oss-sec thread: http://openwall.com/lists/oss-security/2013/12/04/8 The Launchpad bug has more info which may be of interest as well: https://launchpad.net/bugs/1197921
CC: (none) => thierry.vignaud
Version: Cauldron => 3
PoC file available at https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1197921/+attachment/3748789/+files/plantage-mai-only-empty.ods

Advisory 11874.adv committed to svn.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing complete on Mageia 3 i586 and x86_64. Validating the update. Someone from the sysadmin team please push 11874.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0366.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN has posted the reference for this, with a new page since the Ubuntu one didn't list a CVE. I let them know and imagine they'll combine them soon: http://lwn.net/Vulnerabilities/576267/