CVEs have been assigned for security issues in sddm today (October 6):
http://openwall.com/lists/oss-security/2014/10/06/4

Details are available in the thread linked above. There are pull requests linked also with fixes. I don't know if they have been accepted upstream yet.

Mageia 4 is also likely to be affected.
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA4TOO
Version 0.10.0 has been released with the fixes for this: https://github.com/sddm/sddm/releases/tag/v0.10.0
sddm-0.10.0 has been committed and push request raised.
CC: (none) => doktor5000
Fixed in sddm-0.10.0-1.mga5. Now we just need to update Mageia 4.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Fedora has issued an advisory for this on October 8: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141494.html
URL: (none) => http://lwn.net/Vulnerabilities/618319/
For the record: I've finally finished updating sddm to 0.10.0 and merged in all the relevant functional changes and bugfixes from cauldron. Submitted libxcb-1.9.1-2.1.mga4 and sddm-0.10.0-1.mga4 to 4/updates_testing. Will provide a list once the build is OK, then reassign to QA including advisory and testing instructions.
Priority: Normal => High
Hardware: i586 => All
CVE: (none) => CVE-2014-7271, CVE-2014-7272
Source RPM: sddm-0.9.0-9.mga5.src.rpm => sddm-0.10.0-1.mga4.src.rpm
Assignee: mageia => doktor5000
I've submitted an updated package for sddm to Mageia 4. sddm was barely usable before, and affected by at least two severe security issues, CVE-2014-7271 and CVE-2014-7272. It also adds a default configuration file, which hides system users and enables successful upgrade to Mageia 5.

You can test this by installing sddm, switching to it via drakboot, then logging out and testing if login to desktop is working, and also if logout is working. Newer libxcb packages are required for newer sddm, they are listed in the advisory too.

Suggested advisory:
========================

Updated sddm packages fix security vulnerabilities:

Never try to login as the sddm user (CVE-2014-7271)
Fix race condition in XAUTHORITY file generation (CVE-2014-7272)
XAUTHORITY file is no longer owned by root
Fixed PAM environment variables being overridden
Fixed autologin with the passwd backend

References:
https://github.com/sddm/sddm/releases/tag/v0.10.0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7272
http://lwn.net/Vulnerabilities/618319/
========================

Updated packages in core/updates_testing:
========================
sddm-0.10.0-1.mga4.i586
sddm-0.10.0-1.mga4.x86_64
libxcb-doc-1.9.1-2.1.mga4.x86_64
lib64xcb-composite0-1.9.1-2.1.mga4.x86_64
lib64xcb-damage0-1.9.1-2.1.mga4.x86_64
lib64xcb-devel-1.9.1-2.1.mga4.x86_64
lib64xcb-dpms0-1.9.1-2.1.mga4.x86_64
lib64xcb-dri2_0-1.9.1-2.1.mga4.x86_64
lib64xcb-glx0-1.9.1-2.1.mga4.x86_64
lib64xcb-randr0-1.9.1-2.1.mga4.x86_64
lib64xcb-record0-1.9.1-2.1.mga4.x86_64
lib64xcb-render0-1.9.1-2.1.mga4.x86_64
lib64xcb-res0-1.9.1-2.1.mga4.x86_64
lib64xcb-screensaver0-1.9.1-2.1.mga4.x86_64
lib64xcb-shape0-1.9.1-2.1.mga4.x86_64
lib64xcb-shm0-1.9.1-2.1.mga4.x86_64
lib64xcb-static-devel-1.9.1-2.1.mga4.x86_64
lib64xcb-sync0-1.9.1-2.1.mga4.x86_64
lib64xcb-xevie0-1.9.1-2.1.mga4.x86_64
lib64xcb-xf86dri0-1.9.1-2.1.mga4.x86_64
lib64xcb-xfixes0-1.9.1-2.1.mga4.x86_64
lib64xcb-xinerama0-1.9.1-2.1.mga4.x86_64
lib64xcb-xkb0-1.9.1-2.1.mga4.x86_64
lib64xcb-xprint0-1.9.1-2.1.mga4.x86_64
lib64xcb-xtest0-1.9.1-2.1.mga4.x86_64
lib64xcb-xv0-1.9.1-2.1.mga4.x86_64
lib64xcb-xvmc0-1.9.1-2.1.mga4.x86_64
lib64xcb1-1.9.1-2.1.mga4.x86_64
libxcb-composite0-1.9.1-2.1.mga4.i586
libxcb-damage0-1.9.1-2.1.mga4.i586
libxcb-devel-1.9.1-2.1.mga4.i586
libxcb-doc-1.9.1-2.1.mga4.i586
libxcb-dpms0-1.9.1-2.1.mga4.i586
libxcb-dri2_0-1.9.1-2.1.mga4.i586
libxcb-glx0-1.9.1-2.1.mga4.i586
libxcb-randr0-1.9.1-2.1.mga4.i586
libxcb-record0-1.9.1-2.1.mga4.i586
libxcb-render0-1.9.1-2.1.mga4.i586
libxcb-res0-1.9.1-2.1.mga4.i586
libxcb-screensaver0-1.9.1-2.1.mga4.i586
libxcb-shape0-1.9.1-2.1.mga4.i586
libxcb-shm0-1.9.1-2.1.mga4.i586
libxcb-static-devel-1.9.1-2.1.mga4.i586
libxcb-sync0-1.9.1-2.1.mga4.i586
libxcb-xevie0-1.9.1-2.1.mga4.i586
libxcb-xf86dri0-1.9.1-2.1.mga4.i586
libxcb-xfixes0-1.9.1-2.1.mga4.i586
libxcb-xinerama0-1.9.1-2.1.mga4.i586
libxcb-xkb0-1.9.1-2.1.mga4.i586
libxcb-xprint0-1.9.1-2.1.mga4.i586
libxcb-xtest0-1.9.1-2.1.mga4.i586
libxcb-xv0-1.9.1-2.1.mga4.i586
libxcb-xvmc0-1.9.1-2.1.mga4.i586
libxcb1-1.9.1-2.1.mga4.i586

Source RPMs:
sddm-0.10.0-1.mga4.src
libxcb-1.9.1-2.1.mga4.src
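As an added post-update check (not part of this bug report, of sddm, or of the Mageia package), the following Python helper verifies the property the advisory above names for the XAUTHORITY fixes: the file handed to a session must be owned by the session user rather than root, must be a real file rather than a symlink, and must not be readable by group or others. The file names and the temporary directory used in `demo()` are constructed for the demonstration.

```python
"""Check an XAUTHORITY file for the conditions the sddm 0.10.0 advisory
describes (file no longer root-owned, no race-prone symlink, private mode).
Added example; not sddm's or Mageia's code."""
import os
import stat
import tempfile


def xauthority_problems(path, expected_uid):
    """Return a list of findings for the file at `path`; [] means it passes."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink, inspect it
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")  # a link here is what a race would plant
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid == 0 and expected_uid != 0:
        problems.append("owned by root")  # the pre-0.10.0 behaviour
    elif st.st_uid != expected_uid:
        problems.append("wrong owner uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permissions %o" % (st.st_mode & 0o777))
    return problems


def demo():
    """Run the check on constructed files in a private temp dir (never touches
    a real session) and return {case: findings}."""
    me = os.getuid()
    d = tempfile.mkdtemp(prefix="xauth-check-")
    good = os.path.join(d, "xauth_good")  # constructed: owned by us, 0600
    with open(good, "w"):
        pass
    os.chmod(good, 0o600)
    loose = os.path.join(d, "xauth_loose")  # constructed: world-readable
    with open(loose, "w"):
        pass
    os.chmod(loose, 0o644)
    link = os.path.join(d, "xauth_link")  # constructed: symlink to the good file
    os.symlink(good, link)
    return {
        "good": xauthority_problems(good, me),
        "loose": xauthority_problems(loose, me),
        "link": xauthority_problems(link, me),
        "missing": xauthority_problems(os.path.join(d, "absent"), me),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "OK" if not findings else ", ".join(findings))
```

On a live system run `xauthority_problems(os.environ["XAUTHORITY"], os.getuid())` from inside the session that sddm started.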
Status: NEW => ASSIGNED
Assignee: doktor5000 => qa-bugs
Seems a linebreak was missing, and I added the link from Comment #0 :)

References:
http://openwall.com/lists/oss-security/2014/10/06/4
http://lwn.net/Vulnerabilities/618319/
https://github.com/sddm/sddm/releases/tag/v0.10.0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7272
Please use the Fedora advisory instead of the LWN link in the advisory:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141494.html
Installed new sddm.
Switched to it in MCC - Boot.
After two warnings, user was logged off and sddm login screen appears. Log in OK.
Logged out, went OK and came back in sddm login screen. Logged in again.
Switched back to KDM in MCC - Boot. After two warnings, user was logged off and KDM login screen appears, logging in is OK.
No problems encountered.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
Suggested advisory:
========================

Updated sddm packages fix security vulnerabilities:

Sddm may in some cases allow unauthenticated logins as the sddm user (CVE-2014-7271).

Sddm is vulnerable to a race condition in XAUTHORITY file generation (CVE-2014-7272).

Sddm has been updated to version 0.10.0, fixing these issues and several other bugs, and adding new functionality.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7272
https://github.com/sddm/sddm/releases/tag/v0.10.0
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141494.html
Advisory uploaded, I added a mention to the updated libxcb packages.
CC: (none) => remi
Whiteboard: MGA4-64-OK => MGA4-64-OK advisory
Tested Mageia 4 i586.

After using drakconf to switch to sddm and it logged me out, I was at the tty1 boot screen and SDDM never came up. I switched to tty2 and logged in as root and then did:
systemctl restart graphical.target
and then SDDM came up fine and I was able to log in.

Was this just a blip I encountered or a bigger issue? I am using KDE and had been using KDM.
Priority: High => Normal
Whiteboard: MGA4-64-OK advisory => MGA4-64-OK feedback
Severity: normal => critical
Whiteboard: MGA4-64-OK feedback => has_procedure advisory MGA4-64-OK feedback
(In reply to David Walser from comment #12)
> Tested Mageia 4 i586.
>
> After using drakconf to switch to sddm and it logged me out, I was at the
> tty1 boot screen and SDDM never came up.

You said "yes" when drakboot asked to restart dm service, and then ended on a tty? X didn't restart?

Question would be, how do you start your X or DM session in the first place? It should work with the default, that is boot to runlevel 5 / graphical.target which starts prefdm.

And anything to be seen in journalctl output, or in "systemctl status prefdm.service" output?
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=11401
Ping? Anything missing for validation on i586?
The updated libxcb and lib64xcb packages are not present on the mirrors. libxcb-1.9.1-2.1.mga4.src is also missing. Perhaps removed inadvertently during the cleaning? (I checked distrib-coffee.)
Yep. I re-pushed libxcb to updates_testing.
I installed the updated sddm and libxcb packages on a Mageia 4 32 bit system which was using KDM and KDE. I used drakdm to set sddm as the display manager and allowed it to restart X. I was logged out and the sddm login screen was displayed. My user was listed (my UUID is 1000) and I was able to login (to KDE). As a double check, I re-booted and the sddm login was displayed. I was able to login successfully. Getting back to KDM, however, was not so simple. If I changed back to KDM without re-booting, then the change worked as expected. However, after re-booting when sddm was the DM, it seemed to be impossible to change back to KDM. After making the change in drakdm, the X-server was not restarted, but /etc/sysconfig/desktop was changed to show KDM as the DM. Manually killing X, logging out or re-booting resulted in the sddm login being displayed. The only way that I could get back to a KDM login was to remove sddm. I repeated the whole process from the beginning with the same results. The system I used for testing is a default KDE install, fully updated.
(In reply to Florian Hubold from comment #13)
> (In reply to David Walser from comment #12)
> > Tested Mageia 4 i586.
> >
> > After using drakconf to switch to sddm and it logged me out, I was at the
> > tty1 boot screen and SDDM never came up.
>
> You said "yes" when drakboot asked to restart dm service, and then ended on
> a tty? X didn't restart?

Yes.

> Question would be, how do you start your X or DM session in the first place?

graphical.target as normal.

> It should work with the default, that is boot to runlevel 5 /
> graphical.target which starts prefdm. And anything to be seen in journalctl
> output?

Nov 26 12:00:31 A-STU12-P.pod1A.net drakconf[9222]: ### Program is starting ###
Nov 26 12:00:35 A-STU12-P.pod1A.net drakdm[9252]: ### Program is starting ###
Nov 26 12:00:38 A-STU12-P.pod1A.net drakdm[9252]: Switching to "SDDM" display manager
Nov 26 12:00:44 A-STU12-P.pod1A.net drakdm[9252]: running: /etc/rc.d/init.d/dm restart
Nov 26 12:00:44 A-STU12-P.pod1A.net drakdm[9252]: ### Program is exiting ###
Nov 26 12:00:44 A-STU12-P.pod1A.net systemd[1]: Stopping Display Manager...
Nov 26 12:00:44 A-STU12-P.pod1A.net mgaapplet[2872]: Received SIGHUP (probably an upgrade has finished), restarting applet.
Nov 26 12:00:44 A-STU12-P.pod1A.net polkitd[1392]: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.40, object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Nov 26 12:00:44 A-STU12-P.pod1A.net kdm[1404]: :0[1404]: pam_tcb(kdm:session): Session closed for student
Nov 26 12:00:44 A-STU12-P.pod1A.net su[10527]: pam_tcb(su:session): Session closed for root
Nov 26 12:00:45 A-STU12-P.pod1A.net systemd[1]: Stopped Display Manager.
Nov 26 12:00:54 A-STU12-P.pod1A.net acpid[1035]: client 1089[0:0] has disconnected

So there's no indication of why X didn't start back up.
The next thing in the journal is me starting a getty on tty2 so that I could login as root and do systemctl restart graphical.target to make it come back up. I also get the same behavior switching from SDDM back to KDM. So, that works too, other than this one glitch.
I just switched back to SDDM yet again and it worked fine this time. So, this is apparently an issue with drakdm or prefdm or something and not SDDM itself. It seems to work fine. I'll validate this. Thanks Florian.
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA4-64-OK feedback => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0504.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED