Bug 14857 - xlockmore potential security issue fixed upstream in 5.45
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/628115/
Whiteboard: has_procedure advisory MGA4-64-OK MG...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-19 23:02 CET by David Walser
Modified: 2014-12-30 17:13 CET

See Also:
Source RPM: xlockmore-5.43-2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-12-19 23:02:46 CET
xlockmore 5.45 has been announced on December 2, fixing a potential security issue:
http://calypso.tux.org/pipermail/xlock-announce/2014/000059.html

Freeze push requested for Cauldron for xlockmore 5.45.

The upstream patch is committed in Mageia 4 SVN.

Comment 1 David Walser 2014-12-20 21:32:58 CET
Patched package uploaded for Mageia 4.

Advisory to come later.  For now, see the upstream reference in Comment 0.

xlockmore-5.43-2.1.mga4
xlockmore-gtk2-5.43-2.1.mga4

from xlockmore-5.43-2.1.mga4.src.rpm

CC: (none) => dirteat
Assignee: bugsquad => qa-bugs

Comment 2 claire robinson 2014-12-21 17:28:15 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10799#c1

Whiteboard: (none) => has_procedure

Comment 3 Herman Viaene 2014-12-23 12:10:51 CET
MGA-64 on HP Probook 6555b
No installation issues
Run xlock at CLI, locks and unlocks nicely.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 4 Herman Viaene 2014-12-23 12:12:22 CET
MGA4-32b on Acer D620
No installation issues
Run xlock at CLI, locks and unlocks nicely.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA-32-OK

Comment 5 David Walser 2014-12-23 19:11:50 CET
Make sure you test the pyro2 screensaver specifically, as that's the one that's affected by this update.

Comment 6 Herman Viaene 2014-12-24 11:23:33 CET
Tested on both 64 and 32 with CLI command
xlock -mode pyro2
No problems seen.

claire robinson 2014-12-24 11:26:04 CET

Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 7 claire robinson 2014-12-24 11:26:27 CET
Needs advisory here too please.

Comment 8 Chris Denice 2014-12-24 12:07:39 CET
Here you go (I did not find any CVE number, however).


Advisory:
========================

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.45 contains a security flaw related to a bad value of fnt for pyro2 which could cause an X error. This update backports the fix for version 5.43.

References:
http://calypso.tux.org/pipermail/xlock-announce/2014/000059.html


Updated packages in core/updates_testing:
========================
xlockmore-5.43-2.1.mga4
xlockmore-gtk2-5.43-2.1.mga4

from SRPMS:
xlockmore-5.43-2.1.mga4.src.rpm

Comment 9 claire robinson 2014-12-26 10:55:52 CET
Thanks Chris

Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-12-26 18:06:04 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0554.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-30 17:13:23 CET

URL: (none) => http://lwn.net/Vulnerabilities/628115/

