Upstream has issued an advisory on February 10:
http://lists.freedesktop.org/archives/xorg/2015-February/057158.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request, where the server trusts the client to send valid string lengths. A malicious client with string lengths exceeding the request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. This can lead to information disclosure issues, as well as possibly a denial of service if a similar request can cause the server to crash (CVE-2015-0255).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.14.5-2.3.mga4
x11-server-devel-1.14.5-2.3.mga4
x11-server-common-1.14.5-2.3.mga4
x11-server-xorg-1.14.5-2.3.mga4
x11-server-xdmx-1.14.5-2.3.mga4
x11-server-xnest-1.14.5-2.3.mga4
x11-server-xvfb-1.14.5-2.3.mga4
x11-server-xephyr-1.14.5-2.3.mga4
x11-server-xfake-1.14.5-2.3.mga4
x11-server-xfbdev-1.14.5-2.3.mga4
x11-server-source-1.14.5-2.3.mga4

from x11-server-1.14.5-2.3.mga4.src.rpm
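As an added illustration (not code from this bug, the advisory, or the xorg-server tree): a constructed model in C of the bug class the advisory describes, a counted string whose client-supplied length is trusted even though the request is shorter than it claims, next to a bounds-checked variant that rejects the request instead. The wire layout (2-byte little-endian length followed by the bytes), the `request_t` type, the `in_request` check and all function names are assumptions for this example; the real XkbSetGeometry encoding and the upstream patch are not reproduced here. The "adjacent memory" is simulated by placing a marker string in the same buffer just past the end of the request, so the over-read stays inside one allocation and the leak is observable.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_STR 32

/* Assumed request descriptor: the byte range the client actually sent. */
typedef struct {
    const uint8_t *start;   /* first byte of the request body */
    const uint8_t *end;     /* one past the last byte the client sent */
} request_t;

/* Hypothetical bounds check: a field may be consumed only if it lies
 * entirely inside the request the client sent. */
static int in_request(const request_t *req, const uint8_t *lo, const uint8_t *hi)
{
    return lo >= req->start && lo <= hi && hi <= req->end;
}

/* Vulnerable pattern: trusts the client-supplied length and copies that
 * many bytes regardless of how many the request actually contains.
 * The MAX_STR clamp only protects the destination, not the source. */
static int copy_string_trusting(const uint8_t **wire, char out[MAX_STR])
{
    uint16_t len = (uint16_t)((*wire)[0] | ((*wire)[1] << 8));
    *wire += 2;
    if (len >= MAX_STR) len = MAX_STR - 1;
    memcpy(out, *wire, len);        /* may read past the end of the request */
    out[len] = '\0';
    *wire += len;
    return len;
}

/* Hardened pattern: refuse (BadLength-style, returned here as -1) when the
 * length field or the string body extends past the end of the request. */
static int copy_string_checked(const request_t *req, const uint8_t **wire, char out[MAX_STR])
{
    const uint8_t *p = *wire;
    if (!in_request(req, p, p + 2)) return -1;
    uint16_t len = (uint16_t)(p[0] | (p[1] << 8));
    if (!in_request(req, p + 2, p + 2 + len)) return -1;
    if (len >= MAX_STR) return -1;
    memcpy(out, p + 2, len);
    out[len] = '\0';
    *wire = p + 2 + len;
    return len;
}

/* Constructed scenario: a 5-byte request that claims a 12-byte string, held
 * in a larger buffer so that the bytes beyond the request stand in for
 * adjacent server memory (here the marker "SECRET!"). */
static uint8_t arena[64];

static void build_scenario(request_t *req)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 12; arena[1] = 0;        /* claimed length: 12 */
    memcpy(arena + 2, "abc", 3);        /* only 3 bytes were actually sent */
    memcpy(arena + 5, "SECRET!", 7);    /* simulated adjacent memory */
    req->start = arena;
    req->end = arena + 5;
}

/* What the trusting path would hand back to the client. */
const char *leaked_string(void)
{
    static char out[MAX_STR];
    request_t req; build_scenario(&req);
    const uint8_t *wire = req.start;
    copy_string_trusting(&wire, out);
    return out;
}

/* What the checked path returns for the same malformed request (-1). */
int checked_result(void)
{
    char out[MAX_STR];
    request_t req; build_scenario(&req);
    const uint8_t *wire = req.start;
    return copy_string_checked(&req, &wire, out);
}

/* A well-formed request is still accepted by the checked path. */
int checked_valid_result(void)
{
    char out[MAX_STR];
    uint8_t buf[5] = {3, 0, 'a', 'b', 'c'};
    request_t req = { buf, buf + 5 };
    const uint8_t *wire = buf;
    return copy_string_checked(&req, &wire, out);
}

int main(void)
{
    printf("trusting copy returned: \"%s\"\n", leaked_string());
    printf("checked copy returned: %d (valid request: %d)\n",
           checked_result(), checked_valid_result());
    return 0;
}
```

The point to take from the model is that clamping the length against the destination buffer is not enough: the source side must also be checked against the bytes the client really sent, otherwise whatever sits after the request is copied into the server's structures and can be read back by a later request.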
X Server working fine for me on Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
Debian has issued an advisory for this on February 11:
https://www.debian.org/security/2015/dsa-3160

Let's use their more concise description.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

Olivier Fourdan discovered that missing input validation in the Xserver's handling of XkbSetGeometry requests may result in an information leak or denial of service (CVE-2015-0255).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
https://www.debian.org/security/2015/dsa-3160
URL: (none) => http://lwn.net/Vulnerabilities/633088/
Performed two installations, one x86_64 and one i586, with kernel, 3 x nvidia, fglrx, broadcom-wl, vbox, xtables-addons and also glibc, dbus, x11 and cups at the same time. All OK.
Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok
Advisory uploaded.
Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
Testing on Mageia 4 x32 real hardware (Intel Core i3, 8 Series/C220 Series Chipset, nvidia GTX750): x11-server-xorg-1.14.5-2.3.mga4.i586 with the latest testing kernel-desktop, glibc and dbus. OK.
CC: (none) => olchal
Testing MGA4 x64 real hardware. Installed this update alongside concurrent desktop kernel, dbus & glibc updates. No display or keyboard problems noticed.
CC: (none) => lewyssmith
Validating. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0073.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED