Bug 15856 - x11-server new security issue CVE-2015-3418
Summary: x11-server new security issue CVE-2015-3418
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/643134/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-05-05 19:17 CEST by David Walser
Modified: 2015-05-06 17:16 CEST

See Also:
Source RPM: x11-server-1.14.5-2.3.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2015-05-05 19:17:15 CEST
A CVE was assigned for a regression caused by the CVE-2014-8092 fix:
http://openwall.com/lists/oss-security/2015/04/25/4

We fixed CVE-2014-8092 in Bug 14767.

The new fix is already in Cauldron.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

A regression in the fix for CVE-2014-8092 (MGASA-2014-0532) caused another
issue which could lead to a local denial of service (CVE-2015-3418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3418
http://openwall.com/lists/oss-security/2015/04/25/4
========================

Updated packages in core/updates_testing:
========================
x11-server-1.14.5-2.4.mga4
x11-server-devel-1.14.5-2.4.mga4
x11-server-common-1.14.5-2.4.mga4
x11-server-xorg-1.14.5-2.4.mga4
x11-server-xdmx-1.14.5-2.4.mga4
x11-server-xnest-1.14.5-2.4.mga4
x11-server-xvfb-1.14.5-2.4.mga4
x11-server-xephyr-1.14.5-2.4.mga4
x11-server-xfake-1.14.5-2.4.mga4
x11-server-xfbdev-1.14.5-2.4.mga4
x11-server-source-1.14.5-2.4.mga4

from x11-server-1.14.5-2.4.mga4.src.rpm

Comment 1 David Walser 2015-05-06 01:47:59 CEST
Working fine Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 2 Lewis Smith 2015-05-06 14:43:22 CEST
MGA4 x64 real hardware with AMD/ATI/Radeon video.

Having just
 x11-server-1.14.5-2.4.mga4
 x11-server-common-1.14.5-2.4.mga4
and using my system with graphics-oriented applications, nothing untoward noticed.
I would rather see more testers trying this update, but am OKing it anyway.

CC: (none) => lewyssmith
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 3 David Walser 2015-05-06 15:01:20 CEST
(In reply to Lewis Smith from comment #2)
> I would rather see more testers trying this update, but am OKing it anyway.

It was just a tiny patch (and one that's already in Cauldron). Should be fine.

Comment 4 claire robinson 2015-05-06 16:19:32 CEST
Tested OK here too mga4 64. No regression noticed in general use.


Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-05-06 17:16:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0196.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

