Upstream has issued an advisory on June 10:
http://lists.x.org/archives/xorg-announce/2015-June/002611.html

OpenSuSE has issued an advisory for this today (June 22):
http://lists.opensuse.org/opensuse-updates/2015-06/msg00044.html

Upstream commits to fix this issue are linked from the SuSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=934102

Reproducible:

Steps to Reproduce:
Thierry, ping :)
CC: (none) => mageia
I've applied the patches from SuSE's bug and submitted it into 5/core/updates_testing

SRPM:
x11-server-1.16.4-2.1.mga5.src.rpm

RPMs:
x11-server-xwayland-1.16.4-2.1.mga5
x11-server-xvfb-1.16.4-2.1.mga5
x11-server-xorg-1.16.4-2.1.mga5
x11-server-xnest-1.16.4-2.1.mga5
x11-server-xfbdev-1.16.4-2.1.mga5
x11-server-xfake-1.16.4-2.1.mga5
x11-server-xephyr-1.16.4-2.1.mga5
x11-server-xdmx-1.16.4-2.1.mga5
x11-server-devel-1.16.4-2.1.mga5
x11-server-common-1.16.4-2.1.mga5
x11-server-1.16.4-2.1.mga5
x11-server-source-1.16.4-2.1.mga5.noarch
Thanks Sander!

Advisory:
========================

Updated x11-server packages fix security vulnerability:

The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket (CVE-2015-3164).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3164
http://lists.x.org/archives/xorg-announce/2015-June/002611.html
http://lists.opensuse.org/opensuse-updates/2015-06/msg00044.html
Assignee: thierry.vignaud => qa-bugs
Testing Mageia 5 x64 real hardware with AMD/ATI/Radeon video

Installed directly from Updates Testing x11-server-xwayland because I did not have it, but the X11 update is specifically for that. And updated main X11 to:
x11-server-common-1.16.4-2.1.mga5
x11-server-xorg-1.16.4-2.1.mga5
x11-server-xwayland-1.16.4-2.1.mga5

Re-started the X server, and using the resulting system shows nothing untoward. Update deemed OK.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.mga5.i586 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.1.mga5.i586 is already installed

KDE desktop and various apps work fine
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.mga5.x86_64 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.1.mga5.x86_64 is already installed

KDE desktop and various apps work fine
Testing using Gnome on mga-5-32

rpm -qa | grep x11-server
x11-server-xorg-1.16.4-2.mga5
x11-server-common-1.16.4-2.mga5

Installing from testing:

urpmi --search-media "Core Updates Testing" x11-server-xorg x11-server-common
Marking x11-server-xorg as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
ftp://192.168.0.2//pub/mirror/Mageia/distrib/5/i586/media/core/updates_testing/x11-server-common-1.16.4-2.1.mga5.i586.rpm
ftp://192.168.0.2//pub/mirror/Mageia/distrib/5/i586/media/core/updates_testing/x11-server-xorg-1.16.4-2.1.mga5.i586.rpm
installing x11-server-xorg-1.16.4-2.1.mga5.i586.rpm x11-server-common-1.16.4-2.1.mga5.i586.rpm from /var/cache/urpmi/rpms

After restart logged on to Gnome normally. Tested several applications including libreoffice and firefox with flash-player. All seem to be working OK.

OK for mga-5-32

The security issue seems to be related in particular to wayland. What, if anything, actually uses wayland?
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
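The testers above confirm the fix by eyeballing package names from rpm -qa and urpmi against the fixed version-release (1.16.4-2.1.mga5). The same check can be done mechanically with RPM's own version-ordering rules. The script below is an added example written for this page, not part of the Mageia tooling or of any post in this thread: it re-implements the rpmvercmp() segment comparison (alternating numeric and alphabetic runs, numeric compared as integers, numeric newer than alphabetic, '~' sorting before everything) in Python and runs it over package names constructed from the outputs quoted above. The arch suffixes it strips (i586, x86_64, noarch) are assumed from those outputs, and the '^' ordering of newer rpm releases is not implemented.

```python
# Verify that installed x11-server packages are at or above the fixed
# version-release from this update.  Added example; not Mageia's own code.

# Version and release of the update under test (taken from the thread).
FIXED_VERSION = "1.16.4"
FIXED_RELEASE = "2.1.mga5"

# Arch suffixes seen in the urpmi output quoted above (assumption).
ARCHES = ("i586", "x86_64", "noarch")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering a against b like rpm's rpmvercmp().

    Strings are compared segment by segment; separators are ignored,
    numeric segments compare as integers, alphabetic segments compare
    lexically, a numeric segment is newer than an alphabetic one, and
    a '~' makes its side older than anything (pre-release marker).
    """
    if a == b:
        return 0
    ia = ib = 0
    la, lb = len(a), len(b)
    while ia < la or ib < lb:
        # skip separators (anything that is not alphanumeric or '~')
        while ia < la and not (a[ia].isalnum() or a[ia] == "~"):
            ia += 1
        while ib < lb and not (b[ib].isalnum() or b[ib] == "~"):
            ib += 1
        # tilde handling: the side carrying '~' is older
        if (ia < la and a[ia] == "~") or (ib < lb and b[ib] == "~"):
            if ia >= la or a[ia] != "~":
                return 1
            if ib >= lb or b[ib] != "~":
                return -1
            ia += 1
            ib += 1
            continue
        if ia >= la or ib >= lb:
            break
        # take a run of the same kind (digits or letters) from both sides,
        # the kind being decided by the current character of a
        isnum = a[ia].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ja = ia
        while ja < la and kind(a[ja]):
            ja += 1
        jb = ib
        while jb < lb and kind(b[jb]):
            jb += 1
        sa, sb = a[ia:ja], b[ib:jb]
        if not sb:
            # segments are of different kinds: numeric wins over alphabetic
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        ia, ib = ja, jb
    # whichever side still has characters left is the newer one
    if ia >= la and ib >= lb:
        return 0
    return -1 if ia >= la else 1


def parse_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    for arch in ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
            break
    name_ver, _, rel = pkg.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    return name, ver, rel


def is_fixed(pkg, fixed_version=FIXED_VERSION, fixed_release=FIXED_RELEASE):
    """True if the installed package is at or above the fixed version-release."""
    _, ver, rel = parse_nvr(pkg)
    c = rpmvercmp(ver, fixed_version)
    if c == 0:
        c = rpmvercmp(rel, fixed_release)
    return c >= 0


def check_rpm_qa(output):
    """Map each x11-server package in `rpm -qa` output to whether it is fixed."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("x11-server"):
            name, _, _ = parse_nvr(line)
            result[name] = is_fixed(line)
    return result


# Constructed sample: the pre-update output quoted in this thread plus one
# package at the updated version.
SAMPLE_RPM_QA = """\
x11-server-xorg-1.16.4-2.mga5
x11-server-common-1.16.4-2.mga5
x11-server-xwayland-1.16.4-2.1.mga5
"""

if __name__ == "__main__":
    for name, ok in sorted(check_rpm_qa(SAMPLE_RPM_QA).items()):
        print(f"{name}: {'fixed' if ok else 'NOT fixed'}")
```

The comparison order matters: the version is compared first and the release only breaks ties, which is why 1.16.4-2.mga5 sorts below 1.16.4-2.1.mga5 (in the release, the alphabetic segment "mga" loses to the numeric segment "1").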
Is it now OK to validate this update? We haven't tested wayland, since none of us seem to use it.
(In reply to James Kerr from comment #8)
> Is it now OK to validate this update? We haven't tested wayland, since none
> of us seem to use it.

Yeah, go ahead and validate it. This issue isn't a big deal for us since we don't use wayland.
This update is now validated. Would a qa-committer upload the advisory to SVN? The packages can then be pushed to updates.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0316.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED