Fedora has issued an advisory on October 17:
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169437.html

Only the rhbz#1268900 issue possibly affects us, as the other issue is fixed in 0.5.0. The first issue is fixed upstream in 0.5.2, so we may need to update it.

Reproducible:

Steps to Reproduce:
URL: (none) => http://lwn.net/Vulnerabilities/661349/
Hi, The package lxdm-0.5.0-3.1.mga5 includes the patch that corrects the problem (it is a single commit in LXDM git repository). Best regards, Nico.
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated lxdm package fixes a security issue with starting X server.
========================

Updated packages in core/updates_testing:
========================
i586:
lxdm-0.5.0-3.1.mga5.i586.rpm

x86_64:
lxdm-0.5.0-3.1.mga5.x86_64.rpm

Source RPMs:
lxdm-0.5.0-3.1.mga5.src.rpm
Status: NEW => ASSIGNED
Hardware: i586 => All
Assignee: nicolas.salguero => qa-bugs
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: lxde lxdm

default install of lxde & lxdm

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.mga5.i586 is already installed

System boots to a working lxde desktop. Common apps work.

install lxdm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.i586 is already installed

System boots to a working lxde desktop. Common apps work.
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: lxde lxdm

default install of lxde & lxdm

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.mga5.x86_64 is already installed

System boots to a working lxde desktop. Common apps work.

install lxdm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.x86_64 is already installed

System boots to a working lxde desktop. Common apps work.
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
Anything else we need to look at here David?
(In reply to William Kenney from comment #5)
> Anything else we need to look at here David?

Yes, check that the X server (process name is /etc/X11/X) in the process list has the -auth argument.
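The check asked for in comment #6, written out as a small script. This is an added example for this page, not code from the bug report, from Mageia QA or from lxdm. It parses the X server command line for a "-auth <file>" pair (a bare trailing "-auth" with no file counts as missing), and can scan the live process list with ps. The two "OK" sample command lines are the shapes posted later in this report; the third sample (no -auth) and the extra /usr/bin/Xorg and /usr/bin/X process names are assumptions added for the example.

```shell
#!/bin/sh
# Added example (not part of this bug report or of lxdm): verify that the
# running X server was started with "-auth <file>", i.e. that the display
# manager handed it an xauth cookie file. Usage:
#   sh check_xauth.sh          # run against constructed sample command lines
#   sh check_xauth.sh --live   # scan the real process list with ps

# Return 0 if the given X command line carries "-auth <path>", else 1.
# A trailing "-auth" with nothing after it is treated as missing.
x_cmdline_has_auth() {
    set -f              # no globbing while we split the command line
    set -- $1           # word-split on whitespace (paths without spaces assumed)
    set +f
    while [ $# -gt 1 ]; do
        if [ "$1" = "-auth" ] && [ -n "$2" ]; then
            return 0
        fi
        shift
    done
    return 1
}

# Scan the live process list for X servers and report each one.
# Returns 0 if every X server found has -auth, 1 if any lacks it,
# 2 if no X server process was found at all.
check_running_x_servers() {
    rc=0
    # /etc/X11/X is the name seen in this report; the other two are assumptions.
    lines=$(ps -eo args= 2>/dev/null \
            | grep -E '^(/etc/X11/X|/usr/bin/Xorg|/usr/bin/X)( |$)' || true)
    if [ -z "$lines" ]; then
        echo "no X server process found"
        return 2
    fi
    oldifs=$IFS
    IFS='
'
    for line in $lines; do
        IFS=$oldifs
        if x_cmdline_has_auth "$line"; then
            echo "OK   : $line"
        else
            echo "FAIL : $line   (no -auth argument)"
            rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

# Constructed sample command lines for offline use. The first two match the
# shapes reported in this bug (lxdm-0.5.0-3.1.mga5 and kdm); the third is a
# hypothetical launch without -auth, which is what the fix is meant to prevent.
SAMPLE_LXDM_FIXED='/etc/X11/X -background none :0 vt01 -nolisten tcp -novtswitch -auth /var/run/lxdm/lxdm-:0.auth'
SAMPLE_KDM='/etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-sWzF8a'
SAMPLE_NO_AUTH='/etc/X11/X -background none :0 vt01 -nolisten tcp -novtswitch'

demo() {
    for l in "$SAMPLE_LXDM_FIXED" "$SAMPLE_KDM" "$SAMPLE_NO_AUTH"; do
        if x_cmdline_has_auth "$l"; then
            echo "OK   : $l"
        else
            echo "FAIL : $l   (no -auth argument)"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    check_running_x_servers
else
    demo
fi
```

Run with --live on a machine where the display manager under test is actually managing the console; with no X server running the script reports that and exits 2 rather than reporting a false pass.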
Also just an advisory note, the RedHat bug should be included as a Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1268900
(In reply to David Walser from comment #6)
> Yes, check that the X server (process name is /etc/X11/X) in the process
> list has the -auth argument.

Sorry help me understand how to get that.

[wilcal@localhost ~]$ ps -A
  PID TTY          TIME CMD
    1 ?        00:00:01 systemd
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 ksoftirqd/0
............
 1309 ?        00:00:00 httpd
 1310 ?        00:00:00 httpd
 1320 tty1     00:00:50 X
 1327 ?        00:00:00 kdm
 1342 ?        00:00:00 systemd
 1343 ?        00:00:00 (sd-pam)
 1344 ?        00:00:00 startkde
 1378 ?        00:00:00 gpg-agent
 1413 ?        00:00:00 dbus-launch
 1414 ?        00:00:00 dbus-daemon
............
$ ps ax | grep X
 1629 tty1     Ss+   57:08 /etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-sWzF8a
With lxdm-0.5.0-3.1.mga5, I have:

$ ps ax | grep X
 1529 tty1     Ssl+   0:09 /etc/X11/X -background none :0 vt01 -nolisten tcp -novtswitch -auth /var/run/lxdm/lxdm-:0.auth
(In reply to Nicolas Salguero from comment #10)
> With lxdm-0.5.0-3.1.mga5, I have :
>
> $ ps ax | grep X
> 1529 tty1 Ssl+ 0:09 /etc/X11/X -background none :0 vt01 -nolisten tcp
> -novtswitch -auth /var/run/lxdm/lxdm-:0.auth

Looks good. This can be validated then.
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: lxde lxdm

install lxdm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.i586 is already installed

System boots to a working lxde desktop. Common apps work.

[wilcal@localhost ~]$ ps ax | grep X
 1322 tty1     Ssl+   0:04 /etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-U1c9fc
 1847 pts/1    S+     0:00 grep --color X
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: lxde lxdm

install lxdm from updates_testing

[root@localhost wilcal]# urpmi task-lxde
Package task-lxde-3-13.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lxdm
Package lxdm-0.5.0-3.1.mga5.x86_64 is already installed

System boots to a working lxde desktop. Common apps work.

[wilcal@localhost ~]$ ps ax | grep X
 1323 tty1     Ssl+   0:04 /etc/X11/X :0 vt1 -nolisten tcp -auth /var/run/xauth/A:0-CJa7wa
 1863 pts/1    S+     0:00 grep --color X
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory uploaded
CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0411.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This just got assigned CVE-2015-8308:
http://openwall.com/lists/oss-security/2015/11/20/6
Summary: lxdm new possible security issue with starting X server => lxdm new possible security issue with starting X server (CVE-2015-8308)
Nicolas, you should also note the other issue mentioned in that mail. Apparently, upgrading to 0.5.2 and adding the reset option to lxdm.conf fixes it.
The reset option is already active in our package because of bug 14662. So I think that lxdm-0.5.0-3.1.mga5 corrects the two mentioned problems.