Security issues in x11-server fixed upstream have been announced:
http://openwall.com/lists/oss-security/2017/07/06/6

Upstream commits to fix them are linked in the message above. I don't know if Mageia 5 is affected.
Fixed for Cauldron in x11-server-1.19.3-3.mga6, currently building. Mageia 5 still needs to be checked.
CC: (none) => tmb
Version: Cauldron => 5
Depends on: (none) => 20376
The upstream patches for this apply perfectly against Mageia 5, so confirming it's affected. We still have the issues from Bug 20376 to address as well.
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated x11-server packages fix security vulnerabilities:

Eric Sesterhenn discovered that the X.Org X server incorrectly compared MIT cookies. An attacker could possibly use this issue to perform a timing attack and recover the MIT cookie (CVE-2017-2624).

It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to crash the server, or possibly execute arbitrary code as an administrator (CVE-2017-10971).

It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to possibly obtain sensitive information (CVE-2017-10972).

Use-after-free issue in an unused function in XDM (boo#1025035).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
https://lists.opensuse.org/opensuse-updates/2017-06/msg00070.html
https://usn.ubuntu.com/usn/usn-3362-1/
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.16.4-2.2.mga5
x11-server-devel-1.16.4-2.2.mga5
x11-server-common-1.16.4-2.2.mga5
x11-server-xorg-1.16.4-2.2.mga5
x11-server-xdmx-1.16.4-2.2.mga5
x11-server-xwayland-1.16.4-2.2.mga5
x11-server-xnest-1.16.4-2.2.mga5
x11-server-xvfb-1.16.4-2.2.mga5
x11-server-xephyr-1.16.4-2.2.mga5
x11-server-xfake-1.16.4-2.2.mga5
x11-server-xfbdev-1.16.4-2.2.mga5
x11-server-source-1.16.4-2.2.mga5

from x11-server-1.16.4-2.2.mga5.src.rpm
Assignee: thierry.vignaud => qa-bugs
Blocks: (none) => 20376
Depends on: 20376 => (none)
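The MIT cookie comparison defect described in the advisory above (CVE-2017-2624), shown as an added example that is not part of this bug report or of the x11-server package: a comparison that stops at the first differing byte does work proportional to the matching prefix, while the constant-time form does the same work regardless of input. The cookie value and the step counter are constructed for illustration.

```c
/* Added example (not Mageia or X.Org code): a prefix-leaking cookie compare
 * beside the constant-time form; the leaky one is the defect class behind
 * CVE-2017-2624.  SAMPLE_COOKIE is constructed, not a real MIT cookie. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COOKIE_LEN 16
static const uint8_t SAMPLE_COOKIE[COOKIE_LEN] = {
    0x1a, 0x2b, 0x3c, 0x4d, 0x5e, 0x6f, 0x70, 0x81,
    0x92, 0xa3, 0xb4, 0xc5, 0xd6, 0xe7, 0xf8, 0x09 };

/* Leaky form: returns at the first mismatch.  *steps counts bytes examined
 * and stands in for the elapsed time an observer would measure. */
int cookie_eq_leaky(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time form: touches every byte and folds differences with OR,
 * so the work done is independent of where (or whether) the bytes differ. */
int cookie_eq_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Presents SAMPLE_COOKIE with one byte flipped at index mismatch_at and
 * returns how many bytes the chosen comparison examined. */
size_t steps_for_mismatch_at(int use_ct, size_t mismatch_at)
{
    uint8_t presented[COOKIE_LEN];
    size_t steps = 0;
    memcpy(presented, SAMPLE_COOKIE, COOKIE_LEN);
    presented[mismatch_at] ^= 0xff;
    if (use_ct)
        cookie_eq_ct(SAMPLE_COOKIE, presented, COOKIE_LEN, &steps);
    else
        cookie_eq_leaky(SAMPLE_COOKIE, presented, COOKIE_LEN, &steps);
    return steps;
}
```

The step count for the leaky routine tracks the position of the first wrong byte, which is exactly the signal a timing measurement recovers; the constant-time routine gives the same count for every input.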
Installed and running for more than 12 hours, including multiple sessions at the same time, without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver.

$ rpm -qa | grep x11-server
x11-server-xorg-1.16.4-2.2.mga5
x11-server-common-1.16.4-2.2.mga5
$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
CC: (none) => mageia
Mageia release 5 (Official) for x86_64
4.4.79-1.mga5
Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
Intel Corporation Xeon E3-1200 v3/4th Gen
NVIDIA Corporation GK104 [GeForce GTX 770] : nvidia 375.66

Installed:
- x11-server-1.16.4-2.2.mga5.x86_64
- x11-server-common-1.16.4-2.2.mga5.x86_64
- x11-server-devel-1.16.4-2.2.mga5.x86_64
- x11-server-source-1.16.4-2.2.mga5.noarch
- x11-server-xdmx-1.16.4-2.2.mga5.x86_64
- x11-server-xnest-1.16.4-2.2.mga5.x86_64
- x11-server-xorg-1.16.4-2.2.mga5.x86_64
- x11-server-xvfb-1.16.4-2.2.mga5.x86_64

Logged out and back into Mate.

Installed:
x11-server-xfbdev-1.16.4-2.2.mga5
x11-server-xwayland-1.16.4-2.2.mga5

Tried to login to GNOME on Wayland and failed. Goes back to the login prompt, but selecting any other DE results in a crash - good luck message in a console. This is a fault which has been mentioned elsewhere and is not relevant in the context of this update.

After rebooting, logged in to Mate.

Remote login on the LAN - ran an application which included a gui which pasted a JPEG image on the screen, and also played a video across the network. Logged out of the remote shell cleanly using logout. Typing exit causes the terminal to hang. Control-C to get back home.

xev correctly identifies keypress and mouse events.
Stellarium launches in fullscreen mode and is fully functional.
mplayer and vlc run fine.
A virtualbox launched OK.
Installed an old Fedora rpm of glmark2 and ran the demo successfully.
Everything else seems to work as well.

Should we wait for tests on more platforms or are these two separate reports sufficient to clear the updates for 64-bits? nouveau anybody?
CC: (none) => tarazed25
The testing is sufficient.
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
$ uname -a
Linux localhost 4.4.79-desktop586-1.mga5 #1 SMP Fri Jul 28 01:45:13 UTC 2017 i686 i686 i686 GNU/Linux

The following 2 packages are going to be installed:
- x11-server-common-1.16.4-2.2.mga5.i586
- x11-server-xorg-1.16.4-2.2.mga5.i586
36B of additional disk space will be used.
1.4MB of packages will be retrieved.
Is it ok to continue?

Firefox and office applications are working as designed. Confirmed X was running.
Whiteboard: MGA5-64-OK advisory => mga5-32-ok MGA5-64-OK advisory
CC: (none) => brtians1
MGA5-32 on Asus A6000VM with nVidia GeForce 7300, Xfce.
No installation issues. Rebooted after installation. Desktop OK, opening xls, doc files from local disk and nfs-share, large pdf file. Had an issue with sound, turned out that in alsamixer Master was completely turned down, I have no idea how come. After correcting that, played music and video OK.
CC: (none) => herman.viaene
CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0269.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED