Bug 23438 - sddm new security issue CVE-2018-14345
Summary: sddm new security issue CVE-2018-14345
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: KDE maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-13 23:18 CEST by David Walser
Modified: 2019-01-18 21:25 CET (History)
3 users (show)

See Also:
Source RPM: sddm-0.17.0-4.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-08-13 23:18:45 CEST 
openSUSE has issued an advisory today (August 13):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00084.html

Mageia 6 is also affected.
David Walser 2018-08-13 23:18:57 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-16 12:17:41 CEST 
Assigning to the KDE stack maintainers, even if this isn't a KDE package :-p CC'ing the registered maintainer.

CC: (none) => mageia, marja11
Assignee: bugsquad => kde

Comment 2 Mike Rambo 2019-01-16 16:30:11 CET 
The patch linked in the openSUSE report does not apply to either cauldron or mga6. The patch has two parts, one for Display.cpp which does not apply to either version, and the other for PamBackend.cpp which is already applied to both of our versions.

Looks invalid to me.

Resolution: (none) => INVALID
CC: (none) => mrambo
Status: NEW => RESOLVED

Comment 3 David Walser 2019-01-18 21:25:40 CET 
This was fixed upstream in 0.18.0, which Cauldron has been updated to.

The PamBackend.cpp part *does* apply in mga6, but doesn't appear to be directly relevant to the security issue.  The affected code in Display.cpp indeed doesn't exist in 0.14.0 in mga6.

Resolution: INVALID => FIXED
Whiteboard: MGA6TOO => (none)
Note You need to log in before you can comment on or make changes to this bug.