X.org has issued an advisory today (August 21): http://openwall.com/lists/oss-security/2018/08/21/6 The issues will be fixed upstream in 1.6.6. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing the de facto maintainer.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11, thierry.vignaud
openSUSE and Ubuntu have issued advisories for this on August 31 and 30: https://lists.opensuse.org/opensuse-updates/2018-08/msg00164.html https://usn.ubuntu.com/3758-1/
Suggested advisory: ======================== The updated packages fix security vulnerabilities: An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). (CVE-2018-14598) An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. (CVE-2018-14599) An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. (CVE-2018-14600) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14598 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14599 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14600 http://openwall.com/lists/oss-security/2018/08/21/6 https://lists.opensuse.org/opensuse-updates/2018-08/msg00164.html https://usn.ubuntu.com/3758-1/ ======================== Updated packages in core/updates_testing: ======================== lib(64)x11_6-1.6.5-1.1.mga6 lib(64)x11-xcb1-1.6.5-1.1.mga6 lib(64)x11-devel-1.6.5-1.1.mga6 libx11-common-1.6.5-1.1.mga6 libx11-doc-1.6.5-1.1.mga6 from SRPMS: libx11-1.6.5-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugsVersion: Cauldron => 6CC: (none) => nicolas.salgueroStatus: NEW => ASSIGNEDWhiteboard: MGA6TOO => (none)
Mageia 6, x86_64 CVE-2018-14598 CVE-2018-14599 CVE-2018-14600 Looks like there are no reproducers for these three issues. Installed the five packages. All updated cleanly. $ urpmq --whatrequires lib64x11_6 | sort -u produces a long list of dependent applications including xterm and xeyes. xterm and xeyes work fine. Tried xviewer and a few others. $ xviewer -s /data/images/asteroids This started a slideshow of the images in the given directory. zoom seems to be some kind of game launcher. xsysinfo displays a graphic along the lines of gkrellm. By default it shows load average and the activity in the CPU cores as 8 separate load bars and a panel for the amount of memory in use. It may be buggy because the no* arguments seem to work but the activate items do not. $ xsysinfo -swap -noload Shows loading and RAM use but not swap. xplayer displays videos OK. $ strace -o trace xplayer victoria_dem_2_1280.mov $ cat trace | grep x11 | grep -v 0x11 $ No evidence of libx11. Tried starce on xeyes. Still no libx11. $ strace -o trace vlc Restless.m2t $ grep x11 trace mmap(0x7f44aef0b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7f44aef0b000 stat("/usr/lib64/vlc/plugins/video_output/libglconv_vaapi_x11_plugin.so", {st_mode=S_IFREG|0755, st_size=28456, ...}) = 0 stat("/usr/lib64/vlc/plugins/video_output/libxcb_x11_plugin.so", {st_mode=S_IFREG|0755, st_size=19728, ...}) = 0 There is a possible indirect reference to lib64x11-xcb1 there. $ urpmq --requires-recursive vlc | grep x11 lib64gtk+-x11-2.0_0 lib64qt5x11extras5 lib64x11-xcb1 lib64x11_6 So vlc does require the libraries but we have not shown it actually being used very much. The same is true of the command-line version cvlc. Opening blender under strace does not supply unequivocal evidence of its use. We shall just have to assume that the libraries are used at some stage in these applications. They all work without any apparent regressions so this is awarded a tentative OK.
Whiteboard: (none) => MGA6-64-OKCC: (none) => tarazed25
CC: (none) => tmbKeywords: (none) => advisory
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0377.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED