X.org has issued an advisory on August 22: http://openwall.com/lists/oss-security/2018/08/22/6 The issue is fixed upstream in 1.1.15. The commit to fix it is linked in the message above. Mageia 5 is also affected.
CC: (none) => nicolas.salguero
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
*** Bug 23399 has been marked as a duplicate of this bug. ***
Suggested advisory:
========================

The updated packages fix a security vulnerability:

_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow. (CVE-2015-9262)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9262
http://openwall.com/lists/oss-security/2018/08/22/6
https://usn.ubuntu.com/3729-1/
========================

Updated packages in core/updates_testing:
========================
lib(64)xcursor1-1.1.14-6.2.mga6
lib(64)xcursor-devel-1.1.14-6.2.mga6

from SRPMS:
libxcursor-1.1.14-6.2.mga6.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2015-9262
Severity: normal => major
Assignee: pkg-bugs => qa-bugs
Mageia 6, x86_64

No reproducers found for CVE-2015-9262.

A quick 'urpmq --whatrequires' indicates that libxcursor is ubiquitous. If you run a desktop then the library will almost certainly be used. virtualbox is one application. Testing the update can be done by picking virtualbox or the Gimp or whatever or simply running your favourite desktop and watching for the unexpected when using the mouse or whatever pointing device is in use.

Clean update. Logged out of Mate and back in again. No problems with the mouse pointer. Launched virtualbox and confirmed that there were no problems with the desktop or mouse operations.

Passing this for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Re comment 4. It would be helpful if somebody tested this on a laptop using the touchpad, 64-bit or 32-bit. I am no fan of touchpads so have no familiarity with them.
I think I can handle that.

On real hardware, HP Probook 6550b, i3, 8GB RAM, Intel graphics, Intel wifi, 64-bit Plasma system using the desktop kernel. This particular system has both the 64-bit and 32-bit packages installed, presumably because the old 32-bit Google Earth that's installed uses the 32-bit package.

Installed these packages and the VirtualBox packages in the same operation. All packages installed cleanly. It probably wasn't necessary, but I rebooted before testing.

I'm not fond of the touchpad either, but do use it now and then. For this test I used it almost exclusively, but I did use the mouse too.

First up was Google Earth. No problems noted. While it felt awkward to use the touchpad, just as it always does, it did work. Moving the pointer, right and left clicks, right click by tapping the touchpad, and two-fingered scrolling all worked, as did the mouse.

Then on to VirtualBox. Started a 64-bit MGA6 VM that I hadn't used in a while, and it's updating now. Everything works as expected.

While I probably shouldn't give this a 32-bit OK without testing it on a 32-bit system, based on my tests with 32-bit Google Earth I don't anticipate any problems with that arch.

Validating. Suggested advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0364.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED