X.org has issued an advisory today (October 25):
https://www.openwall.com/lists/oss-security/2018/10/25/1

Thomas has already built an update with the fix...

x11-server-1.19.5-1.2.mga6
x11-server-common-1.19.5-1.2.mga6
x11-server-xorg-1.19.5-1.2.mga6
x11-server-xnest-1.19.5-1.2.mga6
x11-server-xdmx-1.19.5-1.2.mga6
x11-server-xvfb-1.19.5-1.2.mga6
x11-server-xephyr-1.19.5-1.2.mga6
x11-server-xfake-1.19.5-1.2.mga6
x11-server-xfbdev-1.19.5-1.2.mga6
x11-server-xwayland-1.19.5-1.2.mga6
x11-server-devel-1.19.5-1.2.mga6
x11-server-source-1.19.5-1.2.mga6

from x11-server-1.19.5-1.2.mga6.src.rpm
Created attachment 10427: Screenshot of Plasma panel

Issues in quick test on 64 bit, Plasma

a) In tiled desktop mode I moved program windows across screens, and everything froze except for the mouse pointer. Then I switched to a text console (Ctrl-Alt-F2), logged in, and checked the journal, but did not see anything that worried me. When I switched back, the desktop worked again, but

b) the Plasma panel at the bottom of the screen has weird program text and clock (see attached).

System: my workstation; 4k screen, nvidia proprietary driver. Using all updates incl. updates_testing, incl. kernel desktop 4.14.78-1.

I think I have seen a) some week ago, so it may be an issue unrelated to this update. But b) I have never seen before.
CC: (none) => fri
Further testing: I have a bash script that at DE login launches several applications with a delay in between. I also have BOINC eating most of my CPU + GPU.

It seems that if I let all the applications launch before I go to tiled mode and toss them around to different desktops, everything is OK. But if I go to tiled mode while they are launching, and login popups for mail etc. also launch, then the display gets frozen except for the mouse pointer, and if I shift to the text screen with Ctrl-Alt-F2 and back quickly now, the screen goes black + mouse hand pointer, and after some seconds the desktop appears, with a system tray popup saying something like kwin got restarted due to graphics problems. And then it works OK, with no text problems like in c 1. The difference to c 1 is that now I was at the text screen only a couple of seconds.

In short, I think this is not a big problem, but the bug gets triggered by the massive CPU and GPU load in combination with dragging windows between desktops in tiled mode on a 4k screen... And it may be some other update, at least in combination, as this system is fully updated to updates_testing.

I have not seen any other issue in a couple of hours of surfing, text editing, video, screengrab.
Debian has issued an advisory for this on October 25: https://www.debian.org/security/2018/dsa-4328
Priority: Normal => High
Assignee: tmb => qa-bugs
Severity: normal => critical
Advisory, added to svn:

type: security
subject: Updated x11-server packages fix security vulnerability
CVE:
 - CVE-2018-14665
src:
  6:
   core:
     - x11-server-1.19.5-1.2.mga6
description: |
  A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
  check for -modulepath and -logfile options when starting Xorg. X server
  allows unprivileged users with the ability to log in to the system via
  physical console to escalate their privileges and run arbitrary code under
  root privileges (CVE-2018-14665).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23757
 - https://www.openwall.com/lists/oss-security/2018/10/25/1
Keywords: (none) => advisory
CC: (none) => tmb
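A detection check for the condition the advisory describes, added here as an example and not part of the bug report or the X.org fix: it scans a process listing for X servers that run with root privileges on behalf of a non-root user while carrying -logfile or -modulepath. The `ps -eo ruid,euid,args` input layout, the binary names in XORG_NAMES and the sample lines are assumptions constructed for illustration.

```python
import os
import shlex

# Options named in the advisory; XORG_NAMES is an assumption about binary names.
RISKY_OPTS = {"-logfile", "-modulepath"}
XORG_NAMES = {"X", "Xorg"}

# Constructed sample in the layout of `ps -eo ruid,euid,args` (not real data).
SAMPLE = """\
 RUID  EUID COMMAND
    0     0 /usr/bin/Xorg :0 -logfile /var/log/Xorg.0.log vt1
 1000     0 /usr/bin/Xorg :1 -logfile /tmp/example.log
 1000  1000 /usr/bin/Xorg :2 -modulepath /home/user/mods
 1001     0 /usr/bin/X :3 -modulepath /tmp/example-mods -logfile /tmp/example2.log
 1000  1000 vim -logfile notes.txt
""".splitlines()

def parse_ps_line(line):
    """Return (ruid, euid, argv), or None for the header and malformed lines."""
    parts = line.split(None, 2)
    if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        return None
    try:
        argv = shlex.split(parts[2])
    except ValueError:          # unbalanced quotes in the args column
        argv = parts[2].split()
    return int(parts[0]), int(parts[1]), argv

def risky_options(argv):
    """List (option, value) pairs for the affected options; value may be None."""
    return [(arg, argv[i + 1] if i + 1 < len(argv) else None)
            for i, arg in enumerate(argv) if i > 0 and arg in RISKY_OPTS]

def find_suspicious(lines):
    """Flag X servers running as root for a non-root user with affected options."""
    hits = []
    for line in lines:
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        ruid, euid, argv = parsed
        if not argv or os.path.basename(argv[0]) not in XORG_NAMES:
            continue
        opts = risky_options(argv)
        if ruid != 0 and euid == 0 and opts:   # elevated on behalf of a user
            hits.append({"ruid": ruid, "display": argv[1] if len(argv) > 1 else None,
                         "options": opts})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```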
I've confirmed on x86_64 that the current x11-server-xorg-1.19.5-1.1.mga6 in updates is vulnerable, and that the upstream fix merged in x11-server-xorg-1.19.5-1.2.mga6 in updates_testing blocks the exploit.
Physical Hardware
AMD Athlon(tm) II X3 450 Processor
GF108 [GeForce GT 730]
Desktop: Gnome X.org

# uname -a
Linux linux.local 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# urpmi x11-server
Package x11-server-1.19.5-1.2.mga6.x86_64 is already installed

I've been running this a few hours already, seems to be working as designed.

Also took liberty and installed x11-server x11-server-1.19.5-1.2 (even though it wasn't installed before). Installed without issue.

x86_64 working as designed with nvidia and xorg-Gnome.
CC: (none) => brtians1
On mga6-64 Plasma, packages installed cleanly:
- x11-server-common-1.19.5-1.2.mga6.x86_64
- x11-server-xorg-1.19.5-1.2.mga6.x86_64
- x11-server-xwayland-1.19.5-1.2.mga6.x86_64

No regressions noted. I do not play games or use Plasma's desktop effects.

OK for me on mga6-64 on this system:

Graphics: Card: Intel HD Graphics 530
Display Server: Mageia X.org 119.5 drivers: v4l,intel
Resolution: 1920x1080@60.00hz
GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2)
GLX Version: 3.0 Mesa 17.3.9

Updated packages also OK on mga6-64 and mga6-32 vbox clients, both using Plasma.
CC: (none) => jim
Working ok on my systems. No others have reported problems, so validating.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0421.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED