Bug 23757 - x11-server new security issue CVE-2018-14665
Summary: x11-server new security issue CVE-2018-14665
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-26 01:40 CEST by David Walser
Modified: 2018-10-27 11:46 CEST (History)
6 users (show)

See Also:
Source RPM: x11-server-1.19.5-1.1.mga6.src.rpm
CVE:
Status comment:


Attachments
Screenshot of plasma panel (63.36 KB, image/png)
2018-10-26 04:29 CEST, Morgan Leijström
Details

Description David Walser 2018-10-26 01:40:13 CEST
X.org has issued an advisory today (October 25):
https://www.openwall.com/lists/oss-security/2018/10/25/1

Thomas has already built an update with the fix...

x11-server-1.19.5-1.2.mga6
x11-server-common-1.19.5-1.2.mga6
x11-server-xorg-1.19.5-1.2.mga6
x11-server-xnest-1.19.5-1.2.mga6
x11-server-xdmx-1.19.5-1.2.mga6
x11-server-xvfb-1.19.5-1.2.mga6
x11-server-xephyr-1.19.5-1.2.mga6
x11-server-xfake-1.19.5-1.2.mga6
x11-server-xfbdev-1.19.5-1.2.mga6
x11-server-xwayland-1.19.5-1.2.mga6
x11-server-devel-1.19.5-1.2.mga6
x11-server-source-1.19.5-1.2.mga6

from x11-server-1.19.5-1.2.mga6.src.rpm
Comment 1 Morgan Leijström 2018-10-26 04:29:54 CEST
Created attachment 10427 [details]
Screenshot of plasma panel

Issues in quick test on 64 bit, Plasma

a) in tiled desktop mode i moved program windows across screens, and everything froze except for mouse pointer.

Then i switched to a text console (Ctrl-Alt-F2), logged in, and checked journal - but dod not see anything that worried me.  When i switched back desktop worked again, but 

b) the Plasma panel at screen bottom have weird program text and clock. (see attached)



System: my worstation; 4k screen, nvidia proprietary driver.
Using all updates incl updates_testing, incl kernel desktop 4.14.78-1

I think i have seen a) some week ago so it may be an issue unrelated to this update.  But b) i have never seen before.

CC: (none) => fri

Comment 2 Morgan Leijström 2018-10-26 18:37:16 CEST
Further testing:

I have a bash script that at DE login launches several applications with delay in between.  I also have BOINC eating most of my CPU + GPU.

It seems that if i let all the applications launch before i go to tiled mode and toss them around to different desktops, everything is OK.

But if i go to tiled mode while they are launching, and also launches login popups for mail etc, then display gets frozen except mouse pointer, and  if i shift to text screen Ctrl-Alt-F2 and back quickly now, screen got black + mouse hand pointer, and after some seconds desktop appeared, with a system tray popup something like kwin got restarted due to graphics problems.  And then now it works OK, no text problems like in c 1.

Difference to c 1 is that now i was at text screen only a couple seconds.

In short i think this is not a big problem, but the bog gets trigged by the massive CPU and GPU load in combination with dragging windows between desktops in tiled mode on a 4k screen...

And it may be some other update at least in combination, as this system is fully updated to updates_testing.

I have not seen any other issue in a couple hours time surfing, textedit, video, screengrab.
Comment 3 David Walser 2018-10-26 18:49:07 CEST
Debian has issued an advisory for this on October 25:
https://www.debian.org/security/2018/dsa-4328
Thomas Backlund 2018-10-26 20:20:24 CEST

Priority: Normal => High
Assignee: tmb => qa-bugs
Severity: normal => critical

Comment 4 Thomas Backlund 2018-10-26 21:33:22 CEST
Advisory, added to svn:

type: security
subject: Updated x11-server packages fix security vulnerability
CVE:
 - CVE-2018-14665
src:
  6:
   core:
     - x11-server-1.19.5-1.2.mga6
description: |
  A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
  check for -modulepath and -logfile options when starting Xorg. X server
  allows unprivileged users with the ability to log in to the system via
  physical console to escalate their privileges and run arbitrary code under
  root privileges (CVE-2018-14665).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23757
 - https://www.openwall.com/lists/oss-security/2018/10/25/1

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Thomas Backlund 2018-10-26 21:40:42 CEST
I've confirmed on x86_64 that the current
x11-server-xorg-1.19.5-1.1.mga6 in updates is vulnerable, and that the
upstream fix merged in x11-server-xorg-1.19.5-1.2.mga6 in
updates_testing blocks the exploit.
Comment 6 Brian Rockwell 2018-10-26 23:55:37 CEST
Physical Hardware
AMD Athlon(tm) II X3 450 Processor
GF108 [GeForce GT 730]

Desktop: Gnome X.org

# uname -a
Linux linux.local 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux




# urpmi x11-server
Package x11-server-1.19.5-1.2.mga6.x86_64 is already installed

I've been running this a few hours already, seems to be working as designed.

Also took liberty and installed x11-server x11-server-1.19.5-1.2 (even though it wasn't installed before).  Installed without issue

x86_64 working as designed with nvidia and xorg-Gnome.

CC: (none) => brtians1

Comment 7 James Kerr 2018-10-27 10:59:01 CEST
on mga6-64  plasma

packages installed cleanly:
- x11-server-common-1.19.5-1.2.mga6.x86_64
- x11-server-xorg-1.19.5-1.2.mga6.x86_64
- x11-server-xwayland-1.19.5-1.2.mga6.x86_64

no regressions noted
I do not play games or use plasma's desktop effects

OK for me on mga6-64 on this system:

Graphics:  Card: Intel HD Graphics 530
           Display Server: Mageia X.org 119.5 drivers: v4l,intel Resolution: 1920x1080@60.00hz
           GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2) GLX Version: 3.0 Mesa 17.3.9



Updated packages also OK on mga6-64 and mga6-32 vbox clients, both using plasma

CC: (none) => jim

Comment 8 Dave Hodgins 2018-10-27 11:11:53 CEST
Working ok on my systems. No others have reported problems, so validating.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2018-10-27 11:46:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0421.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.