X.org has issued an advisory today (October 25):
Thomas has already built an update with the fix...
Created attachment 10427
Screenshot of plasma panel
Issues in quick test on 64 bit, Plasma
a) in tiled desktop mode I moved program windows across screens, and everything froze except for mouse pointer.
Then I switched to a text console (Ctrl-Alt-F2), logged in, and checked journal - but did not see anything that worried me. When I switched back desktop worked again, but
b) the Plasma panel at screen bottom has weird program text and clock. (see attached)
System: my workstation; 4k screen, nvidia proprietary driver.
Using all updates incl updates_testing, incl kernel desktop 4.14.78-1
I think I have seen a) some week ago so it may be an issue unrelated to this update. But b) I have never seen before.
I have a bash script that at DE login launches several applications with delay in between. I also have BOINC eating most of my CPU + GPU.
It seems that if I let all the applications launch before I go to tiled mode and toss them around to different desktops, everything is OK.
But if I go to tiled mode while they are launching, and also launches login popups for mail etc, then display gets frozen except mouse pointer, and if I shift to text screen Ctrl-Alt-F2 and back quickly now, screen got black + mouse hand pointer, and after some seconds desktop appeared, with a system tray popup something like kwin got restarted due to graphics problems. And then now it works OK, no text problems like in c 1.
Difference to c 1 is that now I was at text screen only a couple seconds.
In short I think this is not a big problem, but the bug gets triggered by the massive CPU and GPU load in combination with dragging windows between desktops in tiled mode on a 4k screen...
And it may be some other update at least in combination, as this system is fully updated to updates_testing.
I have not seen any other issue in a couple hours time surfing, textedit, video, screengrab.
Debian has issued an advisory for this on October 25:
Advisory, added to svn:
subject: Updated x11-server packages fix security vulnerability
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
check for -modulepath and -logfile options when starting Xorg. X server
allows unprivileged users with the ability to log in to the system via
physical console to escalate their privileges and run arbitrary code under
root privileges (CVE-2018-14665).
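Added example (not part of the original report, the advisory, or X.org's code): a detection check built on the advisory text above, flagging process-start records where a non-root user ran an elevated X server with -logfile or -modulepath. The record format, the sample lines, the binary names and the assumption that elevation shows up as euid 0 with a non-zero uid are all constructed for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Options named in the advisory text for CVE-2018-14665.
RISKY_OPTIONS = {"-logfile", "-modulepath"}
# Assumed X server binary names; adjust for the local install.
XSERVER_NAMES = {"Xorg", "X"}

# Constructed sample records (not real logs), one per line: "uid euid command line".
SAMPLE_RECORDS = """\
0 0 /usr/bin/Xorg :0 -logfile /var/log/Xorg.0.log vt1
1000 0 /usr/bin/Xorg :1 -logfile /tmp/test.log
1001 0 /usr/bin/X :1 -modulepath /tmp/mods
1000 1000 /usr/bin/Xorg :2 -logfile /home/user/x.log
1000 0 /usr/bin/Xorg :0 vt2
1000 1000 /usr/bin/grep -logfile notes.txt
not a record
"""


def parse_record(line):
    """Split one record into (uid, euid, argv); raises ValueError if malformed."""
    uid, euid, cmdline = line.split(None, 2)
    return int(uid), int(euid), shlex.split(cmdline)


def is_suspicious(uid, euid, argv):
    """True when a non-root user runs an elevated X server with a risky option."""
    if not argv or PurePosixPath(argv[0]).name not in XSERVER_NAMES:
        return False
    elevated = euid == 0 and uid != 0
    return elevated and any(arg in RISKY_OPTIONS for arg in argv[1:])


def find_suspicious(text):
    """Return (line number, uid, options) for each record worth investigating."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            uid, euid, argv = parse_record(line)
        except ValueError:
            continue  # skip blank or malformed lines
        if is_suspicious(uid, euid, argv):
            hits.append((lineno, uid, sorted(RISKY_OPTIONS.intersection(argv[1:]))))
    return hits


if __name__ == "__main__":
    for lineno, uid, options in find_suspicious(SAMPLE_RECORDS):
        print(f"line {lineno}: uid {uid} started the X server with {', '.join(options)}")
```

Root's own use of -logfile and an unprivileged (non-elevated) X server are deliberately not flagged, since neither crosses a privilege boundary.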
I've confirmed on x86_64 that the current
x11-server-xorg-1.19.5-1.1.mga6 in updates is vulnerable, and that the
upstream fix merged in x11-server-xorg-1.19.5-1.2.mga6 in
updates_testing blocks the exploit.
AMD Athlon(tm) II X3 450 Processor
GF108 [GeForce GT 730]
Desktop: Gnome X.org
# uname -a
Linux linux.local 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# urpmi x11-server
Package x11-server-1.19.5-1.2.mga6.x86_64 is already installed
I've been running this a few hours already, seems to be working as designed.
Also took liberty and installed x11-server x11-server-1.19.5-1.2 (even though it wasn't installed before). Installed without issue
x86_64 working as designed with nvidia and xorg-Gnome.
on mga6-64 plasma
packages installed cleanly:
no regressions noted
I do not play games or use plasma's desktop effects
OK for me on mga6-64 on this system:
Graphics: Card: Intel HD Graphics 530
Display Server: Mageia X.org 119.5 drivers: v4l,intel Resolution: firstname.lastname@example.org
GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2) GLX Version: 3.0 Mesa 17.3.9
Updated packages also OK on mga6-64 and mga6-32 vbox clients, both using plasma
Working ok on my systems. No others have reported problems, so validating.
An update for this issue has been pushed to the Mageia Updates repository.