Debian has issued an advisory today (November 5):
https://www.debian.org/security/2020/dsa-4783

The issue is fixed upstream in 0.19.0.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
More information: https://www.openwall.com/lists/oss-security/2020/11/04/2
Fixed both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated sddm package fixes security vulnerability:

Fabian Vogt discovered a flaw in sddm before 0.19.0. A local attacker can take advantage of a race condition when creating the Xauthority file to escalate privileges (CVE-2020-28049).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28049
https://www.debian.org/security/2020/dsa-4783
========================

Updated packages in core/updates_testing:
========================
sddm-0.18.1-3.1.mga7

from sddm-0.18.1-3.1.mga7.src.rpm
Assignee: kde => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Testing this on M7 Plasma x86_64 and Cauldron. Package updated successfully. After reboot, I get the proper X GUI to log in. Plasma X session is OK. MGA7-64-OK

Validating this. Advisory pushed to SVN.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2020-28049
Source RPM: sddm-0.18.1-4.mga8.src.rpm => sddm-0.18.1-3.mga7.src.rpm
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0412.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED