X.org has issued an advisory today (December 1): https://lists.x.org/archives/xorg-announce/2020-December/003066.html The issues are fixed upstream in 1.20.10: https://lists.x.org/archives/xorg-announce/2020-December/003067.html
Ubuntu has issued an advisory for this on December 1: https://ubuntu.com/security/notices/USN-4656-1
CC: (none) => thierry.vignaud
Severity: normal => major
Fedora has issued an advisory for this today (December 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6NULSZT4JH6WPRE73VQI4A42OU32HKTH/
Yeah, I wanted the 1.20.10 to run in cauldron for some days to see if there would be some problems... I think I'll go with 1.20.10 for this fix as there also are other fixes in there...
I was going to backport 1.20.10, I'll let you handle it if you're already on top of it
(In reply to Thierry Vignaud from comment #4)
> I was going to backport 1.20.10, I'll let you handle it if you're already on top of it
Nah, just go ahead if you have time... I have not touched it yet. I still need to find time for a vbox and nvidia-current fixup for Mga7
I've submitted x11-server-1.20.10-1.1.mga7 for it
Source RPM: x11-server-1.20.9-1.mga7.src.rpm => x11-server-1.20.10-1.1.mga7
Thanks. The update shouldn't have a subrel though. (it's -2 in mga8 so we'll let it slide this time. PS - don't change the srpm field in bugzilla, it's for the version the bug is reported against, not the version of the update candidate)
Source RPM: x11-server-1.20.10-1.1.mga7 => x11-server-1.20.9-1.mga7.src.rpm
I prefer to always have subrel in order to be sure the next committer has a chance to do the right thing in case we need a further fix… :-) "belt and suspenders"
Never add subrels when upgrading to new versions. (it's ugly and it often will make the version-release higher than Cauldron)
Advisory:
========================
Updated x11-server packages fix security vulnerabilities:

A flaw was found in the X.Org Server. An out-of-bounds access in the XkbSetMap function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-14360).

A flaw was found in xorg-x11-server. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-25712).

The x11-server package has been updated to version 1.20.10, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712
https://lists.x.org/archives/xorg-announce/2020-December/003066.html
https://lists.x.org/archives/xorg-announce/2020-December/003067.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6NULSZT4JH6WPRE73VQI4A42OU32HKTH/
========================
Updated packages in core/updates_testing:
========================
x11-server-1.20.10-1.1.mga7
x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xnest-1.20.10-1.1.mga7
x11-server-xdmx-1.20.10-1.1.mga7
x11-server-xvfb-1.20.10-1.1.mga7
x11-server-xephyr-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7
x11-server-devel-1.20.10-1.1.mga7
x11-server-source-1.20.10-1.1.mga7

from x11-server-1.20.10-1.1.mga7.src.rpm
Assignee: tmb => qa-bugs
CC: (none) => tmb
Installed and tested without issues. No issues with desktop applications and 3D applications and games.
System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GT 1030 GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort
x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7
$ lspci | grep VGA
04:00.0 VGA compatible controller: NVIDIA Corporation GP108 [GeForce GT 1030] (rev a1)
$ cat /proc/driver/nvidia/version
NVRM version: NVIDIA UNIX x86_64 Kernel Module 430.64 Sun Oct 27 11:26:12 UTC 2019
GCC version: gcc version 8.4.0 (Mageia 8.4.0-1.mga7)
CC: (none) => mageia
Installed and tested on a QEMU/KVM guest system. Tested on normal desktop and 3D applications (e.g. glmark2). No issues found.
Guest system: Mageia 7, x86_64, LXQt DE, virtio drivers.
Host system: see comment 11.

$ uname -a
Linux marte-vm-mageia-7 5.9.12-desktop-1.mga7 #1 SMP Wed Dec 2 09:05:37 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort
x11-server-common-1.20.10-1.1.mga7
x11-server-xorg-1.20.10-1.1.mga7
x11-server-xwayland-1.20.10-1.1.mga7
$ lspci | grep VGA
00:02.0 VGA compatible controller: Red Hat, Inc. Virtio GPU (rev 01)
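As an added defender-side check (example code, not from this bug thread or from Mageia's own tooling): a POSIX shell script that reports whether an installed x11-server package is at or above the fixed version-release named in the advisory above, approximating rpm's version comparison so that the release suffix (the subrel discussed earlier in the thread) is ordered the way rpm orders it. The names FIXED_VR, segs, vrcmp, patched and check_host are chosen here and are not Mageia conventions; the rpm query is only attempted when rpm is present.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Mageia: is an installed
# x11-server package at or above the Mageia 7 fix for CVE-2020-14360 /
# CVE-2020-25712 named in the advisory (1.20.10-1.1.mga7)? rpm's rpmvercmp is
# approximated: segments are digit or letter runs, digits compare numerically,
# letters lexically, numeric beats alphabetic; epochs and tildes are not handled.
FIXED_VR="1.20.10-1.1.mga7"

# Split "1.1.mga7" into the segments "1 1 mga 7".
segs() {
    printf '%s' "$1" | tr -c 'a-zA-Z0-9' ' ' \
        | sed 's/\([0-9]\)\([a-zA-Z]\)/\1 \2/g; s/\([a-zA-Z]\)\([0-9]\)/\1 \2/g'
}

# Compare two version (or release) strings segment by segment; prints -1, 0 or 1.
vrcmp() {
    _b=$(segs "$2")
    set -- $(segs "$1")
    for y in $_b; do
        [ $# -eq 0 ] && { echo -1; return; }
        x=$1; shift
        case "$x$y" in
        *[!0-9]*)   # at least one side is alphabetic
            case "$x" in *[!0-9]*) ;; *) echo 1; return ;; esac
            case "$y" in *[!0-9]*) ;; *) echo -1; return ;; esac
            [ "$x" = "$y" ] && continue
            if expr "$x" \< "$y" >/dev/null; then echo -1; else echo 1; fi
            return ;;
        *)          # both numeric
            [ "$x" -lt "$y" ] && { echo -1; return; }
            [ "$x" -gt "$y" ] && { echo 1; return; } ;;
        esac
    done
    [ $# -gt 0 ] && echo 1 || echo 0
}

# Succeed when "VERSION-RELEASE" is at or above FIXED_VR: version first, release
# only on a tie, as rpm does. Note 1.20.10-1.mga7 sorts below 1.20.10-1.1.mga7.
patched() {
    r=$(vrcmp "${1%%-*}" "${FIXED_VR%%-*}")
    [ "$r" = 0 ] && r=$(vrcmp "${1#*-}" "${FIXED_VR#*-}")
    [ "$r" != -1 ]
}
# On a Mageia host, print a verdict for every installed x11-server subpackage.
check_host() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'x11-server*' |
    while read -r name vr; do
        if patched "$vr"; then echo "fixed      $name-$vr"; else echo "VULNERABLE $name-$vr"; fi
    done
}
command -v rpm >/dev/null 2>&1 && check_host
```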
No issues with
1) M7.1 Plasma under X11-session with nvidia-current drivers.
2) M7.1 Gnome under X11-session with nvidia-current drivers.
3) M7.1 Gnome wayland-session with Intel gfx. xwayland apps (Firefox) are OK.
MCC launches very well. Also same under Virtual-Machines.
CC: (none) => ouaurelien
No issue since two days. Daily usage is OK. SDDM works as usual. See Comment 13. Validating update. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2020-14360, CVE-2020-25712
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0456.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED