X.org has issued an advisory today (May 18):
https://lists.x.org/archives/xorg-announce/2021-May/003088.html

A third party group issued their own advisory for the issue as well:
https://www.openwall.com/lists/oss-security/2021/05/18/3

The issue is fixed upstream in 1.7.1:
https://lists.x.org/archives/xorg-announce/2021-May/003089.html

Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 1.7.1
Assigning to committer.
Assignee: bugsquad => pkg-bugs
CC: (none) => ouaurelien, thierry.vignaud
CVE: (none) => CVE-2021-31535
Pushed into mga 7/8/9 src:
- libx11-1.6.12-1.1.mga7
- libx11-1.7.0-1.1.mga8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => mageia
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.7.1 => (none)
mga8, x64

Waiting for the package list but in the meantime followed up the link https://www.openwall.com/lists/oss-security/2021/05/18/3.
There is an example of an exploit at:
https://unparalleled.eu/blog/2021/20210518-using-xterm-to-navigate-the-huge-color-space/

Before update:

$ chmod +x enjoy-all-the-colors.py
$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
xterm: warning, error event received:
X Error of failed request:  BadFont (invalid Font parameter)
  Major opcode of failed request:  48 (X_QueryTextExtents)
  Resource id in failed request:  0x54545454
  Serial number of failed request:  579
  Current serial number in output stream:  579
$ xhost
access control disabled, clients can connect from any host
INET:localhost
SI:localuser:root
SI:localuser:lcl
CC: (none) => tarazed25
Just testing it works: Mga8-64 OK

Everything updated to testing; i.e. also the mesa and libdrm from Bug 28949.
And here:
- lib64x11-xcb1-1.7.0-1.1.mga8.x86_64
- lib64x11_6-1.7.0-1.1.mga8.x86_64

Hardware: My workstation "svarten": Mainboard: Sabertooth P67, CPU: i7-3770, RAM 16G, GM107 [GeForce GTX 750] using nvidia-current (GeForce 635 series and later), 4k display.
CC: (none) => fri
$ inxi -SGxx
System:    Host: mageia.local Kernel: 5.10.37-desktop-2.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0
           Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8
Graphics:  Device-1: NVIDIA TU116 [GeForce GTX 1660 Ti] vendor: Gigabyte driver: nvidia v: 460.80
           bus ID: 01:00.0 chip ID: 10de:2182
           Display: x11 server: Mageia X.org 1.20.11 compositor: kwin_x11 driver: modesetting,nvidia,v4l
           resolution: 1: 1920x1080~60Hz 2: 1920x1080 s-dpi: 80
           OpenGL: renderer: GeForce GTX 1660 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA 460.80 direct render: Yes

$ rpm -qa --last
libx11-common-1.7.0-1.1.mga8.x86_64           jeu. 20 mai 2021 15:51:53
lib64x11-xcb1-1.7.0-1.1.mga8.x86_64           jeu. 20 mai 2021 15:51:52
lib64x11_6-1.7.0-1.1.mga8.x86_64              jeu. 20 mai 2021 15:51:52

This is updated OK. MGA8-64-OK for me.

For the packages list: Hum, http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28940 reports about Mageia 7 SRPM... strange.
libx11_6-1.6.12-1.1.mga7
libx11-xcb1-1.6.12-1.1.mga7
libx11-devel-1.6.12-1.1.mga7
libx11-common-1.6.12-1.1.mga7
libx11-doc-1.6.12-1.1.mga7
libx11_6-1.7.0-1.1.mga8
libx11-common-1.7.0-1.1.mga8
libx11-devel-1.7.0-1.1.mga8
libx11-xcb1-1.7.0-1.1.mga8
libx11-doc-1.7.0-1.1.mga8
mga7, x64

Before update:
lib64x11_6-1.6.12-1.mga7
lib64x11-xcb1-1.6.12-1.mga7
lib64x11-devel-1.6.12-1.mga7
libx11-common-1.6.12-1.mga7
libx11-doc-1.6.12-1.mga7

PoC test, referenced in comment 3.

$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
xterm: cannot load font "-Misc-Fixed-medium-R-*-*-15-140-75-75-C-180-ISO10646-1"
xterm: warning, error event received:
X Error of failed request:  BadFont (invalid Font parameter)
  Major opcode of failed request:  48 (X_QueryTextExtents)
  Resource id in failed request:  0x54545454
  Serial number of failed request:  563
  Current serial number in output stream:  563

This launched an xterm with a blue background and then crashed.

$ xhost
access control disabled, clients can connect from any host
INET:localhost
SI:localuser:lcl

Updated the packages.

PoC test:
$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
xterm: cannot load font "-Misc-Fixed-medium-R-*-*-15-140-75-75-C-180-ISO10646-1"
$ xhost
access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:lcl

That confirms that the software is no longer vulnerable.

`urpmq --whatrequires` lists over 1000 dependent packages and applications.

$ xsysinfo -swap
Graphical display of the varying load on the CPUs and after a while a load average.

Used xplayer to view some videos.

Ran a themed vlc under strace.
$ grep X11 vlc.trace
openat(AT_FDCWD, "/lib64/libX11.so.6", O_RDONLY|O_CLOEXEC) = 12

Installed bitmap and ran it for a while, drawing simple figures and saving as a file. The trace did not show libx11 being used but libXt was opened successfully and that is one of the items in the dependency list.
$ grep X11 bitmap.trace
openat(AT_FDCWD, "/lib64/libX11.so.6", O_RDONLY|O_CLOEXEC) = 3

Also libXt was opened successfully and that is one of the items in the dependency list.
$ grep Xt bitmap.trace
openat(AT_FDCWD, "/lib64/libXt.so.6", O_RDONLY|O_CLOEXEC) = 3
recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\6\0\0\4\6Xt\24\3

Ran glxgears under strace and that checks out.
$ grep X11 mesa.trace
openat(AT_FDCWD, "/lib64/libX11.so.6", O_RDONLY|O_CLOEXEC) = 3
[...]
openat(AT_FDCWD, "/usr/lib64/libX11.so.6.3.0", O_RDONLY) = 4
openat(AT_FDCWD, "/lib64/libX11-xcb.so.1", O_RDONLY|O_CLOEXEC) = 4

This all looks good.
Just to finish this off for mga8.

PoC test:
$ xhost -
access control enabled, only authorized clients can connect
$ xterm -e ./enjoy-all-the-colors.py
$ xhost
access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:root
SI:localuser:lcl

Fix was successful.
(In reply to David Walser from comment #6)
> libx11_6-1.6.12-1.1.mga7
> libx11-xcb1-1.6.12-1.1.mga7
> libx11-devel-1.6.12-1.1.mga7
> libx11-common-1.6.12-1.1.mga7
> libx11-doc-1.6.12-1.1.mga7
> libx11_6-1.7.0-1.1.mga8
> libx11-common-1.7.0-1.1.mga8
> libx11-devel-1.7.0-1.1.mga8
> libx11-xcb1-1.7.0-1.1.mga8
> libx11-doc-1.7.0-1.1.mga8

For my own information, how do you obtain such a list? I knew about http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28940
Do you have a better method? Please share it with me ;)
I load the build logs from http://pkgsubmit.mageia.org/ and jump to the end where it outputs the built RPMs, and run:

awk -F/ '{print $NF}' - | awk -F. 'BEGIN{OFS="."}{NF=NF-2;print}' -

in a terminal and paste in the list (then hit Ctrl-D) and it gives me what I want. For mga8 I have to manually filter out the *debug* ones since it's not sorting them correctly (those should be at the end).
Advisory:
========================

Updated libx11 packages fix a security vulnerability:

XLookupColor() and other X library functions lack proper validation of the
length of their string parameters. If those parameters can be controlled by
an external application (for instance a color name that can be emitted via
a terminal control sequence) it can lead to the emission of extra X protocol
requests to the X server (CVE-2021-31535).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28940
- https://lists.x.org/archives/xorg-announce/2021-May/003088.html
- https://lists.x.org/archives/xorg-announce/2021-May/003089.html
- https://www.openwall.com/lists/oss-security/2021/05/18/3
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)x11_6-1.6.12-1.1.mga7
lib(64)x11-xcb1-1.6.12-1.1.mga7
lib(64)x11-devel-1.6.12-1.1.mga7
lib(64)x11-common-1.6.12-1.1.mga7
lib(64)x11-doc-1.6.12-1.1.mga7

from SRPM: libx11-1.6.12-1.1.mga7
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)x11_6-1.7.0-1.1.mga8
lib(64)x11-common-1.7.0-1.1.mga8
lib(64)x11-devel-1.7.0-1.1.mga8
lib(64)x11-xcb1-1.7.0-1.1.mga8
lib(64)x11-doc-1.7.0-1.1.mga8

from SRPM: libx11-1.7.0-1.1.mga8
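The advisory above states the mechanism in two sentences: a string length that is never validated is copied into wire fields that are only 16 bits wide, so a long enough colour name makes the declared request shorter than the bytes actually written, and the server parses the remainder as fresh requests. The BadFont errors in the test logs above are consistent with that reading: major opcode 48 and resource id 0x54545454 are the ASCII bytes '0' and "TTTT", i.e. colour-string bytes being decoded as a QueryTextExtents request. The C program below is an added model written for this page to make the arithmetic visible; it is not libX11's code. Its assumptions: a 12-byte request header with a 16-bit length field counted in 4-byte units and a 16-bit nbytes field (the core protocol's LookupColor shape, simplified), 4-byte padding of the string, and a `>= USHRT_MAX` rejection standing in for the "proper validation" the advisory refers to. All struct and function names are the model's own.

```c
/* Model of CVE-2021-31535 (added example, not libX11 code): a string length
 * copied into 16-bit wire fields without validation.  Header size, padding
 * and field layout are simplified assumptions; only the truncation
 * behaviour of the 16-bit fields is the point being demonstrated. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES 12u   /* assumed fixed header size of the modeled request */

typedef struct {
    uint16_t length;    /* whole request in 4-byte units, 16 bits on the wire */
    uint16_t nbytes;    /* colour-name length, 16 bits on the wire */
} model_req;

/* Round a byte count up to the 4-byte alignment the protocol requires. */
static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* What the client actually writes: header plus the padded string. */
static size_t written_wire_bytes(size_t n) { return HDR_BYTES + pad4(n); }

/* What the truncated 16-bit length field tells the server to consume. */
static size_t declared_wire_bytes(size_t n) {
    return 4u * (uint16_t)(written_wire_bytes(n) / 4);
}

/* Bytes past the declared request: the server reads them as new requests. */
static size_t smuggled_bytes(size_t n) {
    return written_wire_bytes(n) - declared_wire_bytes(n);
}

/* Vulnerable pattern: strlen() stored into 16-bit fields with no check. */
static void encode_unchecked(const char *name, model_req *req) {
    size_t n = strlen(name);
    req->nbytes = (uint16_t)n;                           /* silently wraps */
    req->length = (uint16_t)(written_wire_bytes(n) / 4); /* silently wraps */
}

/* Hardened pattern: refuse a name that cannot be represented on the wire,
 * so the caller gets a failure instead of a malformed request stream. */
static int encode_checked(const char *name, model_req *req) {
    if (strlen(name) >= USHRT_MAX) return 0;
    encode_unchecked(name, req);
    return 1;
}

/* Build a name of n 'T' (0x54) bytes and return how many bytes the unchecked
 * encoder leaves for the server to misparse as further requests. */
static size_t demo_unchecked(size_t n) {
    char *name = malloc(n + 1);
    if (!name) return 0;
    memset(name, 'T', n);
    name[n] = '\0';
    model_req req = {0, 0};
    encode_unchecked(name, &req);
    size_t extra = smuggled_bytes(n);
    printf("n=%zu -> nbytes=%u length=%u units, %zu bytes misparsed\n",
           n, (unsigned)req.nbytes, (unsigned)req.length, extra);
    free(name);
    return extra;
}

/* Same name, hardened encoder: 1 if accepted, 0 if rejected. */
static int demo_checked(size_t n) {
    char *name = malloc(n + 1);
    if (!name) return -1;
    memset(name, 'T', n);
    name[n] = '\0';
    model_req req = {0, 0};
    int ok = encode_checked(name, &req);
    free(name);
    return ok;
}

int main(void) {
    demo_unchecked(12);       /* ordinary colour name: nothing left over */
    demo_unchecked(262148);   /* length field wraps to 4 units: 262144 bytes misparsed */
    printf("checked encoder accepts 12-byte name: %d\n", demo_checked(12));
    printf("checked encoder accepts 262148-byte name: %d\n", demo_checked(262148));
    return 0;
}
```

The 262148-byte case is chosen so that the padded request is 262160 bytes, or 65540 4-byte units; the 16-bit field keeps only 4 of those units, so the server consumes 16 bytes and is left with 262144 bytes of attacker-chosen text positioned exactly where it expects the next request header. The QA check in the comments above (run the PoC with `xhost -` active, then confirm `xhost` still reports access control enabled) is the observable counterpart of the `encode_checked` branch: a fixed client never sends the trailing bytes at all.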
(In reply to David Walser from comment #10)
> I load the build logs from http://pkgsubmit.mageia.org/ and jump to the end
> where it outputs the built RPMs, and run:
> awk -F/ '{print $NF}' - | awk -F. 'BEGIN{OFS="."}{NF=NF-2;print}' -
>
> in a terminal and paste in the list (then hit Ctrl-D) and it gives me what I
> want. For mga8 I have to manually filter out the *debug* ones since it's
> not sorting them correctly (those should be at the end).

Thanks! Writing this in my head ;)
Another option is using urpmf, such as

$ urpmf --sourcerpm --media "Core Updates Testing" libx11
lib64x11-xcb1:libx11-1.7.0-1.1.mga8.src.rpm
lib64x11-devel:libx11-1.7.0-1.1.mga8.src.rpm
lib64x11_6:libx11-1.7.0-1.1.mga8.src.rpm
libx11-doc:libx11-1.7.0-1.1.mga8.src.rpm
libx11-common:libx11-1.7.0-1.1.mga8.src.rpm

$ urpmf --sourcerpm --media "Core 32bit Updates Testing" libx11
libx11-xcb1:libx11-1.7.0-1.1.mga8.src.rpm
libx11-common:libx11-1.7.0-1.1.mga8.src.rpm
libx11-devel:libx11-1.7.0-1.1.mga8.src.rpm
libx11_6:libx11-1.7.0-1.1.mga8.src.rpm
libx11-doc:libx11-1.7.0-1.1.mga8.src.rpm
CC: (none) => davidwhodgins
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0219.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Debian has issued an advisory for this on May 24: https://www.debian.org/security/2021/dsa-4920