Bug 30855 - wayland new security issue CVE-2021-3782
Summary: wayland new security issue CVE-2021-3782
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-16 19:02 CEST by David Walser
Modified: 2022-11-13 03:26 CET

See Also:
Source RPM: wayland-1.18.0-3.mga8.src.rpm
CVE: CVE-2021-3782
Status comment:



Description David Walser 2022-09-16 19:02:33 CEST
Ubuntu has issued an advisory on September 15:
https://ubuntu.com/security/notices/USN-5614-1

The issue is fixed upstream in 1.20.91.

Comment 1 Marja Van Waes 2022-09-17 13:31:27 CEST
Assigning to the registered wayland maintainer.

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-10-19 13:48:34 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time. (CVE-2021-3782)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3782
https://ubuntu.com/security/notices/USN-5614-1
========================

Updated packages in core/updates_testing:
========================
lib(64)wayland-client0-1.18.0-3.1.mga8
lib(64)wayland-cursor0-1.18.0-3.1.mga8
lib(64)wayland-devel-1.18.0-3.1.mga8
lib(64)wayland-egl1-1.18.0-3.1.mga8
lib(64)wayland-server0-1.18.0-3.1.mga8
wayland-doc-1.18.0-3.1.mga8
wayland-tools-1.18.0-3.1.mga8

from SRPM:
wayland-1.18.0-3.1.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-3782
Assignee: mageia => qa-bugs
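
The counter arithmetic behind the advisory in comment 2, as an added example that is not part of the original report and is neither wayland's code nor the upstream fix. `toy_pool`, `ref_unchecked`, `ref_checked` and `unref` are hypothetical names, and refusing a reference at the limit is one generic mitigation shown for contrast.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for a pool tracking structure (not wayland's own). */
struct toy_pool {
    int32_t  refcount; /* signed 32-bit counter, like the int in the advisory */
    uint64_t live;     /* ground truth: references that really exist */
    bool     freed;
};

/* Unchecked pattern: take n references. The wrap is modelled with unsigned
 * arithmetic because signed overflow is undefined behaviour in C. */
static void ref_unchecked(struct toy_pool *p, uint64_t n) {
    p->refcount = (int32_t)((uint32_t)p->refcount + (uint32_t)n);
    p->live += n;
}

/* Checked pattern: refuse the reference instead of letting the counter wrap. */
static bool ref_checked(struct toy_pool *p) {
    if (p->freed || p->refcount <= 0 || p->refcount == INT32_MAX)
        return false;
    p->refcount++;
    p->live++;
    return true;
}

/* Drop one reference; the pool is released when the counter reaches zero. */
static void unref(struct toy_pool *p) {
    p->live--;
    if (--p->refcount == 0)
        p->freed = true;
}

/* 1 reference + 2^32 unchecked ones, one release: true if freed while in use. */
static bool demo_unchecked_wrap(void) {
    struct toy_pool p = { 1, 1, false };
    ref_unchecked(&p, (uint64_t)1 << 32);
    unref(&p);
    return p.freed && p.live > 0;
}

/* Near the limit the checked variant stops handing out references. */
static bool demo_checked_refuses(void) {
    struct toy_pool p = { INT32_MAX - 1, INT32_MAX - 1, false };
    bool first = ref_checked(&p), second = ref_checked(&p);
    return first && !second && p.refcount == INT32_MAX && !p.freed;
}

int main(void) { return demo_unchecked_wrap() && demo_checked_refuses() ? 0 : 1; }
```
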

Comment 3 Brian Rockwell 2022-10-20 21:57:27 CEST
GNOME, MGA8-64, laptop, A6


The following 4 packages are going to be installed:

- lib64wayland-client0-1.18.0-3.1.mga8.x86_64
- lib64wayland-cursor0-1.18.0-3.1.mga8.x86_64
- lib64wayland-egl1-1.18.0-3.1.mga8.x86_64
- lib64wayland-server0-1.18.0-3.1.mga8.x86_64

4.3KB of additional disk space will be used.


-- rebooted and confirmed set to standard GNOME option

system is behaving as expected.

CC: (none) => brtians1

Comment 4 Brian Rockwell 2022-10-22 16:27:30 CEST
GNOME, Vbox, 64bit

The following 9 packages are going to be installed:

- lib64ffi-devel-3.3-2.mga8.x86_64
- lib64wayland-client0-1.18.0-3.1.mga8.x86_64
- lib64wayland-cursor0-1.18.0-3.1.mga8.x86_64
- lib64wayland-devel-1.18.0-3.1.mga8.x86_64
- lib64wayland-egl1-1.18.0-3.1.mga8.x86_64
- lib64wayland-server0-1.18.0-3.1.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- wayland-doc-1.18.0-3.1.mga8.noarch
- wayland-tools-1.18.0-3.1.mga8.x86_64

1.2MB of additional disk space will be used.


- rebooted
- confirmed using GNOME standard


rendering as I would expect.

Comment 5 Herman Viaene 2022-10-25 15:27:19 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Rebooted after installation, everything seems to work, but most applications (Firefox and caja, LO, parole e.a.) get a thick black outer border. I found only Videos application to have a thin border as usual.
I can't see this system is actually running wayland????

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2022-10-25 15:30:30 CEST
Hi Herman,
I've seen this before. Check if High Contrast got enabled in Mate.

Comment 7 Herman Viaene 2022-10-25 15:47:08 CEST
@Brian,
You mean the Appearance setting: the theme active (by default, I didn't change it) is Custom, and it refers to Menta, and nowhere in the Controls etc... is High Contrast selected.

Comment 8 Ulrich Beckmann 2022-11-08 16:20:16 CET
Tested KDE Plasma Wayland on a Sony Vaio E Series laptop with AMD/ATI graphics.

[root@mga8-tst2 ~]# lspci -nnk | grep -iA3 vga
01:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Thames [Radeon HD 7550M/7570M/7650M] [1002:6841]
        Subsystem: Sony Corporation Device [104d:90ac]
        Kernel driver in use: radeon
        Kernel modules: radeon

No regression found.

Ulrich

CC: (none) => bequimao.de

Comment 9 Thomas Andrews 2022-11-12 18:00:07 CET
Giving this an OK based on tests by Brian and Ulrich, as well as Herman's comment that "everything seems to work."

Herman, I am completely unfamiliar with either MATE or Wayland, but a bit of research indicates that the mga8 version of MATE is 1.24.x. It is my understanding that there was only partial support for Wayland in that version, with much more in the 1.26.x version in Cauldron. 

Therefore, I am thinking that a bit of what sounds like a cosmetic issue in MATE 1.24 can be discounted for the purposes of this update. If any of that is in error, someone please correct me.

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-11-13 00:24:57 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2022-11-13 03:26:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0418.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

