Bug 31137 - libx11 new security issues CVE-2022-355[45]
Summary: libx11 new security issues CVE-2022-355[45]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-16 17:44 CET by David Walser
Modified: 2022-11-24 23:22 CET

See Also:
Source RPM: libx11-1.7.0-1.2.mga8.src.rpm
CVE: CVE-2022-3554, CVE-2022-3555
Status comment:



Description David Walser 2022-11-16 17:44:34 CET
SUSE has issued an advisory on November 15:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012923.html

The issues are fixed upstream in 1.8.2:
https://lists.x.org/archives/xorg-announce/2022-November/003253.html
David Walser 2022-11-16 17:47:30 CET

Status comment: (none) => Fixed upstream in 1.8.2

Comment 2 Lewis Smith 2022-11-17 12:03:48 CET
DavidW has already put v1.8.2 into Cauldron.
Assigning to tv for Mageia 8, you seem to be the principal maintainer.

Assignee: bugsquad => thierry.vignaud

Comment 3 Nicolas Salguero 2022-11-22 15:05:13 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Memory leak in XRegisterIMInstantiateCallback(). (CVE-2022-3554)

Memory leak in _XFreeX11XCBStructure(). (CVE-2022-3555)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3555
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012923.html
https://lists.x.org/archives/xorg-announce/2022-November/003253.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TPCKHK5VITSWJVYMQDZ642ZYBWJACES3/
========================

Updated packages in core/updates_testing:
========================
lib(64)x11_6-1.7.0-1.3.mga8
lib(64)x11-devel-1.7.0-1.3.mga8
lib(64)x11-xcb1-1.7.0-1.3.mga8
libx11-common-1.7.0-1.3.mga8
libx11-doc-1.7.0-1.3.mga8

from SRPM:
libx11-1.7.0-1.3.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.8.2 => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-3554, CVE-2022-3555
Assignee: thierry.vignaud => qa-bugs

Comment 4 Morgan Leijström 2022-11-23 12:16:35 CET
mga8-64 OK here
Plasma, VirtualBox host
nvidia-current and kernel from backports updates testing.

tests at https://bugs.mageia.org/show_bug.cgi?id=31149#c6

CC: (none) => fri

Comment 5 Herman Viaene 2022-11-23 14:32:30 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 29102 for testing.
Rebooted after installation, all looks well.
$ xview flipped.jpg 
flipped.jpg is a 903x988 JPEG image, color space YCbCr, 3 comps., Huffman coding
  Building XImage...done
Picture looks OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2022-11-23 16:34:01 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-11-24 04:19:21 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-11-24 23:22:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0438.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

