Bug 31732 - x11-server, x11-server-xwayland new security issue CVE-2023-1393
Summary: x11-server, x11-server-xwayland new security issue CVE-2023-1393
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 31523
Blocks:
  Show dependency treegraph
 
Reported: 2023-03-30 20:06 CEST by David Walser
Modified: 2023-04-11 21:03 CEST (History)
8 users (show)

See Also:
Source RPM: x11-server-1.20.14-4.2.mga8.src.rpm, tigervnc-1.11.0-4.2.mga8.src.rpm
CVE: CVE-2023-1393
Status comment:


Attachments

Description David Walser 2023-03-30 20:06:13 CEST
X.org has issued an advisory on March 29:
https://lists.x.org/archives/xorg-announce/2023-March/003374.html

The issue is fixed upstream in x11-server 21.1.8 and xwayland 22.1.9:
https://lists.x.org/archives/xorg-announce/2023-March/003377.html
https://lists.x.org/archives/xorg-announce/2023-March/003375.html

Mageia 8 is also affected.
David Walser 2023-03-30 20:06:37 CEST

Depends on: (none) => 31523
Status comment: (none) => Fixed upstream in x11-server 21.1.8 and xwayland 22.1.9
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-03-30 22:42:56 CEST
Debian and Ubuntu have issued advisories for this on March 29:
https://www.debian.org/security/2023/dsa-5380
https://ubuntu.com/security/notices/USN-5986-1
Comment 2 David Walser 2023-03-30 23:48:05 CEST
Fedora has issued an advisory for this today (March 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CB62PUAZRE2ZK6PDX6OZ2WSYXDJGBGTS/
Comment 3 Marja Van Waes 2023-04-02 11:02:38 CEST
Assigning to the registered maintainer of x11-server and x11-server-xwayland

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11

Comment 4 Nicolas Salguero 2023-04-04 12:08:53 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. (CVE-2023-1393)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1393
https://lists.x.org/archives/xorg-announce/2023-March/003374.html
https://www.debian.org/security/2023/dsa-5380
https://ubuntu.com/security/notices/USN-5986-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CB62PUAZRE2ZK6PDX6OZ2WSYXDJGBGTS/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.20.14-4.3.mga8
x11-server-common-1.20.14-4.3.mga8
x11-server-devel-1.20.14-4.3.mga8
x11-server-source-1.20.14-4.3.mga8
x11-server-xdmx-1.20.14-4.3.mga8
x11-server-xephyr-1.20.14-4.3.mga8
x11-server-xnest-1.20.14-4.3.mga8
x11-server-xorg-1.20.14-4.3.mga8
x11-server-xvfb-1.20.14-4.3.mga8
x11-server-xwayland-1.20.14-4.3.mga8

from SRPM:
x11-server-1.20.14-4.3.mga8.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-1393
Status comment: Fixed upstream in x11-server 21.1.8 and xwayland 22.1.9 => (none)
Source RPM: x11-server-21.1.7-1.mga9.src.rpm, x11-server-xwayland-22.1.8-1.mga9.src.rpm => x11-server-1.20.14-4.2.mga8.src.rpm
Version: Cauldron => 8
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)

Comment 5 David Walser 2023-04-04 21:11:24 CEST
Apparently tigervnc is also affected, yet again.  Nicolas, can we take care of this one too?
https://access.redhat.com/errata/RHSA-2023:1592
Comment 6 Morgan Leijström 2023-04-04 22:38:36 CEST
mga8-64 test OK with Plasma, nvidia-current

Installed rebooted, normal operation
Video in browser and as picture-in-picture.
VirtualBox running MSW7 guest.

CPU: i7-3770
GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display
Mainboard: Sabertooth P67

CC: (none) => fri

Comment 7 David Walser 2023-04-05 03:04:56 CEST
(In reply to David Walser from comment #5)
> Apparently tigervnc is also affected, yet again.  Nicolas, can we take care
> of this one too?
> https://access.redhat.com/errata/RHSA-2023:1592

Fedora advisory for tigervnc:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SW2NRC3V53PIBXFPFBVWCOM2MDDILWQS/
Comment 8 Nicolas Salguero 2023-04-05 10:12:13 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. (CVE-2023-1393)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1393
https://lists.x.org/archives/xorg-announce/2023-March/003374.html
https://www.debian.org/security/2023/dsa-5380
https://ubuntu.com/security/notices/USN-5986-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CB62PUAZRE2ZK6PDX6OZ2WSYXDJGBGTS/
https://access.redhat.com/errata/RHSA-2023:1592
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SW2NRC3V53PIBXFPFBVWCOM2MDDILWQS/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.20.14-4.3.mga8
x11-server-common-1.20.14-4.3.mga8
x11-server-devel-1.20.14-4.3.mga8
x11-server-source-1.20.14-4.3.mga8
x11-server-xdmx-1.20.14-4.3.mga8
x11-server-xephyr-1.20.14-4.3.mga8
x11-server-xnest-1.20.14-4.3.mga8
x11-server-xorg-1.20.14-4.3.mga8
x11-server-xvfb-1.20.14-4.3.mga8
x11-server-xwayland-1.20.14-4.3.mga8

tigervnc-1.11.0-4.3.mga8
tigervnc-java-1.11.0-4.3.mga8
tigervnc-server-1.11.0-4.3.mga8
tigervnc-server-module-1.11.0-4.3.mga8

from SRPMS:
x11-server-1.20.14-4.3.mga8.src.rpm
tigervnc-1.11.0-4.3.mga8.src.rpm
Nicolas Salguero 2023-04-05 10:12:29 CEST

Source RPM: x11-server-1.20.14-4.2.mga8.src.rpm => x11-server-1.20.14-4.2.mga8.src.rpm, tigervnc-1.11.0-4.2.mga8.src.rpm

Comment 9 Brian Rockwell 2023-04-05 16:46:43 CEST
MGA7-64 - Phys Hardware - AMD x3, 730GT, Plasma 

The following 3 packages are going to be installed:

- x11-server-common-1.20.14-4.3.mga8.x86_64
- x11-server-xorg-1.20.14-4.3.mga8.x86_64
- x11-server-xwayland-1.20.14-4.3.mga8.x86_64

616B of additional disk space will be used


--- rebooted

I've spent about an hour running different apps on the machine.  No apparent graphics issues on this box.

working for me in plasma.

TigerVNC - that requires me use a separate "safe" instance to test on.

CC: (none) => brtians1

Comment 10 Brian Rockwell 2023-04-05 18:14:31 CEST
MGA8-64, Cinnamon, AMD x3, 730GT

installed same x11 server components

Attempted TigerVNC server

Everything installed fine.  TigerVNC - configuration challenges, but seems to run when triggered through systemctl.

Works for me.
PC LX 2023-04-07 21:40:22 CEST

CC: (none) => mageia

Comment 11 Brian Rockwell 2023-04-07 22:38:24 CEST
VBOx plasma

I am installing all of the X11 pieces, excluding tigervnc

The following 51 packages are going to be installed:

- lib64bsd-devel-0.10.0-2.mga8.x86_64
- lib64bz2-devel-1.0.8-2.mga8.x86_64
- lib64dri-drivers-21.3.9-1.mga8.x86_64
- lib64drm-devel-2.4.107-3.mga8.x86_64
- lib64expat-devel-2.2.10-1.mga8.x86_64
- lib64fontenc-devel-1.1.4-2.mga8.x86_64
- lib64freetype2-devel-2.10.4-2.mga8.x86_64
- lib64glapi-devel-21.3.9-1.mga8.x86_64
- lib64glapi0-21.3.9-1.mga8.x86_64
- lib64glesv1_cm1-1.3.2-16.mga8.x86_64
- lib64glvnd-devel-1.3.2-16.mga8.x86_64
- lib64kms1-2.4.107-3.mga8.x86_64
- lib64mesagl-devel-21.3.9-1.mga8.x86_64
- lib64mesagl1-21.3.9-1.mga8.x86_64
- lib64mesakhr-devel-21.3.9-1.mga8.x86_64
- lib64mesavulkan-drivers-21.3.9-1.mga8.x86_64
- lib64pciaccess-devel-0.16-2.mga8.x86_64
- lib64pixman-devel-0.40.0-1.mga8.x86_64
- lib64png-devel-1.6.37-2.mga8.x86_64
- lib64x11-devel-1.7.0-1.2.mga8.x86_64
- lib64xau-devel-1.0.9-2.mga8.x86_64
- lib64xcb-devel-1.14-1.mga8.x86_64
- lib64xcb-screensaver0-1.14-1.mga8.x86_64
- lib64xcb-xf86dri0-1.14-1.mga8.x86_64
- lib64xcb-xtest0-1.14-1.mga8.x86_64
- lib64xcb-xvmc0-1.14-1.mga8.x86_64
- lib64xdmcp-devel-1.1.3-2.mga8.x86_64
- lib64xext-devel-1.3.4-2.mga8.x86_64
- lib64xfixes-devel-5.0.3-3.mga8.x86_64
- lib64xfont2-devel-2.0.4-2.mga8.x86_64
- lib64xkbfile-devel-1.1.0-2.mga8.x86_64
- lib64xshmfence-devel-1.3-3.mga8.x86_64
- lib64xxf86vm-devel-1.1.4-4.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- libpthread-stubs-0.4-3.mga8.x86_64
- libstdc++-devel-10.3.0-2.mga8.x86_64
- libstdc++-python-devel-10.3.0-2.mga8.x86_64
- mesa-21.3.9-1.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- valgrind-devel-3.16.1-10.mga8.x86_64
- x11-proto-devel-2020.1-2.mga8.noarch
- x11-server-1.20.14-4.3.mga8.x86_64
- x11-server-common-1.20.14-4.3.mga8.x86_64
- x11-server-devel-1.20.14-4.3.mga8.x86_64
- x11-server-source-1.20.14-4.3.mga8.noarch
- x11-server-xdmx-1.20.14-4.3.mga8.x86_64
- x11-server-xephyr-1.20.14-4.3.mga8.x86_64
- x11-server-xnest-1.20.14-4.3.mga8.x86_64
- x11-server-xorg-1.20.14-4.3.mga8.x86_64
- x11-server-xvfb-1.20.14-4.3.mga8.x86_64
- x11-server-xwayland-1.20.14-4.3.mga8.x86_64

60MB of additional disk space will be used.

Everything installed and the system is working.  Note, I'm running this on Vbox running an MGA8 host that is also running the X11 updates.  Seems to be working for me.
Brian Rockwell 2023-04-07 22:39:39 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 12 Brian Rockwell 2023-04-07 23:53:34 CEST
MGA8-32, vbox, mate

- x11-server-1.20.14-4.3.mga8.i586
- x11-server-common-1.20.14-4.3.mga8.i586
- x11-server-xdmx-1.20.14-4.3.mga8.i586
- x11-server-xnest-1.20.14-4.3.mga8.i586
- x11-server-xorg-1.20.14-4.3.mga8.i586
- x11-server-xvfb-1.20.14-4.3.mga8.i586
- x11-server-xwayland-1.20.14-4.3.mga8.i586

-- rebooted

tested with video (youtube).

working as expected.
Comment 13 Thomas Andrews 2023-04-08 14:36:54 CEST
Validating. Advisory in comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-04-11 00:43:49 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 14 Mageia Robot 2023-04-11 21:03:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0131.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.