32015 – libx11 new security issue CVE-2023-3138

Bug 32015 - libx11 new security issue CVE-2023-3138

Summary: libx11 new security issue CVE-2023-3138

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-06-15 22:38 CEST by David Walser
Modified:	2023-06-28 07:23 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	libx11-1.7.0-1.3.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-06-15 22:38:59 CEST

X.org has issued an advisory today (June 15):
https://lists.x.org/archives/xorg-announce/2023-June/003406.html

The issue is fixed upstream in 1.8.6:
https://lists.x.org/archives/xorg-announce/2023-June/003407.html

Mageia 8 is also affected.

David Walser 2023-06-15 22:39:27 CEST

Status comment: (none) => Fixed upstream in 1.8.6
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2023-06-16 14:15:07 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer overflows in InitExt.c in libX11 prior to 1.8.6. (CVE-2023-3138)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3138
https://lists.x.org/archives/xorg-announce/2023-June/003406.html
https://lists.x.org/archives/xorg-announce/2023-June/003407.html
========================

Updated packages in core/updates_testing:
========================
lib(64)x11_6-1.7.0-1.4.mga8
lib(64)x11-devel-1.7.0-1.4.mga8
lib(64)x11-xcb1-1.7.0-1.4.mga8
libx11-common-1.7.0-1.4.mga8
libx11-doc-1.7.0-1.4.mga8

from SRPM:
libx11-1.7.0-1.4.mga8.src.rpm

Status comment: Fixed upstream in 1.8.6 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Source RPM: libx11-1.8.4-1.mga9.src.rpm => libx11-1.7.0-1.3.mga8.src.rpm
CC: (none) => nicolas.salguero

Comment 2 Len Lawrence 2023-06-19 16:37:28 CEST

mga8, x86_64
These updated cleanly.
libx11 applications are everywhere.   The list on this system runs to 975 items.
Started an empty session in ardour and logged out - graphics seemed OK.
Ran zenity against the built-in commands; calendar, question, entry, file-selection.  All work as expected. 
Tried xplayer on MP4 and MKV files - audio and video perfect.  Used xviewer to view an image folder.

No regressions noted.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 David Walser 2023-06-20 15:13:33 CEST

Ubuntu has issued an advisory for this on June 15:
https://ubuntu.com/security/notices/USN-6168-1

Comment 4 Thomas Andrews 2023-06-20 16:36:18 CEST

Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:48:18 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-06-28 07:23:05 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0206.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.