Those CVEs were announced here: https://www.openwall.com/lists/oss-security/2023/12/13/1 Mageia 9 is also affected.
Source RPM: (none) => x11-server, x11-server-xwayland
Status comment: (none) => Fixed upstream in xorg-server-21.1.10 and xwayland-23.2.3
Whiteboard: (none) => MGA9TOO
Ubuntu issued an advisory yesterday (December 13): https://ubuntu.com/security/notices/USN-6555-1
Different packagers update these SRPMs, so assigning globally. CC'ing a few (ns80 already included) who have touched them recently.
CC: (none) => ghibomgx, thierry.vignaud
Assignee: bugsquad => pkg-bugs
Once x11-server is completely built and uploaded, tigervnc will need to be rebuilt because it includes, at build time, the code from the package x11-server-source.
Summary: x11-server, x11-server-xwayland new security issues CVE-2023-6377 and CVE-2023-6478 => x11-server, x11-server-xwayland and tigervnc new security issues CVE-2023-6377 and CVE-2023-6478
Source RPM: x11-server, x11-server-xwayland => x11-server, x11-server-xwayland, tigervnc
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved. (CVE-2023-6377)

A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information. (CVE-2023-6478)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6478
https://www.openwall.com/lists/oss-security/2023/12/13/1
https://ubuntu.com/security/notices/USN-6555-1
========================

Updated packages in core/updates_testing:
========================
x11-server-21.1.8-7.2.mga9
x11-server-common-21.1.8-7.2.mga9
x11-server-devel-21.1.8-7.2.mga9
x11-server-source-21.1.8-7.2.mga9
x11-server-xephyr-21.1.8-7.2.mga9
x11-server-xnest-21.1.8-7.2.mga9
x11-server-xorg-21.1.8-7.2.mga9
x11-server-xvfb-21.1.8-7.2.mga9
x11-server-xwayland-22.1.9-1.2.mga9
x11-server-xwayland-devel-22.1.9-1.2.mga9
tigervnc-1.13.1-2.2.mga9
tigervnc-java-1.13.1-2.2.mga9
tigervnc-server-1.13.1-2.2.mga9
tigervnc-server-module-1.13.1-2.2.mga9

from SRPMS:
x11-server-21.1.8-7.2.mga9.src.rpm
x11-server-xwayland-22.1.9-1.2.mga9.src.rpm
tigervnc-1.13.1-2.2.mga9.src.rpm
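A quick way for a tester or admin to confirm that every package from the advisory list above actually landed on a box is to compare `rpm -qa` output against the fixed name-version-release strings. The script below is an added example, not Mageia QA tooling or anything from the Bugzilla thread: it carries a small Python port of rpm's rpmvercmp() (the `~` pre-release rule is implemented, the `^` rule is not) and checks a constructed `rpm -qa` sample, in which the "7.1.mga9" and "2.1.mga9" releases are hypothetical earlier builds invented for the demonstration, not versions from the page.

```python
"""Check `rpm -qa` output against the fixed NVRs from the x11-server /
x11-server-xwayland / tigervnc advisory (added example, not Mageia tooling)."""
import re

# Binary package name -> (version, release), from the advisory's
# "Updated packages in core/updates_testing" list.
FIXED = {}
for _vr, _names in (
    (("21.1.8", "7.2.mga9"), ("x11-server", "x11-server-common", "x11-server-devel",
                             "x11-server-source", "x11-server-xephyr",
                             "x11-server-xnest", "x11-server-xorg", "x11-server-xvfb")),
    (("22.1.9", "1.2.mga9"), ("x11-server-xwayland", "x11-server-xwayland-devel")),
    (("1.13.1", "2.2.mga9"), ("tigervnc", "tigervnc-java", "tigervnc-server",
                             "tigervnc-server-module")),
):
    for _n in _names:
        FIXED[_n] = _vr

ARCHES = {"x86_64", "i586", "noarch", "aarch64", "armv7hl"}
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a, b):
    """-1, 0 or 1 like rpm's rpmvercmp: compare alnum segments left to right,
    numeric segments beat alphabetic ones, '~' sorts before everything."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1                       # separators such as '.' and '-'
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                     # tilde: "1.0~rc1" < "1.0"
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        rx = _DIGITS if numeric else _ALPHA
        ma, mb = rx.match(a, i), rx.match(b, j)
        sa = ma.group(0)
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:                       # segment types differ: numeric wins
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # whichever has segments left is newer


def compare_vr(vr1, vr2):
    """Compare (version, release) pairs; version decides, release breaks ties."""
    return rpmvercmp(vr1[0], vr2[0]) or rpmvercmp(vr1[1], vr2[1])


def parse_nvra(line):
    """'name-ver-rel.arch' -> (name, (ver, rel)); a known arch suffix is dropped."""
    name, ver, rel_arch = line.strip().rsplit("-", 2)
    rel, _, arch = rel_arch.rpartition(".")
    return name, (ver, rel if arch in ARCHES else rel_arch)


def check_installed(rpm_qa_lines, fixed=FIXED):
    """For each advisory package: (installed (ver, rel) or None, status)."""
    installed = dict(parse_nvra(l) for l in rpm_qa_lines if l.strip())
    result = {}
    for name, fixed_vr in fixed.items():
        vr = installed.get(name)
        if vr is None:
            result[name] = (None, "not installed")
        else:
            ok = compare_vr(vr, fixed_vr) >= 0
            result[name] = (vr, "fixed" if ok else "vulnerable")
    return result


# Constructed sample, not real rpm -qa output: the 7.1.mga9 / 2.1.mga9
# releases are hypothetical pre-update builds used only to exercise the check.
SAMPLE_RPM_QA = """\
x11-server-common-21.1.8-7.2.mga9.x86_64
x11-server-xorg-21.1.8-7.1.mga9.x86_64
x11-server-xwayland-22.1.9-1.2.mga9.x86_64
tigervnc-server-1.13.1-2.1.mga9.x86_64
some-unrelated-pkg-1.0-1.mga9.noarch
""".splitlines()

if __name__ == "__main__":
    # On a real host: check_installed(subprocess.check_output(["rpm", "-qa"],
    #                                 text=True).splitlines())
    for name, (vr, status) in sorted(check_installed(SAMPLE_RPM_QA).items()):
        print(f"{status:14s} {name} {'-'.join(vr) if vr else ''}")
```

Packages that are "not installed" need no action; anything reported "vulnerable" is still on a release older than the advisory's build and has not picked up the fix.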
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in xorg-server-21.1.10 and xwayland-23.2.3 => (none)
CC: (none) => mageia
mga9-64 x11-server OK here: Plasma X11, nvidia470, backport kernel 6.5.13-2.
Tested various desktop apps, suspend/resume, VT switching, VirtualBox client with MSW7 running Firefox with internet video.
---
CC Marja for advisory
CC: (none) => fri, marja11
CVE: (none) => CVE-2023-6377, CVE-2023-6478
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
I've spent hours using this on Plasma (X11) and Xfce systems. Both are AMD APUs. No issues with this service update. This works as expected.
CC: (none) => brtians1
(In reply to Brian Rockwell from comment #7)
> I've spent hours using this on Plasma (x11) and Xfce systems. Both are AMD
> APU's. No issues with this service update.
>
> This works as expected.

Note this is for x11-server. I have not worked on tigervnc yet.
TigerVNC server and client test. Running from client to server, testing this:
- Configured server and user account password using vncpasswd
- Ran the x server from a command prompt:
  $ x0vncserver -passwordfile ~/.vnc/passwd
On running vncclient, passing in the IP, it does work, but it's not my favorite tool.
Whiteboard: (none) => MGA9-64-OK
Thank you, Brian. Before OKing, I think we want more test reports on X11, it being so fundamental for systems. And X11 tests on 32-bit.
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, radeon RV200 graphics, using kernel-desktop. No installation issues, and no obvious issues to report after a reboot.
CC: (none) => andrewsfarm
MGA9-64, Plasma, Nvidia 535 (1050)
The following 3 packages are going to be installed:
- x11-server-common-21.1.8-7.2.mga9.x86_64
- x11-server-xorg-21.1.8-7.2.mga9.x86_64
- x11-server-xwayland-22.1.9-1.2.mga9.x86_64
--
Rebooted, display working as expected.
MGA9-64 Plasma, i5-7500, nvidia-current (Quadro K620) No obvious issues to report.
Same hardware as comment 11, different install, using the desktop586 kernel. Again, no obvious issues to report.
MGA9-64 Plasma, AMD Phenom II X4 910, AMD HD 8490 graphics. Once again, no issues to report. Giving this a 32-bit OK, and validating.
CC: (none) => sysadmin-bugs
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0009.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED