Bug 32747 - x11-server, x11-server-xwayland and tigervnc new security issues CVE-2023-6816, CVE-2024-0229, CVE-2024-2188[56] and CVE-2024-040[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-01-19 11:51 CET by Nicolas Salguero
Modified: 2024-02-04 03:51 CET

See Also:
Source RPM: x11-server, x11-server-xwayland, tigervnc
CVE: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, CVE-2024-0408, CVE-2024-0409
Status comment:



Description Nicolas Salguero 2024-01-19 11:51:43 CET
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/01/18/1

Mageia 9 is also affected.
Nicolas Salguero 2024-01-19 11:52:39 CET

Source RPM: (none) => x11-server, x11-server-xwayland, tigervnc
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, CVE-2024-0408, CVE-2024-0409

Comment 1 Lewis Smith 2024-01-22 11:39:39 CET
The announcement makes no mention of tigervnc nor tiger nor vnc, so eliminating that from the original bug title & SRPMs.

It starts
"Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4"
and
"Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.11 and xwayland-23.2.4."
and includes
"CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and
ProcXIQueryPointer
Introduced in: xorg-server-1.13.0 (2012)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4"
and
"CVE-2024-0409: SELinux context corruption
Introduced in: xorg-server-1.16.0 (2014)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4"

ns80 (who raised this bug, so should see this comment) is the most recent packager to deal with these SRPMs, so would normally assign to him; also tv, CC'ing him.
Assigning globally by default.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Source RPM: x11-server, x11-server-xwayland, tigervnc => x11-server, x11-server-xwayland
CC: (none) => thierry.vignaud
Summary: x11-server, x11-server-xwayland and tigervnc new security issues CVE-2023-6816, CVE-2024-0229, CVE-2024-2188[56] and CVE-2024-040[89] => x11-server, x11-server-xwayland new security issues CVE-2023-6816, CVE-2024-0229, CVE-2024-2188[56] and CVE-2024-040[89]

Comment 2 David Walser 2024-01-22 15:00:43 CET
Tigervnc needs to be rebuilt pretty much any time the x11-server source is changed.
Comment 3 Nicolas Salguero 2024-01-22 15:43:23 CET
Slackware has issued an advisory for those CVEs in tigervnc:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2024&m=slackware-security.374309

Summary: x11-server, x11-server-xwayland new security issues CVE-2023-6816, CVE-2024-0229, CVE-2024-2188[56] and CVE-2024-040[89] => x11-server, x11-server-xwayland and tigervnc new security issues CVE-2023-6816, CVE-2024-0229, CVE-2024-2188[56] and CVE-2024-040[89]
Source RPM: x11-server, x11-server-xwayland => x11-server, x11-server-xwayland, tigervnc

Comment 4 Nicolas Salguero 2024-01-26 16:55:40 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer. (CVE-2023-6816)

Reattaching to different master device may lead to out-of-bounds memory access. (CVE-2024-0229)

Heap buffer overflow in XISendDeviceHierarchyEvent. (CVE-2024-21885)

Heap buffer overflow in DisableDevice. (CVE-2024-21886)

SELinux unlabeled GLX PBuffer. (CVE-2024-0408)

SELinux context corruption. (CVE-2024-0409)

References:
https://www.openwall.com/lists/oss-security/2024/01/18/1
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2024&m=slackware-security.374309
========================

Updated packages in core/updates_testing:
========================
x11-server-21.1.8-7.3.mga9
x11-server-common-21.1.8-7.3.mga9
x11-server-devel-21.1.8-7.3.mga9
x11-server-source-21.1.8-7.3.mga9
x11-server-xephyr-21.1.8-7.3.mga9
x11-server-xnest-21.1.8-7.3.mga9
x11-server-xorg-21.1.8-7.3.mga9
x11-server-xvfb-21.1.8-7.3.mga9

x11-server-xwayland-22.1.9-1.3.mga9
x11-server-xwayland-devel-22.1.9-1.3.mga9

tigervnc-1.13.1-2.3.mga9
tigervnc-java-1.13.1-2.3.mga9
tigervnc-server-1.13.1-2.3.mga9
tigervnc-server-module-1.13.1-2.3.mga9

from SRPMS:
x11-server-21.1.8-7.3.mga9.src.rpm
x11-server-xwayland-22.1.9-1.3.mga9.src.rpm
tigervnc-1.13.1-2.3.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed in: xorg-server-21.1.11 and xwayland-23.2.4 => (none)
Assignee: pkg-bugs => qa-bugs

PC LX 2024-01-26 19:02:03 CET

CC: (none) => mageia

Comment 5 Morgan Leijström 2024-01-26 20:46:13 CET
mga9-64 OK here

Updated installed packages to
- x11-server-common-21.1.8-7.3.mga9.x86_64
- x11-server-xephyr-21.1.8-7.3.mga9.x86_64
- x11-server-xorg-21.1.8-7.3.mga9.x86_64
- x11-server-xwayland-22.1.9-1.3.mga9.x86_64

Using kernel-linus-6.5.13-2.mga9.x86_64, and mesa and nvidia-newfeature testing updates.

OK: Plasma X11, various desktop apps, video, MSW7 guest in VirtualBox 7.0.14.

Over the next few days I will test with other nvidia driver flavours and the upcoming kernel 6.6.x, and report back any problem I find that is related.


$ inxi -G
Graphics:
  Device-1: NVIDIA GM107 [GeForce GTX 750] driver: nvidia v: 545.29.06
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: modesetting,nvidia,v4l gpu: nvidia resolution: 3840x2160~60Hz
  API: OpenGL v: 4.6.0 NVIDIA 545.29.06 renderer: NVIDIA GeForce GTX
    750/PCIe/SSE2

CC: (none) => fri

Comment 6 katnatek 2024-01-26 21:52:52 CET
Real hardware, Mageia 9 x86_64
Packages installed: x11-server-common-21.1.8-7.3.mga9.x86_64.rpm x11-server-xwayland-22.1.9-1.3.mga9.x86_64.rpm x11-server-xorg-21.1.8-7.3.mga9.x86_64.rpm

Tested lxqt session OK
Tested Plasma wayland OK
Comment 7 Morgan Leijström 2024-01-28 11:20:14 CET
mga9-64 OK on Dell precision M6300

also in use: new mesa Bug 32759, and kernels desktop-6.6.14-1 and linus-6.6.14-1 Bug 32786 

Plasma X11, Firefox video, suspend-resume

$ inxi -G
Graphics:
  Device-1: NVIDIA G84GLM [Quadro FX 1600M] driver: nouveau v: kernel
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: modesetting,v4l dri: nouveau gpu: nouveau resolution: 1920x1200~60Hz
  API: OpenGL v: 3.3 Mesa 23.3.3 renderer: NV84
Comment 8 Morgan Leijström 2024-01-28 13:01:31 CET
mga9-64 OK on Acer Aspire7 
Also in use: new mesa, Bug 32759, and kernel desktop-6.6.14-1 Bug 32786 

Plasma X11, Firefox video, suspend-resume, hibernate-resume

$ inxi -G
Graphics:
  Device-1: Intel HD Graphics 630 driver: i915 v: kernel
  Device-2: NVIDIA GP107M [GeForce GTX 1050 Mobile] driver: nouveau
    v: kernel
  Device-3: Chicony Integrated HD WebCam type: USB driver: uvcvideo
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: intel,v4l dri: i965 gpu: i915 resolution: 1920x1080~60Hz
  API: OpenGL v: 4.6 Mesa 23.3.3 renderer: Mesa Intel HD Graphics 630 (KBL
    GT2)
Comment 9 Morgan Leijström 2024-01-29 00:15:29 CET
mga9-64 OK Lenovo Thinkpad T510

Also in use: new mesa Bug 32759

Tested before and after update to kernel desktop-6.6.14-1 Bug 32786 

Plasma X11, Desktop apps, Firefox internet video, suspend-resume
Comment 10 Marja Van Waes 2024-01-29 10:40:25 CET
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 11 PC LX 2024-01-31 12:58:48 CET
Installed and tested without issues.

Tested using Plasma DE desktop and a bunch of applications.


System: Mageia 9, x86_64, Plasma DE, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz, Intel iGPU Xeon E3-1200 using i915 driver.


$ uname -a
Linux marte 6.6.14-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jan 27 01:13:53 UTC 2024 x86_64 GNU/Linux
$ lspcidrake | grep VGA
Card:Intel 810 and later: Intel Corporation|Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller [DISPLAY_VGA] (rev: 06)
$ rpm -qa | grep x11-server | sort
x11-server-common-21.1.8-7.3.mga9
x11-server-xorg-21.1.8-7.3.mga9
x11-server-xwayland-22.1.9-1.3.mga9
Comment 12 PC LX 2024-01-31 13:00:57 CET
Installed and tested without issues.

Tested using Plasma DE desktop and a bunch of applications.


System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using the amdgpu driver.


$ uname -a
Linux jupiter 6.6.14-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jan 27 01:13:53 UTC 2024 x86_64 GNU/Linux
$ lspcidrake | grep VGA
Card:ATI Volcanic Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Cezanne [Radeon Vega Series / Radeon Vega Mobile Series] [DISPLAY_VGA] (rev: c9)
Card:AMD Southern Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Navi 24 [Radeon RX 6400/6500 XT/6500M] [DISPLAY_VGA] (rev: c1)
$ rpm -qa | grep x11-server
x11-server-common-21.1.8-7.3.mga9
x11-server-xorg-21.1.8-7.3.mga9
x11-server-xwayland-22.1.9-1.3.mga9
Comment 13 PC LX 2024-01-31 13:08:43 CET
Installed tigervnc and tested without issues.

Tested using Plasma DE desktop and a bunch of applications.
Tested the vncserver with multiple clients: vncviewer, VncViewer.jar and KRDC.

The VNC server was run on the system described in comment 11.
The VNC clients were run on the system described in comment 12.

# System VNC server
$ rpm -qa | grep tigervnc
tigervnc-server-1.13.1-2.3.mga9

# System VNC client
$ rpm -qa | grep tigervnc
tigervnc-1.13.1-2.3.mga9
tigervnc-java-1.13.1-2.3.mga9
$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.13.1 (20240126)
Built on 2024-01-26 at 15:14:13
Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: connected to host localhost port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updates
$ vncviewer 

TigerVNC Viewer v1.13.1
Built on: 2024-01-26 15:10
Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Wed Jan 31 11:52:36 2024
 DecodeManager: Detected 12 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn:       Conectado ao host localhost porta 5901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)
 CVeNCrypt:   Choosing security type TLSVnc (258)

Wed Jan 31 11:52:40 2024
 CConn:       Usando formato de pixel depth 24 (32bpp) little-endian rgb888
 CConnection: Enabling continuous updates

Wed Jan 31 11:52:42 2024
 DecodeManager:     raw: 2 rects, 322 pixels
 DecodeManager:          1,28125 KiB (1:1 ratio)
 DecodeManager:     Tight: 143 rects, 3,82535 Mpixels
 DecodeManager:            1,40837 MiB (1:10,3625 ratio)
 DecodeManager:   Total: 145 rects, 3,82568 Mpixels
 DecodeManager:          1,40962 MiB (1:10,3542 ratio)
Comment 14 PC LX 2024-01-31 13:09:48 CET
Forgot to say that the tests in comment 13 were using an SSH tunnel.
Comment 15 katnatek 2024-01-31 15:29:00 CET
Tested on real hardware, Mageia 9 i586, LXQt.
Updated without issue.
Rebooted and started session without issue.

rpm -qa | grep x11-server
x11-server-common-21.1.8-7.3.mga9
x11-server-xwayland-22.1.9-1.3.mga9
x11-server-xorg-21.1.8-7.3.mga9
katnatek 2024-01-31 15:31:36 CET

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK MGA9-32-OK

Comment 16 katnatek 2024-01-31 15:35:00 CET
I will let Thomas validate this.
Comment 17 Thomas Andrews 2024-01-31 16:10:26 CET
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, using the 32-bit desktop kernel. No issues here, either, confirming the 32-bit OK.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2024-02-04 03:51:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0022.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

