Mageia Bugzilla – Bug 6744
x11-server new security issue CVE-2012-2118
Last modified: 2012-10-20 17:24:38 CEST
Gentoo has issued an advisory on July 9:
Based on the version in the advisory, it appears Mageia 2 isn't affected (but we should double check just in case Gentoo patched it).
RedHat has links to the upstream commits to fix this:
Looking closer at the RedHat bug, they classified this as not a bug, given that they compile with FORTIFY_SOURCE. I just checked, and we do as well.
I also looked at the code in Mageia 2, and the changes haven't been made there, so to whatever degree this is a legitimate concern, it applies there as well.
Ubuntu has issued an advisory for this on July 11:
They alluded to the same thing about the compiler options, but they issued the update anyway.
Looks like we possibly missed updates for CVE-2010-4818 and CVE-2010-4819:
LWN reference for CVE-2010-4818 and CVE-2010-4819:
I re-diffed Ubuntu's patch for CVE-2012-2118 and checked it into SVN for Mageia 1 and Mageia 2. The version of Cauldron has it fixed upstream.
I still need to look into CVE-2010-4818 and CVE-2010-4819.
Our versions aren't vulnerable to CVE-2010-4818 and CVE-2010-4819.
Patched packages uploaded for Mageia 1 and Mageia 2.
This fixes a format string vulnerability in the LogVHdrMessageVerb function
in os/log.c when handling input device names in X.Org X11 server
(CVE-2012-2118). Mageia is not vulnerable to arbitrary code execution via
this vulnerability because of the compiler options that were used to build
it, but it can still cause a crash.
Updated packages in core/updates_testing:
using http://patchwork.freedesktop.org/patch/10001/ for testing:
naming mobile '%n%n%n' and paired it via bluetooth as input device causing X11-server to crash. After updating X11-server it does not crash when paring with mobile.
Tested successfully on mga2 x86_64
Tested successfully with same procedure on mga2 i586
Unfortunately, I don't have any input device that I can name to test the fix. At least I can say that my MGA 1 32 bits system still works well with the update.
I can't reproduce the crash for mga1 (both x86_64, i586) neither with package from Core/Updates nor from Testing/Updates. However as Samuel reported for i586 everything works well with tested packages for both archs.
Please use advisory from Comment 7.
Could sysadmin push the packages to Core/updates? Thanks.