Gentoo has issued an advisory on July 9: http://www.gentoo.org/security/en/glsa/glsa-201207-04.xml Based on the version in the advisory, it appears Mageia 2 isn't affected (but we should double check just in case Gentoo patched it). RedHat has links to the upstream commits to fix this: https://bugzilla.redhat.com/show_bug.cgi?id=814126
CC: (none) => thierry.vignaud
CC: (none) => dmorganec
Looking closer at the RedHat bug, they classified this as not a bug, given that they compile with FORTIFY_SOURCE. I just checked, and we do as well. I also looked at the code in Mageia 2, and the changes haven't been made there, so to whatever degree this is a legitimate concern, it applies there as well.
Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO
Ubuntu has issued an advisory for this on July 11: http://www.ubuntu.com/usn/usn-1502-1/ They alluded to the same thing about the compiler options, but they issued the update anyway.
Looks like we possibly missed updates for CVE-2010-4818 and CVE-2010-4819:
https://rhn.redhat.com/errata/RHSA-2011-1359.html
http://security-tracker.debian.org/tracker/CVE-2010-4818
http://security-tracker.debian.org/tracker/CVE-2010-4819
http://lists.opensuse.org/opensuse-updates/2012-02/msg00062.html
http://www.ubuntu.com/usn/usn-1232-1/
http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4818.html
http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4819.html
LWN reference for CVE-2010-4818 and CVE-2010-4819: http://lwn.net/Vulnerabilities/462113/
CC: (none) => oe
I re-diffed Ubuntu's patch for CVE-2012-2118 and checked it into SVN for Mageia 1 and Mageia 2. The version of Cauldron has it fixed upstream. I still need to look into CVE-2010-4818 and CVE-2010-4819.
Our versions aren't vulnerable to CVE-2010-4818 and CVE-2010-4819.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

This fixes a format string vulnerability in the LogVHdrMessageVerb function in os/log.c when handling input device names in X.Org X11 server (CVE-2012-2118).

Mageia is not vulnerable to arbitrary code execution via this vulnerability because of the compiler options that were used to build it, but it can still cause a crash.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2118
http://www.ubuntu.com/usn/usn-1502-1/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.10.1-1.2.mga1
x11-server-devel-1.10.1-1.2.mga1
x11-server-common-1.10.1-1.2.mga1
x11-server-xorg-1.10.1-1.2.mga1
x11-server-xdmx-1.10.1-1.2.mga1
x11-server-xnest-1.10.1-1.2.mga1
x11-server-xvfb-1.10.1-1.2.mga1
x11-server-xephyr-1.10.1-1.2.mga1
x11-server-xfake-1.10.1-1.2.mga1
x11-server-xfbdev-1.10.1-1.2.mga1
x11-server-source-1.10.1-1.2.mga1
x11-server-1.11.4-2.1.mga2
x11-server-devel-1.11.4-2.1.mga2
x11-server-common-1.11.4-2.1.mga2
x11-server-xorg-1.11.4-2.1.mga2
x11-server-xdmx-1.11.4-2.1.mga2
x11-server-xnest-1.11.4-2.1.mga2
x11-server-xvfb-1.11.4-2.1.mga2
x11-server-xephyr-1.11.4-2.1.mga2
x11-server-xfake-1.11.4-2.1.mga2
x11-server-xfbdev-1.11.4-2.1.mga2
x11-server-source-1.11.4-2.1.mga2

from SRPMS:
x11-server-1.10.1-1.2.mga1.src.rpm
x11-server-1.11.4-2.1.mga2.src.rpm
Priority: Normal => Low
Assignee: bugsquad => qa-bugs
Severity: normal => minor
Using http://patchwork.freedesktop.org/patch/10001/ for testing: naming a mobile '%n%n%n' and pairing it via Bluetooth as an input device caused the X11 server to crash. After updating X11-server it does not crash when pairing with the mobile. Tested successfully on mga2 x86_64.
CC: (none) => marc.lattemann
Whiteboard: MGA1TOO => MGA1TOO, MGA2-OK-64
CC: marc.lattemann => (none)
Whiteboard: MGA1TOO, MGA2-OK-64 => MGA1TOO, MGA2-64-OK
Tested successfully with same procedure on mga2 i586
CC: (none) => marc.lattemann
Whiteboard: MGA1TOO, MGA2-64-OK => MGA1TOO, MGA2-64-OK, MGA2-32-OK
Whiteboard: MGA1TOO, MGA2-64-OK, MGA2-32-OK => MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK
Unfortunately, I don't have any input device that I can name to test the fix. At least I can say that my MGA 1 32 bits system still works well with the update.
Whiteboard: MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK => MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK
I can't reproduce the crash for mga1 (both x86_64, i586) with the package from either Core/Updates or Testing/Updates. However, as Samuel reported for i586, everything works well with the tested packages for both archs. Validating updates. Please use the advisory from Comment 7. Could sysadmin push the packages to Core/updates? Thanks.
Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK => MGA1TOO, has_procedure, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0299
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
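
The format string issue described in the advisory above, as an added example that is not part of the original thread and is not the X.Org code from os/log.c: a simplified model in which a device name ends up inside the string passed as the format, next to a variant that only ever passes the name as data. The function names log_hdr_unsafe and log_hdr_safe are hypothetical, and the constructed device name uses "%%" so that the difference is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe shape: the device name is pasted into the buffer that is then
 * handed to vsnprintf() as the format, so '%' in the name is parsed. */
static int log_hdr_unsafe(char *out, size_t n, const char *devname,
                          const char *msg_format, ...)
{
    char fmt[256];
    va_list ap;
    int len;

    snprintf(fmt, sizeof fmt, "%s: %s", devname, msg_format);
    va_start(ap, msg_format);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Hardened shape: the name is only ever an argument to a constant "%s";
 * the message format is expanded separately and appended. */
static int log_hdr_safe(char *out, size_t n, const char *devname,
                        const char *msg_format, ...)
{
    va_list ap;
    int hdr, msg;

    hdr = snprintf(out, n, "%s: ", devname);
    if (hdr < 0 || (size_t)hdr >= n)
        return hdr;                 /* error or truncated header */
    va_start(ap, msg_format);
    msg = vsnprintf(out + hdr, n - (size_t)hdr, msg_format, ap);
    va_end(ap);
    return msg < 0 ? msg : hdr + msg;
}

int main(void)
{
    /* Constructed device name; "%%" is parsed but consumes no argument. */
    const char *name = "pad 100%% ok";
    char a[64], b[64];

    log_hdr_unsafe(a, sizeof a, name, "id %d", 7);
    log_hdr_safe(b, sizeof b, name, "id %d", 7);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return strcmp(a, b) == 0;       /* 0: the two outputs differ */
}
```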