Bug 6744 - x11-server new security issue CVE-2012-2118
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Low Severity: minor
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/506204/
Whiteboard: MGA1TOO, has_procedure, MGA2-64-OK, M...
Keywords: validated_update
 
Reported: 2012-07-11 00:58 CEST by David Walser
Modified: 2012-10-20 17:24 CEST

Source RPM: x11-server-1.10.1-1.1.mga1.src.rpm

Description David Walser 2012-07-11 00:58:52 CEST
Gentoo has issued an advisory on July 9:
http://www.gentoo.org/security/en/glsa/glsa-201207-04.xml

Based on the version in the advisory, it appears Mageia 2 isn't affected (but we should double check just in case Gentoo patched it).

RedHat has links to the upstream commits to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=814126
Comment 1 David Walser 2012-07-11 23:57:00 CEST
Looking closer at the RedHat bug, they classified this as not a bug, given that they compile with FORTIFY_SOURCE.  I just checked, and we do as well.

I also looked at the code in Mageia 2, and the changes haven't been made there, so to whatever degree this is a legitimate concern, it applies there as well.
Comment 2 David Walser 2012-07-12 20:29:22 CEST
Ubuntu has issued an advisory for this on July 11:
http://www.ubuntu.com/usn/usn-1502-1/

They alluded to the same thing about the compiler options, but they issued the update anyway.
Comment 4 David Walser 2012-08-08 21:57:00 CEST
LWN reference for CVE-2010-4818 and CVE-2010-4819:
http://lwn.net/Vulnerabilities/462113/
Comment 5 David Walser 2012-10-16 21:49:26 CEST
I re-diffed Ubuntu's patch for CVE-2012-2118 and checked it into SVN for Mageia 1 and Mageia 2.  The version of Cauldron has it fixed upstream.

I still need to look into CVE-2010-4818 and CVE-2010-4819.
Comment 6 David Walser 2012-10-17 13:57:03 CEST
Our versions aren't vulnerable to CVE-2010-4818 and CVE-2010-4819.
Comment 7 David Walser 2012-10-17 14:22:09 CEST
Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

This fixes a format string vulnerability in the LogVHdrMessageVerb function
in os/log.c when handling input device names in X.Org X11 server
(CVE-2012-2118).  Mageia is not vulnerable to arbitrary code execution via
this vulnerability because of the compiler options that were used to build
it, but it can still cause a crash.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2118
http://www.ubuntu.com/usn/usn-1502-1/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.10.1-1.2.mga1
x11-server-devel-1.10.1-1.2.mga1
x11-server-common-1.10.1-1.2.mga1
x11-server-xorg-1.10.1-1.2.mga1
x11-server-xdmx-1.10.1-1.2.mga1
x11-server-xnest-1.10.1-1.2.mga1
x11-server-xvfb-1.10.1-1.2.mga1
x11-server-xephyr-1.10.1-1.2.mga1
x11-server-xfake-1.10.1-1.2.mga1
x11-server-xfbdev-1.10.1-1.2.mga1
x11-server-source-1.10.1-1.2.mga1
x11-server-1.11.4-2.1.mga2
x11-server-devel-1.11.4-2.1.mga2
x11-server-common-1.11.4-2.1.mga2
x11-server-xorg-1.11.4-2.1.mga2
x11-server-xdmx-1.11.4-2.1.mga2
x11-server-xnest-1.11.4-2.1.mga2
x11-server-xvfb-1.11.4-2.1.mga2
x11-server-xephyr-1.11.4-2.1.mga2
x11-server-xfake-1.11.4-2.1.mga2
x11-server-xfbdev-1.11.4-2.1.mga2
x11-server-source-1.11.4-2.1.mga2

from SRPMS:
x11-server-1.10.1-1.2.mga1.src.rpm
x11-server-1.11.4-2.1.mga2.src.rpm
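
The bug class named in the advisory in Comment 7, as an added example that is not part of the original thread and not the code in os/log.c: a log header carrying a device name is either spliced into the format string or written as data through "%s". The function names and the way the header is built are assumptions for illustration, and the sample name uses the harmless "%%" directive only to show that the header gets parsed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; a simplified model, not the code in os/log.c. */

/* Unsafe: the header, which embeds a device name chosen outside the server,
 * is spliced into the format string, so any '%' in it becomes a directive. */
static int log_hdr_unsafe(char *out, size_t n, const char *hdr,
                          const char *fmt, ...)
{
    char combined[256];
    va_list ap;
    int r;

    snprintf(combined, sizeof combined, "%s: %s", hdr, fmt);
    va_start(ap, fmt);
    r = vsnprintf(out, n, combined, ap);
    va_end(ap);
    return r;
}

/* Safe: the header is written as data through "%s"; only the caller's
 * own format string is ever interpreted. */
static int log_hdr_safe(char *out, size_t n, const char *hdr,
                        const char *fmt, ...)
{
    va_list ap;
    int used, r;

    used = snprintf(out, n, "%s: ", hdr);
    if (used < 0 || (size_t)used >= n)
        return -1;                      /* header alone did not fit */
    va_start(ap, fmt);
    r = vsnprintf(out + used, n - (size_t)used, fmt, ap);
    va_end(ap);
    return r < 0 ? -1 : used + r;
}

int main(void)
{
    char a[128], b[128];
    /* Constructed, harmless name: "%%" only shows that parsing happens. */
    log_hdr_unsafe(a, sizeof a, "kbd%%", "added as %s", "input0");
    log_hdr_safe(b, sizeof b, "kbd%%", "added as %s", "input0");
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return 0;
}
```

In the safe variant a name such as the '%n%n%n' used for testing in this bug is logged verbatim, because it only ever reaches the formatter as a "%s" argument.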
Comment 8 Marc Lattemann 2012-10-18 00:50:29 CEST
using http://patchwork.freedesktop.org/patch/10001/ for testing:
naming a mobile '%n%n%n' and pairing it via Bluetooth as an input device caused X11-server to crash. After updating X11-server, it does not crash when pairing with the mobile.
Tested successfully on mga2 x86_64
Comment 9 Marc Lattemann 2012-10-18 01:06:12 CEST
Tested successfully with same procedure on mga2 i586
Comment 10 Samuel Verschelde 2012-10-18 21:21:41 CEST
Unfortunately, I don't have any input device that I can name to test the fix. At least I can say that my MGA 1 32 bits system still works well with the update.
Comment 11 Marc Lattemann 2012-10-19 00:36:21 CEST
I can't reproduce the crash for mga1 (both x86_64 and i586), with the package from either Core/Updates or Testing/Updates. However, as Samuel reported for i586, everything works well with the tested packages for both archs.

validate updates.

Please use advisory from Comment 7.

Could sysadmin push the packages to Core/updates? Thanks.
Comment 12 Thomas Backlund 2012-10-20 17:24:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0299