Bug 9790 - x11-server new security issue CVE-2013-1940
Summary: x11-server new security issue CVE-2013-1940
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/547768/
Whiteboard: MGA2-32-OK mga2-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-04-18 21:29 CEST by David Walser
Modified: 2013-05-09 12:37 CEST (History)
CC List: 4 users

See Also:
Source RPM: x11-server-1.11.4-2.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-04-18 21:29:02 CEST
Debian and Ubuntu have issued advisories on April 17:
http://www.debian.org/security/2013/dsa-2661
http://www.ubuntu.com/usn/usn-1803-1/

Thomas Backlund fixed it in Cauldron yesterday with x11-server-1.13.4-1.mga3.

Patched package uploaded for Mageia 2.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

It was discovered that the X.Org X server did not properly clear input
events in certain circumstances. A local attacker with physical access
could use this flaw to capture keystrokes (CVE-2013-1940).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940
http://www.ubuntu.com/usn/usn-1803-1/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.2.mga2
x11-server-devel-1.11.4-2.2.mga2
x11-server-common-1.11.4-2.2.mga2
x11-server-xorg-1.11.4-2.2.mga2
x11-server-xdmx-1.11.4-2.2.mga2
x11-server-xnest-1.11.4-2.2.mga2
x11-server-xvfb-1.11.4-2.2.mga2
x11-server-xephyr-1.11.4-2.2.mga2
x11-server-xfake-1.11.4-2.2.mga2
x11-server-xfbdev-1.11.4-2.2.mga2
x11-server-source-1.11.4-2.2.mga2

from x11-server-1.11.4-2.2.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
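Added illustration (editor's example, not code from this bug, from X.Org or from Mageia): the advisory above only says that the server "did not properly clear input events", and the bug gives no further detail of the flaw or the fix. The routine below shows what a correct, non-blocking drain of an input device file descriptor looks like: read everything already queued, in whole multiples of the event record size, until nothing is left. The event struct is a constructed stand-in shaped like the Linux struct input_event, and the events pushed through the pipe are constructed test data. The reason the read size matters is a property of the real evdev interface: a read(2) with a buffer shorter than one struct input_event fails with EINVAL, so a "flush" that reads a few bytes at a time discards nothing and the queued keystrokes are delivered to whoever reads the device next.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed stand-in for an evdev event record, shaped like the Linux
 * struct input_event (timestamp, type, code, value). Not the kernel's type. */
struct sample_event {
    struct timeval time;
    uint16_t type;
    uint16_t code;
    int32_t value;
};

/* Drain every event that is already readable on fd, without blocking.
 * Each read asks for a whole multiple of event_size, never less, because an
 * evdev node rejects reads shorter than one event with EINVAL.
 * Returns the number of whole events discarded, or -1 on error. */
long drain_pending_events(int fd, size_t event_size)
{
    unsigned char buf[64 * sizeof(struct sample_event)];   /* one batch per read */
    size_t want;
    long drained = 0;

    if (fd < 0 || event_size == 0 || event_size > sizeof(buf))
        return -1;
    want = (sizeof(buf) / event_size) * event_size;         /* whole events only */

    for (;;) {
        fd_set fds;
        struct timeval zero = { 0, 0 };                      /* poll, do not wait */
        int ready;
        ssize_t n;

        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        ready = select(fd + 1, &fds, NULL, NULL, &zero);
        if (ready <= 0)
            return ready < 0 ? -1 : drained;                 /* 0: queue is empty */

        n = read(fd, buf, want);
        if (n <= 0)
            return n < 0 ? -1 : drained;                     /* 0: end of file */
        drained += (long)(n / event_size);
    }
}

/* Demo: queue three constructed key-press events in a pipe (standing in for
 * keystrokes that arrived while another session owned the device), drain
 * them, then confirm a second drain finds nothing. Returns 0 on success. */
int demo_drain(void)
{
    int p[2];
    struct sample_event ev = { { 0, 0 }, 1 /* EV_KEY */, 30 /* KEY_A */, 1 /* press */ };
    long first, second;
    int i;

    if (pipe(p) != 0)
        return -1;
    for (i = 0; i < 3; i++) {
        if (write(p[1], &ev, sizeof ev) != (ssize_t) sizeof ev)
            return -1;
    }
    first = drain_pending_events(p[0], sizeof ev);
    second = drain_pending_events(p[0], sizeof ev);
    close(p[0]);
    close(p[1]);
    return (first == 3 && second == 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo_drain();
    printf("drain demo: %s\n", rc == 0 ? "queued events discarded" : "FAILED");
    return rc;
}
```

The pipe only models the "events already queued" part of the problem; on a real device node the same loop would be run with sizeof(struct input_event) from <linux/input.h>, and the select() with a zero timeout is what keeps the drain from blocking once the queue is empty.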
Comment 1 Dave Hodgins 2013-04-25 21:38:13 CEST
POC https://bugs.freedesktop.org/show_bug.cgi?id=63353

CC: (none) => davidwhodgins

Comment 2 Bill Wilkinson 2013-04-30 17:33:06 CEST
Testing MGA2-32. Unable to reproduce bug under switch conditions with KDE. The PoC used GNOME, which won't allow user switching without GDM as display manager.

Tested general use, all OK.  Tried switching again, still no pw in the text editor of first account.

CC: (none) => wrw105
Whiteboard: (none) => MGA2-32-OK

Comment 3 claire robinson 2013-05-07 12:57:57 CEST
Testing complete mga2 64

All tty's still ok, syslog still on tty12, KDM/KDE ok. Rebooted ok.


Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2-32-OK => MGA2-32-OK mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-05-09 12:37:54 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0140

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

