Bug 1156015 (CVE-2019-5068)

Summary: VUL-1: CVE-2019-5068: Mesa: An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library. An attacker can access the shared memory without any specific permissions.
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz, sndirsch, thomas.leroy, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/246486/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-5068:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: 0001-drisw-use-shared-memory-when-possible.patch

Description Wolfgang Frisch 2019-11-06 09:29:43 UTC
CVE-2019-5068

An exploitable shared memory permissions vulnerability exists in the
functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the
shared memory without any specific permissions to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5068
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857
Comment 1 Stefan Dirsch 2019-11-06 11:19:51 UTC
(In reply to Wolfgang Frisch from comment #0)
> CVE-2019-5068
> https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857
[...]
2019-10-09 - Vendor confirmed fix in progress
2019-10-21 - Vendor patched
[...]

Hmm. Although it is claimed that this would have been fixed by vendor, I couldn't find a fix for this in Mesa git master ...

--> git://anongit.freedesktop.org/git/mesa/mesa

Please let me know, once a patch is available. Thanks!
Comment 3 Wolfgang Frisch 2019-11-13 15:02:05 UTC
There's a patch on the mesa-dev mailing list:
https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html
Comment 4 Stefan Dirsch 2019-11-13 16:11:38 UTC
(In reply to Wolfgang Frisch from comment #3)
> There's a patch on the mesa-dev mailing list:
> https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html

Thanks! Seems only one person has seen it (but didn't/couldn't review it), since for many it went to spam folder due to DMARC failures. :-(
At least Brian Paul is the original Mesa author, so there's hope that it isn't fully ignored in the end ...
Comment 9 Swamp Workflow Management 2019-11-16 22:20:05 UTC
This is an autogenerated message for OBS integration:
This bug (1156015) was mentioned in
https://build.opensuse.org/request/show/749087 Factory / Mesa
Comment 10 Stefan Dirsch 2019-11-21 11:57:31 UTC
Patch has been integrated in latest stable release of Mesa 19.2.5 and also to master git branch of course.

commit 023ddb01b59467180357f7e4f104219e4b533e23
Author: Brian Paul <brianp@vmware.com>
Date:   Wed Oct 9 12:05:16 2019 -0600

    Call shmget() with permission 0600 instead of 0777
    
    A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
    creating shared memory regions with permission mode 0777 could allow
    any user to access that memory.  Several Mesa drivers use shared-
    memory XImages to implement back buffers for improved performance.
    
    This path changes the shmget() calls to use 0600 (user r/w).
    
    Tested with legacy Xlib driver and llvmpipe.
    
    Cc: mesa-stable@lists.freedesktop.org
    Reviewed-by: Kristian H. Kristensen <hoegsberg@google.com>
    (cherry picked from commit 02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc)
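
The 0777 to 0600 change described in the commit message above can be verified from the defender's side. This is an added example, not part of the bug thread or of Mesa: it parses the `/proc/sysvipc/shm` column layout and flags System V segments whose mode grants group or other access. The sample rows and the names `check_line` and `audit_shm` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/sysvipc/shm column order (not from a real host).
 * perms is octal; bits above 0777 are kernel flags such as SHM_DEST (01000). */
static const char SAMPLE[] =
    "       key      shmid perms       size  cpid  lpid nattch   uid   gid\n"
    "         0     131072  1777    8294400  2101  1450      2  1000  1000\n"
    "         0     131073  1600    8294400  2230  1450      2  1000  1000\n"
    "         0     131074   640       4096  2301  2301      1  1001   100\n";

struct shm_finding { int shmid; unsigned mode; unsigned uid; };

/* Returns 1 and fills *f when group/other bits are set, 0 when the segment
 * is owner-only (the post-fix 0600 case), -1 when the line is not a data row. */
int check_line(const char *line, struct shm_finding *f)
{
    int shmid; unsigned perms, uid;
    if (sscanf(line, "%*d %d %o %*u %*d %*d %*u %u", &shmid, &perms, &uid) != 3)
        return -1;
    f->shmid = shmid; f->mode = perms & 0777; f->uid = uid;
    return (f->mode & 0077) ? 1 : 0;
}

/* Walk a whole table, storing up to max findings; returns how many were stored. */
int audit_shm(const char *text, struct shm_finding *out, int max)
{
    int n = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        char line[512];
        struct shm_finding f;
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (check_line(line, &f) == 1 && n < max)
                out[n++] = f;
        }
        text += len + (text[len] == '\n');
    }
    return n;
}

int main(void)
{
    struct shm_finding hits[16];
    int n = audit_shm(SAMPLE, hits, 16);
    for (int i = 0; i < n; i++)
        printf("shmid %d uid %u mode %04o: accessible beyond owner\n",
               hits[i].shmid, hits[i].uid, hits[i].mode);
    return 0;
}
```

On a live system the same functions can be fed the contents of `/proc/sysvipc/shm`; a segment created by a patched Mesa shows up with mode 0600 and is not reported.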
Comment 11 Stefan Dirsch 2019-11-21 11:57:55 UTC
So I'm going to apply this also to our released products.
Comment 12 Stefan Dirsch 2019-11-27 17:28:04 UTC
Just submitted updated Mesa packages for sle10, sle11, sle12 and sle15.
Comment 15 Stefan Dirsch 2020-01-07 13:00:20 UTC
Considered fixed. Reassigning to security team.
Comment 16 Swamp Workflow Management 2020-01-16 14:22:30 UTC
SUSE-SU-2020:0111-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    Mesa-drivers-18.3.2-34.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    Mesa-18.3.2-34.9.1, Mesa-drivers-18.3.2-34.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    Mesa-18.3.2-34.9.1, Mesa-drivers-18.3.2-34.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-01-20 17:22:52 UTC
SUSE-SU-2020:0132-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    Mesa-drivers-18.0.2-27.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    Mesa-18.0.2-27.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    Mesa-drivers-18.0.2-27.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    Mesa-18.0.2-27.6.1, Mesa-drivers-18.0.2-27.6.1

Comment 18 Swamp Workflow Management 2020-01-21 14:11:32 UTC
SUSE-SU-2020:0145-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    Mesa-18.0.2-8.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    Mesa-18.0.2-8.3.2, Mesa-drivers-18.0.2-8.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    Mesa-18.0.2-8.3.2, Mesa-drivers-18.0.2-8.3.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    Mesa-18.0.2-8.3.2, Mesa-drivers-18.0.2-8.3.2

Comment 19 Swamp Workflow Management 2020-01-21 14:13:40 UTC
openSUSE-SU-2020:0084-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
openSUSE Leap 15.1 (src):    Mesa-18.3.2-lp151.23.9.1, Mesa-drivers-18.3.2-lp151.23.9.1
Comment 20 Swamp Workflow Management 2020-01-21 14:16:26 UTC
SUSE-SU-2020:0146-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    Mesa-18.3.2-14.3.2, Mesa-drivers-18.3.2-14.3.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    Mesa-18.3.2-14.3.2, Mesa-drivers-18.3.2-14.3.2
SUSE Linux Enterprise Server 12-SP5 (src):    Mesa-18.3.2-14.3.2, Mesa-drivers-18.3.2-14.3.2

Comment 21 Swamp Workflow Management 2020-07-07 16:27:18 UTC
SUSE-SU-2020:0111-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    Mesa-18.3.2-34.9.1

Comment 22 Stefan Dirsch 2021-02-16 22:09:44 UTC
Hmm. What's still missing? Can't this be closed meanwhile?
Comment 23 Wolfgang Frisch 2021-02-17 10:02:11 UTC
(In reply to Stefan Dirsch from comment #22)
> Hmm. What's still missing? Can't this be closed meanwhile?

All submissions have been accepted, thanks!

The updates have been released except SLE-12-SP2 (LTSS), which is accepted but temporarily stopped [1], as it is VUL-1 only, and we usually accumulate low impact vulnerabilities for LTSS products to reduce QA work load.

We will keep the bug open until SLE-12-SP2 is released as well.

[1] https://build.suse.de/package/view_file/SUSE:Maintenance:13445/patchinfo/_patchinfo?expand=1
Comment 24 Stefan Dirsch 2021-02-17 10:35:22 UTC
Thanks for explanation. Very much appreciated.
Comment 25 Swamp Workflow Management 2021-09-16 16:19:38 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:3117-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    Mesa-11.2.1-104.9.49
SUSE Linux Enterprise Server 12-SP2-BCL (src):    Mesa-11.2.1-104.9.49

Comment 26 Stefan Dirsch 2022-10-25 11:29:52 UTC
Isn't this done now? Or is SLES 12-SP2-BCL different to SLE-12-SP2 (LTSS)?
Comment 27 Stefan Dirsch 2022-12-07 15:39:25 UTC
@wolfgang.frisch@suse.com ping ...
Comment 28 Thomas Leroy 2022-12-07 16:04:54 UTC
(In reply to Stefan Dirsch from comment #27)
> @wolfgang.frisch@suse.com ping ...

Hi Stefan. Yes everything released now, thanks! Closing