Bug 1156015 – VUL-1: CVE-2019-5068: Mesa: An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library. An attacker can access the shared memory without any specific permissions.

Bug 1156015 - (CVE-2019-5068) VUL-1: CVE-2019-5068: Mesa: An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library. An attacker can access the shared memory without any specific permissions.

(CVE-2019-5068)
Summary:	VUL-1: CVE-2019-5068: Mesa: An exploitable shared memory permissions vulnerab...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/246486/
Whiteboard:	CVSSv3.1:SUSE:CVE-2019-5068:5.1:(AV:L...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-11-06 09:29 UTC by Wolfgang Frisch
Modified:	2022-12-07 16:04 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
0001-drisw-use-shared-memory-when-possible.patch (4.77 KB, patch) 2019-11-14 14:07 UTC, Stefan Dirsch	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2019-11-06 09:29:43 UTC

CVE-2019-5068

An exploitable shared memory permissions vulnerability exists in the
functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the
shared memory without any specific permissions to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5068
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857

Comment 1 Stefan Dirsch 2019-11-06 11:19:51 UTC

(In reply to Wolfgang Frisch from comment #0)
> CVE-2019-5068
> https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857
[...]
2019-10-09 - Vendor confirmed fix in progress
2019-10-21 - Vendor patched
[...]

Hmm. Although it is claimed that this would have been fixed by vendor, I couldn't find a fix for this in Mesa git master ...

--> git://anongit.freedesktop.org/git/mesa/mesa

Please let me know, once a patch is availabe. Thanks!

Comment 3 Wolfgang Frisch 2019-11-13 15:02:05 UTC

There's a patch on the mesa-dev mailing list:
https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html

Comment 4 Stefan Dirsch 2019-11-13 16:11:38 UTC

(In reply to Wolfgang Frisch from comment #3)
> There's a patch on the mesa-dev mailing list:
> https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html

Thanks! Seems only one person have seen it (but didn't/couldn't review it), since for many it went to spam folder due to DMARC failures. :-(
At least Brian Paul is the original Mesa author, so there's hope that it isn't fully ignored in the end ...

Comment 9 Swamp Workflow Management 2019-11-16 22:20:05 UTC

This is an autogenerated message for OBS integration:
This bug (1156015) was mentioned in
https://build.opensuse.org/request/show/749087 Factory / Mesa

Comment 10 Stefan Dirsch 2019-11-21 11:57:31 UTC

Patch has been integrated in latest stable release of Mesa 19.2.5 and also to master git branch of course.

commit 023ddb01b59467180357f7e4f104219e4b533e23
Author: Brian Paul <brianp@vmware.com>
Date:   Wed Oct 9 12:05:16 2019 -0600

    Call shmget() with permission 0600 instead of 0777
    
    A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
    creating shared memory regions with permission mode 0777 could allow
    any user to access that memory.  Several Mesa drivers use shared-
    memory XImages to implement back buffers for improved performance.
    
    This path changes the shmget() calls to use 0600 (user r/w).
    
    Tested with legacy Xlib driver and llvmpipe.
    
    Cc: mesa-stable@lists.freedesktop.org
    Reviewed-by: Kristian H. Kristensen <hoegsberg@google.com>
    (cherry picked from commit 02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc)

Comment 11 Stefan Dirsch 2019-11-21 11:57:55 UTC

So I'm going to apply this also to our released products.

Comment 12 Stefan Dirsch 2019-11-27 17:28:04 UTC

Just submitted updated Mesa packages for sle10, sle11, sle12 and sle15.

Comment 15 Stefan Dirsch 2020-01-07 13:00:20 UTC

Considered fixed. Reassigning to security team.

Comment 16 Swamp Workflow Management 2020-01-16 14:22:30 UTC

SUSE-SU-2020:0111-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    Mesa-drivers-18.3.2-34.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    Mesa-18.3.2-34.9.1, Mesa-drivers-18.3.2-34.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    Mesa-18.3.2-34.9.1, Mesa-drivers-18.3.2-34.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2020-01-20 17:22:52 UTC

SUSE-SU-2020:0132-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    Mesa-drivers-18.0.2-27.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    Mesa-18.0.2-27.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    Mesa-drivers-18.0.2-27.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    Mesa-18.0.2-27.6.1, Mesa-drivers-18.0.2-27.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Swamp Workflow Management 2020-01-21 14:11:32 UTC

SUSE-SU-2020:0145-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    Mesa-18.0.2-8.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    Mesa-18.0.2-8.3.2, Mesa-drivers-18.0.2-8.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    Mesa-18.0.2-8.3.2, Mesa-drivers-18.0.2-8.3.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    Mesa-18.0.2-8.3.2, Mesa-drivers-18.0.2-8.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2020-01-21 14:13:40 UTC

openSUSE-SU-2020:0084-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
openSUSE Leap 15.1 (src):    Mesa-18.3.2-lp151.23.9.1, Mesa-drivers-18.3.2-lp151.23.9.1

Comment 20 Swamp Workflow Management 2020-01-21 14:16:26 UTC

SUSE-SU-2020:0146-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    Mesa-18.3.2-14.3.2, Mesa-drivers-18.3.2-14.3.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    Mesa-18.3.2-14.3.2, Mesa-drivers-18.3.2-14.3.2
SUSE Linux Enterprise Server 12-SP5 (src):    Mesa-18.3.2-14.3.2, Mesa-drivers-18.3.2-14.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2020-07-07 16:27:18 UTC

SUSE-SU-2020:0111-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    Mesa-18.3.2-34.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 22 Stefan Dirsch 2021-02-16 22:09:44 UTC

Hmm. What's still missing? Can't this be closed meanwhile?

Comment 23 Wolfgang Frisch 2021-02-17 10:02:11 UTC

(In reply to Stefan Dirsch from comment #22)
> Hmm. What's still missing? Can't this be closed meanwhile?

All submissions have been accepted, thanks!

The updates have been released except SLE-12-SP2 (LTSS), which is accepted but temporarily stopped [1], as it is VUL-1 only, and we usually accumulate low impact vulnerabilities for LTSS products to reduce QA work load.

We will keep the bug open until SLE-12-SP2 is released as well.

[1] https://build.suse.de/package/view_file/SUSE:Maintenance:13445/patchinfo/_patchinfo?expand=1

Comment 24 Stefan Dirsch 2021-02-17 10:35:22 UTC

Thanks for explanation. Very much appreciated.

Comment 25 Swamp Workflow Management 2021-09-16 16:19:38 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:3117-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1156015
CVE References: CVE-2019-5068
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    Mesa-11.2.1-104.9.49
SUSE Linux Enterprise Server 12-SP2-BCL (src):    Mesa-11.2.1-104.9.49

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 26 Stefan Dirsch 2022-10-25 11:29:52 UTC

Isn't this done now? Or is SLES 12-SP2-BCL  different to SLE-12-SP2 (LTSS) ?

Comment 27 Stefan Dirsch 2022-12-07 15:39:25 UTC

@wolfgang.frisch@suse.com ping ...

Comment 28 Thomas Leroy 2022-12-07 16:04:54 UTC

(In reply to Stefan Dirsch from comment #27)
> @wolfgang.frisch@suse.com ping ...

Hi Stefan. Yes everything released now, thanks! Closing