From https://lists.x.org/archives/xorg-announce/2023-October/003430.html:

"""
Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2
=====================================================================

Multiple issues have been found in the X.Org X server implementation published by X.Org, for which we are releasing security fixes in xorg-server-21.1.9 and xwayland-23.2.2.

The first issue (CVE-2023-5367) can be triggered by prepending to an input device property or randr property.

The second issue (CVE-2023-5380) can be triggered by warping a pointer across screens in legacy multi-head setups and destroying specific client windows. Note that Xwayland is not affected by this issue.

The third issue (CVE-2023-5574) can be triggered in Xvfb during cleanup of the ScreenRec, either at server shutdown or when the last client disconnects. Note that this issue has not been fixed in a release yet due to some issues with the proposed fixes.

----------------------------------------------------------------------------

1) CVE-2023-5367 X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty

Introduced in: xorg-server-1.7.0 (2009) and xorg-server-1.4.0 (2007), respectively
Fixed in: xorg-server-21.1.9 and xwayland-23.2.2
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a

When prepending values to an existing property, an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy() would write into memory outside the heap-allocated array. For example, prepending 3 values to an existing 5 value property results in an allocated array of size 8, but the existing 5 values would be written at indices 5 through to 10.

Indices 3 and 4 were left uninitialized, but due to a separate bug the resulting property only had a client-visible length of 3 values and the uninitialized memory data was never visible to the client.

xorg-server-21.1.9 and xwayland-23.2.2 have been patched to fix the offset calculation and the length calculation of the property.

2) CVE-2023-5380: Use-after-free bug in DestroyWindow

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.9
Found by: Sri working with Trend Micro Zero Day Initiative
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7

This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place; other windows may then trigger a use-after-free bug when they are destroyed.

This bug can be triggered only under very specific conditions; in particular it requires an XWarpPointer call and that the pointer never enters a client window on the other screen.

xorg-server-21.1.9 has been patched to fix the offset calculation. Xwayland is not affected as it does not support multiple protocol screens.

3) CVE-2023-5574: Use-after-free bug in DamageDestroy

Introduced in: xorg-server-1.13.0 (2012)
Found by: Sri working with Trend Micro Zero Day Initiative
Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). Screen cleanup is handled via stackable "modules", but the fb module hardcoded the cleanup path for the screen pixmap instead of calling into the next layer of the stack. This caused a minor memory leak that was fixed with a patch to Xvfb introduced in server 1.13.

However, that patch did not remove all references to the freed pixmap, causing a use-after-free during screen cleanup in a lower module.

This issue has not yet been fixed; please see the above merge request to track future fixes to this issue.
"""
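The offset miscalculation behind CVE-2023-5367, as an added illustration in a constructed C model that is not xserver code: the function names and the explicit bounds check are assumptions, and the 3-onto-5 values follow the advisory's own example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the PropModePrepend path described above (not xserver
 * code), following the advisory's "prepend 3 values to a 5-value property"
 * case. `buggy` selects the miscalculated offset and length. */

/* Element offset for the existing values: the buggy path uses old_len
 * instead of placing them right after the new_len prepended values. */
static size_t existing_values_offset(size_t new_len, size_t old_len, bool buggy) {
    return buggy ? old_len : new_len;
}

/* The bounds check the vulnerable memcpy() did not perform. */
static bool copy_in_bounds(size_t offset, size_t count, size_t total_len) {
    return offset <= total_len && count <= total_len - offset;
}

/* Merge `fresh` in front of `old`; returns NULL instead of copying when the
 * computed offset would write past the total_len-element allocation. */
static uint32_t *prepend_property(const uint32_t *old, size_t old_len,
                                  const uint32_t *fresh, size_t new_len,
                                  bool buggy, size_t *out_len) {
    size_t total_len = old_len + new_len;
    size_t offset = existing_values_offset(new_len, old_len, buggy);
    uint32_t *merged = calloc(total_len, sizeof *merged);
    if (merged == NULL || !copy_in_bounds(offset, old_len, total_len)) {
        free(merged);               /* buggy 3+5 case: 5 values at index 5 of 8 */
        return NULL;
    }
    memcpy(merged, fresh, new_len * sizeof *merged);
    memcpy(merged + offset, old, old_len * sizeof *merged);
    /* second bug from the advisory: only the prepended count was reported */
    *out_len = buggy ? new_len : total_len;
    return merged;
}

/* The advisory's example: visible length on success, -1 if the copy was
 * refused, -2 if the values came out in the wrong order. */
static long advisory_example(bool buggy) {
    const uint32_t old[5] = {10, 20, 30, 40, 50}, fresh[3] = {1, 2, 3};
    size_t len = 0;
    uint32_t *merged = prepend_property(old, 5, fresh, 3, buggy, &len);
    if (merged == NULL) return -1;
    bool ordered = merged[0] == 1 && merged[2] == 3 && merged[3] == 10 && merged[7] == 50;
    free(merged);
    return ordered ? (long) len : -2;
}
```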
Per Peter at https://fosstodon.org/@whot/111293224860265744 "Three CVEs but statistically only the first one (5367) will matter to you. And even that one really only if you're running X as root. The second one affects Zaphod setups only and the third one only Xvfb with a Zaphod setup so they're well into niche territory, past the Unlikely canyon, and currently climbing the Improbably mountain."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b4db39b0d72f93d5c46898cb262d8c5349542cc

commit 9b4db39b0d72f93d5c46898cb262d8c5349542cc
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-10-25 15:29:54 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-10-25 15:41:30 +0000

    x11-base/xorg-server: Version bump to 21.1.9

    Bug: https://bugs.gentoo.org/916254
    Closes: https://bugs.gentoo.org/884221
    Closes: https://bugs.gentoo.org/909092
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                      |   1 +
 ...1.9-xephyr-Don-t-check-for-SeatId-anymore.patch |  66 +++++++
 x11-base/xorg-server/xorg-server-21.1.9.ebuild     | 194 +++++++++++++++++++++
 3 files changed, 261 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ac627f3c6badbf889971107157737bced0907ac

commit 5ac627f3c6badbf889971107157737bced0907ac
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-10-25 15:27:21 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-10-25 15:41:30 +0000

    x11-base/xwayland: Version bump to 23.2.2

    Bug: https://bugs.gentoo.org/916254
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-23.2.2.ebuild | 110 +++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
I've added a separate bug for CVE-2023-5574 since that isn't fixed yet, so we can proceed with the two fixed issues in this bug.
commit 637e44f058d0f6d13a6339fe09ecaa5fddef4ba2
Author: Matt Turner <mattst88@gentoo.org>
Date:   Sat Nov 25 12:14:05 2023 -0500

    x11-base/xorg-server: Drop old versions

commit 11717276feab2c0d5fe2f1ef027a574c5b325e07
Author: Matt Turner <mattst88@gentoo.org>
Date:   Sat Nov 25 12:14:09 2023 -0500

    x11-base/xwayland: Drop old versions
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7b7fdd5a86cd28fc118fb133c98e81e2b15e0b92

commit 7b7fdd5a86cd28fc118fb133c98e81e2b15e0b92
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 11:33:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 11:35:22 +0000

    [ GLSA 202401-30 ] X.Org X Server, XWayland: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/916254
    Bug: https://bugs.gentoo.org/919803
    Bug: https://bugs.gentoo.org/922395
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-30.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)