Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 893438 (CVE-2023-0494, ZDI-CAN-19596)

Summary: <x11-base/xorg-server-21.1.7 <x11-base/xwayland-22.1.8: Use-after-free in DeepCopyPointerClasses
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: bertrand, jasmin+gentoo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.x.org/archives/xorg-announce/2023-February/003320.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 893876    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-07 04:10:12 UTC
Security issue in the X server
==============================

This issue can lead to local privileges elevation on systems
where the X server is running privileged and remote code execution for
ssh X forwarding sessions.

* CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses
use-after-free

A dangling pointer in DeepCopyPointerClasses can be exploited by
ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into
freed memory.

Patches
-------
A patch for this issue has been committed to the xorg server git
repository. xorg-server 21.1.7 will be released shortly and will include
this patch.

- commit 0ba6d8c37071131a49790243cdac55392ecf71ec

  Xi: fix potential use-after-free in DeepCopyPointerClasses

  CVE-2023-0494, ZDI-CAN 19596
Comment 1 Larry the Git Cow gentoo-dev 2023-02-07 04:41:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9de3e46964986c90eaf8971546c002c60cc375e3

commit 9de3e46964986c90eaf8971546c002c60cc375e3
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-07 04:38:41 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-07 04:41:04 +0000

    x11-base/xorg-server: Version bump to 21.1.7
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                  |   1 +
 x11-base/xorg-server/xorg-server-21.1.7.ebuild | 193 +++++++++++++++++++++++++
 2 files changed, 194 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-02-07 17:27:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef2060d6f4c1f97775f97353e9481a913a7547f8

commit ef2060d6f4c1f97775f97353e9481a913a7547f8
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-07 17:25:07 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-07 17:27:35 +0000

    x11-base/xwayland: Version bump to 22.1.8
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-22.1.8.ebuild | 100 +++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-02-26 23:45:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edb9d8bbd529347bd374f60b841c9899a12d6dae

commit edb9d8bbd529347bd374f60b841c9899a12d6dae
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-26 23:44:26 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-26 23:44:29 +0000

    x11-base/xorg-server: Drop old versions
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                      |   1 -
 .../files/xorg-server-21.1.4-BadIDChoice.patch     |  59 -------
 x11-base/xorg-server/xorg-server-21.1.6.ebuild     | 195 ---------------------
 3 files changed, 255 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4945ad61abcfe0fde76deaafa1bbf6a787aae780

commit 4945ad61abcfe0fde76deaafa1bbf6a787aae780
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-26 23:43:32 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-26 23:44:00 +0000

    x11-base/xwayland: Drop old versions
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 -
 x11-base/xwayland/xwayland-22.1.7.ebuild | 100 -------------------------------
 2 files changed, 101 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-29 23:28:10 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-05-30 02:56:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 02:59:54 UTC
GLSA released, all done!