893438 – (CVE-2023-0494, ZDI-CAN-19596) <x11-base/xorg-server-21.1.7 <x11-base/xwayland-22.1.8: Use-after-free in DeepCopyPointerClasses

Bug 893438 (CVE-2023-0494, ZDI-CAN-19596) - <x11-base/xorg-server-21.1.7 <x11-base/xwayland-22.1.8: Use-after-free in DeepCopyPointerClasses

Summary: <x11-base/xorg-server-21.1.7 <x11-base/xwayland-22.1.8: Use-after-free in Dee...

Status:	RESOLVED FIXED

Alias:	CVE-2023-0494, ZDI-CAN-19596

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://lists.x.org/archives/xorg-ann...
Whiteboard:	A2 [glsa+]
Keywords:

Depends on:	893876
Blocks:
	Show dependency tree

Reported:	2023-02-07 04:10 UTC by Sam James
Modified:	2023-05-30 02:59 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-02-07 04:10:12 UTC

Security issue in the X server
==============================

This issue can lead to local privileges elevation on systems
where the X server is running privileged and remote code execution for
ssh X forwarding sessions.

* CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses
use-after-free

A dangling pointer in DeepCopyPointerClasses can be exploited by
ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into
freed memory.

Patches
-------
A patch for this issue has been committed to the xorg server git
repository. xorg-server 21.1.7 will be released shortly and will include
this patch.

- commit 0ba6d8c37071131a49790243cdac55392ecf71ec

  Xi: fix potential use-after-free in DeepCopyPointerClasses

  CVE-2023-0494, ZDI-CAN 19596

Comment 1 Larry the Git Cow gentoo-dev

2023-02-07 04:41:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9de3e46964986c90eaf8971546c002c60cc375e3

commit 9de3e46964986c90eaf8971546c002c60cc375e3
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-07 04:38:41 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-07 04:41:04 +0000

    x11-base/xorg-server: Version bump to 21.1.7
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                  |   1 +
 x11-base/xorg-server/xorg-server-21.1.7.ebuild | 193 +++++++++++++++++++++++++
 2 files changed, 194 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-02-07 17:27:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef2060d6f4c1f97775f97353e9481a913a7547f8

commit ef2060d6f4c1f97775f97353e9481a913a7547f8
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-07 17:25:07 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-07 17:27:35 +0000

    x11-base/xwayland: Version bump to 22.1.8
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-22.1.8.ebuild | 100 +++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2023-02-26 23:45:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edb9d8bbd529347bd374f60b841c9899a12d6dae

commit edb9d8bbd529347bd374f60b841c9899a12d6dae
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-26 23:44:26 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-26 23:44:29 +0000

    x11-base/xorg-server: Drop old versions
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                      |   1 -
 .../files/xorg-server-21.1.4-BadIDChoice.patch     |  59 -------
 x11-base/xorg-server/xorg-server-21.1.6.ebuild     | 195 ---------------------
 3 files changed, 255 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4945ad61abcfe0fde76deaafa1bbf6a787aae780

commit 4945ad61abcfe0fde76deaafa1bbf6a787aae780
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-02-26 23:43:32 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-02-26 23:44:00 +0000

    x11-base/xwayland: Drop old versions
    
    Bug: https://bugs.gentoo.org/893438
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   1 -
 x11-base/xwayland/xwayland-22.1.7.ebuild | 100 -------------------------------
 2 files changed, 101 deletions(-)

Comment 4 John Helmert III archtester

2023-05-29 23:28:10 UTC

GLSA request filed

Comment 5 Larry the Git Cow gentoo-dev

2023-05-30 02:56:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

Comment 6 John Helmert III archtester

2023-05-30 02:59:54 UTC

GLSA released, all done!