Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 916254 (CVE-2023-5367, CVE-2023-5380) - <x11-base/xorg-server-21.1.9 <x11-base/xwayland-23.2.2: Multiple vulnerabilities
Summary: <x11-base/xorg-server-21.1.9 <x11-base/xwayland-23.2.2: Multiple vulnerabilities
Alias: CVE-2023-5367, CVE-2023-5380
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+]
Depends on: 916437 916442
  Show dependency tree
Reported: 2023-10-25 02:18 UTC by Sam James
Modified: 2024-01-31 11:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-25 02:18:27 UTC

Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2

Multiple issues have been found in the X.Org X server implementation published
by X.Org for which we are releasing security fixes for in xorg-server-21.1.9
and xwayland-23.2.2.

The first issue (CVE-2023-5367) can be triggered by prepending to an input
device property or randr property.

The second issue (CVE-2023-5380) can be triggered by warping a pointer across
screens in legacy multi-head setups and destroying specific client windows.
Note that Xwayland is not affected by this issue.

The third issue (CVE-2023-5574) can be triggered in Xvfb during cleanup of the
ScreenRec, either at server shutdown or when the last client disconnects.
Note that this issue has not been fixed in a release yet due to some
issues with the proposed fixes.


1) CVE-2023-5367 X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty

Introduced in: xorg-server-1.7.0 (2009) and xorg-server-1.4.0 (2007), respectively
Fixed in: xorg-server-21.1.9 and xwayland-23.2.2
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

When prepending values to an existing property an invalid offset calculation
causes the existing values to be appended at the wrong offset. The resulting
memcpy() would write into memory outside the heap-allocated array.

For example, prepending 3 values to an existing 5 value property results in
an allocated array of size 8, but the existing 5 values would be written at
indices 5 through to 10. Indices 3 and 4 were left uninitialized, but due to a
separate bug the resulting property only had a client-visible length of 3
values and the uninitialized memory data was never visibile to the client.

xorg-server-21.1.9 and xwayland-23.2.2 have been patched to fix the offset
calculation and the length calculation of the property.

2) CVE-2023-5380: Use-after-free bug in DestroyWindow

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.9
Found by: Sri working with Trend Micro Zero Day Initiative

This vulnerability requires a legacy multi-screen setup with multiple protocol
screens ("Zaphod"). If the pointer is warped from one screen to the root window
of the other screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves that reference in place,
other windows may then trigger a use-after-free bug when they are destroyed.

This bug can be triggered only under very specific conditions, in particular it
requires an XWarpPointer call and that the pointer never enters a client window
on the other screen.

xorg-server-21.1.9 has been patched fix the offset calculation. Xwayland is not
affected as it does not support multiple protocol screens.

3) CVE-2023-5574: Use-after-free bug in DamageDestroy

Introduced in: xorg-server-1.13.0 (2012)
Found by: Sri working with Trend Micro Zero Day Initiative
Merge request tracking the fixes:

This issue only affects Xvfb and requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod").

Screen cleanup is handled via stackable "modules", but the fb module hardcoded
the cleanup path for the screen pixmap instead of calling into the next layer
of the stack. This caused a minor memory leak that was fixed with a patch to
Xvfb introduced in server 1.13. However, that patch did not remove all
references to the freed pixmap, causing a use-after-free during screen cleanup
in a lower module.

This issue has not yet been fixed, please see the above merge request to
track future fixes to this issue.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-25 02:19:20 UTC
Per Peter at
"Three CVEs but statistically only the first one (5367) will matter to you. And even that one really only if you're running X as root.

The second one affects Zaphod setups only and the third one only Xvfb with a Zaphod setup so they're well into niche territory, past the Unlikely canyon, and currently climbing the Improbably mountain."
Comment 2 Larry the Git Cow gentoo-dev 2023-10-25 15:41:36 UTC
The bug has been referenced in the following commit(s):

commit 9b4db39b0d72f93d5c46898cb262d8c5349542cc
Author:     Matt Turner <>
AuthorDate: 2023-10-25 15:29:54 +0000
Commit:     Matt Turner <>
CommitDate: 2023-10-25 15:41:30 +0000

    x11-base/xorg-server: Version bump to 21.1.9
    Signed-off-by: Matt Turner <>

 x11-base/xorg-server/Manifest                      |   1 +
 ...1.9-xephyr-Don-t-check-for-SeatId-anymore.patch |  66 +++++++
 x11-base/xorg-server/xorg-server-21.1.9.ebuild     | 194 +++++++++++++++++++++
 3 files changed, 261 insertions(+)

commit 5ac627f3c6badbf889971107157737bced0907ac
Author:     Matt Turner <>
AuthorDate: 2023-10-25 15:27:21 +0000
Commit:     Matt Turner <>
CommitDate: 2023-10-25 15:41:30 +0000

    x11-base/xwayland: Version bump to 23.2.2
    Signed-off-by: Matt Turner <>

 x11-base/xwayland/Manifest               |   1 +
 x11-base/xwayland/xwayland-23.2.2.ebuild | 110 +++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
Comment 3 Hans de Graaff gentoo-dev Security 2023-10-28 09:31:04 UTC
I've added a separate bug for CVE-2023-5574 since that isn't fixed yet, so we can proceed with the two fixed issues in this bug.
Comment 4 Matt Turner gentoo-dev 2024-01-17 19:24:48 UTC
commit 637e44f058d0f6d13a6339fe09ecaa5fddef4ba2
Author: Matt Turner <>
Date:   Sat Nov 25 12:14:05 2023 -0500

    x11-base/xorg-server: Drop old versions

commit 11717276feab2c0d5fe2f1ef027a574c5b325e07
Author: Matt Turner <>
Date:   Sat Nov 25 12:14:09 2023 -0500

    x11-base/xwayland: Drop old versions
Comment 5 Larry the Git Cow gentoo-dev 2024-01-31 11:35:36 UTC
The bug has been referenced in the following commit(s):

commit 7b7fdd5a86cd28fc118fb133c98e81e2b15e0b92
Author:     GLSAMaker <>
AuthorDate: 2024-01-31 11:33:19 +0000
Commit:     Hans de Graaff <>
CommitDate: 2024-01-31 11:35:22 +0000

    [ GLSA 202401-30 ] X.Org X Server, XWayland: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202401-30.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)