903547 – (CVE-2023-1393) <x11-base/xorg-server-21.1.8 <x11-base/xwayland-23.1.1: Privilege escalation via use-after-free

Bug 903547 (CVE-2023-1393) - <x11-base/xorg-server-21.1.8 <x11-base/xwayland-23.1.1: Privilege escalation via use-after-free

Summary: <x11-base/xorg-server-21.1.8 <x11-base/xwayland-23.1.1: Privilege escalation ...

Status:	RESOLVED FIXED

Alias:	CVE-2023-1393

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical (vote)
Assignee:	Gentoo Security

URL:	https://cgit.freedesktop.org/xorg/xse...
Whiteboard:	A1 [glsa+]
Keywords:

Depends on:	903636 905391
Blocks:
	Show dependency tree

Reported:	2023-03-29 14:52 UTC by Sam James
Modified:	2023-05-30 02:59 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-03-29 14:52:12 UTC

From https://lists.x.org/archives/xorg/2023-March/061312.html:
"""
X.Org Server Overlay Window Use-After-Free
==========================================

This issue can lead to local privileges elevation on systems where the X
server is running privileged and remote code execution for ssh X forwarding
sessions.

ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Local Privilege Escalation Vulnerability

If a client explicitly destroys the compositor overlay window (aka COW),
the Xserver would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Patches
-------
Patch for this issue have been committed to the xorg server git repository.
xorg-server 21.1.8 will be released shortly and will include this patch.

- commit 26ef545b3 - composite: Fix use-after-free of the COW
   (https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3)

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-03-30 13:02:25 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5cef16547942f54d5ea8a6732e9258357182fcd

commit d5cef16547942f54d5ea8a6732e9258357182fcd
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-03-30 13:01:45 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-03-30 13:02:21 +0000

    x11-base/xorg-server: Version bump to 21.1.8
    
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                  |   1 +
 x11-base/xorg-server/xorg-server-21.1.8.ebuild | 193 +++++++++++++++++++++++++
 2 files changed, 194 insertions(+)

Comment 2 Sam James archtester

2023-03-30 17:11:21 UTC

Thanks. Please stable ASAP.

Comment 3 Larry the Git Cow gentoo-dev

2023-04-02 00:57:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01495ab0f1de5e9fc0189e8bfcfb48dc14899eff

commit 01495ab0f1de5e9fc0189e8bfcfb48dc14899eff
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-04-02 00:23:08 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-04-02 00:25:39 +0000

    x11-base/xorg-server: Drop old versions
    
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xorg-server/Manifest                  |   1 -
 x11-base/xorg-server/xorg-server-21.1.7.ebuild | 193 -------------------------
 2 files changed, 194 deletions(-)

Comment 4 John Helmert III archtester

2023-04-30 22:46:15 UTC

Can we stable fixed xwayland?

Comment 5 Larry the Git Cow gentoo-dev

2023-05-10 15:33:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8840d4c8be04f2227756d610d4a529c33cdcf538

commit 8840d4c8be04f2227756d610d4a529c33cdcf538
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-05-10 15:32:04 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-05-10 15:32:55 +0000

    x11-base/xwayland: Drop old versions
    
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-base/xwayland/Manifest               |   2 -
 x11-base/xwayland/xwayland-22.1.8.ebuild | 100 ------------------------------
 x11-base/xwayland/xwayland-23.1.0.ebuild | 101 -------------------------------
 3 files changed, 203 deletions(-)

Comment 6 John Helmert III archtester

2023-05-29 23:28:15 UTC

GLSA request filed

Comment 7 Larry the Git Cow gentoo-dev

2023-05-30 02:56:50 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f91a69c129c65b48c349fa74cf96eb46e176c139

commit f91a69c129c65b48c349fa74cf96eb46e176c139
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-30 02:54:51 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 02:56:36 +0000

    [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829208
    Bug: https://bugs.gentoo.org/877459
    Bug: https://bugs.gentoo.org/885825
    Bug: https://bugs.gentoo.org/893438
    Bug: https://bugs.gentoo.org/903547
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-30.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

Comment 8 John Helmert III archtester

2023-05-30 02:59:58 UTC

GLSA released, all done!