Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 13 Dec 2023 12:22:20 +1000
From: Peter Hutterer <peter.hutterer@...-t.net>
To: oss-security@...ts.openwall.com
Subject: FW: X.Org Security Advisory: Issues in X.Org X server prior to
 21.1.10 and Xwayland prior to 23.2.3

----- Forwarded message from Peter Hutterer <peter.hutterer@...> -----

From: Peter Hutterer <peter.hutterer@...>
Subject: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and
	Xwayland prior to 23.2.3
Date: Wed, 13 Dec 2023 12:02:10 +1000
To: xorg-announce@...ts.x.org, xorg@...ts.x.org

X.Org Security Advisory: December 13, 2023

Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3
========================================================================

Multiple issues have been found in the X server and Xwayland implementations 
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.10 and xwayland-23.2.3.

1) CVE-2023-6377 can be triggered by forcing a logical device change on a device
with buttons which will result in an out-of-bounds memory write.

2) CVE-2023-6478 can be triggered by sending a specially crafted
request RRChangeProviderProperty or RRChangeOutputProperty. This will trigger
an integer overflow and lead to disclosure of information.

------------------------------------------------------------------------

1) CVE-2023-6377: X.Org server: Out-of-bounds memory write in XKB button actions

Introduced in: xorg-server-1.6.0 (2009)
Fixed in: xorg-server-21.1.10 and xwayland-23.2.3
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

A device has XKB button actions for each button on the device. When a logical
device switch happens (e.g. moving from a touchpad to a mouse), the server 
re-calculates the information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation only allocated enough
memory for a single XKB action rather instead of enough for the newly active
physical device's number of button. As a result, querying or changing the XKB
button actions results in out-of-bounds memory reads and writes.

This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).

xorg-server-21.1.10 and xwayland-23.2.3 have been patched to fix this issue.


2) CVE-2023-6478: X.Org server: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty

Introduced in: xorg-server-1.4.0 (2007) and xorg-server-1.13.0 (2012), respectively
Fixed in: xorg-server-21.1.10 and xwayland-23.2.3
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.

See also CVE-2022-46344 where this issue was fixed for other requests.

xorg-server-21.1.10 and xwayland-23.2.3 have been patched to fix this issue.

------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.



----- End forwarded message -----

Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.