Date: Wed, 25 Oct 2023 12:38:56 +1000 From: Peter Hutterer <peter.hutterer@...-t.net> To: oss-security@...ts.openwall.com Subject: FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 ----- Forwarded message from Peter Hutterer <peter.hutterer@...> ----- Subject: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 From: Peter Hutterer <peter.hutterer@...> Date: Wed, 25 Oct 2023 11:53:55 +1000 To: xorg-announce@...ts.x.org Cc: xorg@...ts.x.org X.Org Security Advisory: October 25, 2023 Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 ===================================================================== Multiple issues have been found in the X.Org X server implementation published by X.Org for which we are releasing security fixes for in xorg-server-21.1.9 and xwayland-23.2.2. The first issue (CVE-2023-5367) can be triggered by prepending to an input device property or randr property. The second issue (CVE-2023-5380) can be triggered by warping a pointer across screens in legacy multi-head setups and destroying specific client windows. Note that Xwayland is not affected by this issue. The third issue (CVE-2023-5574) can be triggered in Xvfb during cleanup of the ScreenRec, either at server shutdown or when the last client disconnects. Note that this issue has not been fixed in a release yet due to some issues with the proposed fixes. ---------------------------------------------------------------------------- 1) CVE-2023-5367 X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty Introduced in: xorg-server-1.7.0 (2009) and xorg-server-1.4.0 (2007), respectively Fixed in: xorg-server-21.1.9 and xwayland-23.2.2 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a When prepending values to an existing property an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy() would write into memory outside the heap-allocated array. For example, prepending 3 values to an existing 5 value property results in an allocated array of size 8, but the existing 5 values would be written at indices 5 through to 10. Indices 3 and 4 were left uninitialized, but due to a separate bug the resulting property only had a client-visible length of 3 values and the uninitialized memory data was never visibile to the client. xorg-server-21.1.9 and xwayland-23.2.2 have been patched to fix the offset calculation and the length calculation of the property. 2) CVE-2023-5380: Use-after-free bug in DestroyWindow Introduced in: xorg-server-1.7.0 (2009) Fixed in: xorg-server-21.1.9 Found by: Sri working with Trend Micro Zero Day Initiative Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7 This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place, other windows may then trigger a use-after-free bug when they are destroyed. This bug can be triggered only under very specific conditions, in particular it requires an XWarpPointer call and that the pointer never enters a client window on the other screen. xorg-server-21.1.9 has been patched fix the offset calculation. Xwayland is not affected as it does not support multiple protocol screens. 3) CVE-2023-5574: Use-after-free bug in DamageDestroy Introduced in: xorg-server-1.13.0 (2012) Found by: Sri working with Trend Micro Zero Day Initiative Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189 This issue only affects Xvfb and requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). Screen cleanup is handled via stackable "modules", but the fb module hardcoded the cleanup path for the screen pixmap instead of calling into the next layer of the stack. This caused a minor memory leak that was fixed with a patch to Xvfb introduced in server 1.13. However, that patch did not remove all references to the freed pixmap, causing a use-after-free during screen cleanup in a lower module. This issue has not yet been fixed, please see the above merge request to track future fixes to this issue. ---------------------------------------------------------------------------- X.Org thanks all of those who reported and fixed these issues, and those who helped with the review and release of this advisory and these fixes. ----- End forwarded message ----- Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.