Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#17605 closed enhancement (fixed)

xorg-server-21.1.7

Reported by: Bruce Dubbs
Owned by: Tim Tassonis
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Tim Tassonis, 14 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

This release contains the fix for CVE-2023-0494 in today's security advisory: https://lists.x.org/archives/xorg-announce/2023-February/003320.html

It also fixes a second possible OOB access during EnqueueEvent and a crasher caused by ResourceClientBits not correctly honouring the MaxClients value in the configuration file.

Finally, a bunch of Xquartz updates including the ability to correctly detect ssh-tunneled clients as remote.

Jeremy Huddleston Sequoia (11):

  xquartz: Ignore SIGPIPE at process launch
  xquartz: Use xorg_backtrace() instead of rolling our own for debugging
  rootless: Add additional debug logging to help triage XQuartz fb/rootless/damage crashes
  xquartz: Fix building with autoconf
  xquartz: Update the about box copyright to 2023
  xquartz: Disable COMPOSITE at runtime
  Revert "meson: Don't build COMPOSITE for XQuartz"
  os: Update AllocNewConnection() debug logging to include whether or not the client is local
  os: Update GetLocalClientCreds to prefer getpeerucred() or SO_PEERCRED over getpeereid()
  os: Use LOCAL_PEERPID from sys/un.h if it is available to detemine the pid when falling back on getpeereids()
  darwin: Implement DetermineClientCmd for macOS

Mike Gorse (1):

dix: Use CopyPartialInternalEvent in EnqueueEvent

Olivier Fourdan (1):

dix: Fix overzealous caching of ResourceClientBits()

Peter Hutterer (2):

Xi: fix potential use-after-free in DeepCopyPointerClasses

comment:2 by Tim Tassonis, 14 months ago

Resolution: fixed
Status: assigned → closed

Fixed in commit 24ac3c2034

comment:3 by Douglas R. Reno, 14 months ago

X.Org Security Advisory: February 07, 2023

Security issue in the X server
==============================

This issue can lead to local privileges elevation on systems
where the X server is running privileged and remote code execution for
ssh X forwarding sessions.

* CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses
use-after-free

A dangling pointer in DeepCopyPointerClasses can be exploited by
ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into
freed memory.

Patches
-------
A patch for this issue has been committed to the xorg server git
repository. xorg-server 21.1.7 will be released shortly and will include
this patch.

- commit 0ba6d8c37071131a49790243cdac55392ecf71ec

  Xi: fix potential use-after-free in DeepCopyPointerClasses

  CVE-2023-0494, ZDI-CAN 19596

Note that this can allow for privileged and remote code execution on systems with X11 Forwarding enabled, and local privilege escalation locally.

Thank you Tim for SA-11.2-078! There's a couple of tweaks it needs (primarily linking to the CVE, and linking to the development books), but otherwise the general format is good!

comment:4 by Douglas R. Reno, 14 months ago

Priority: normal → elevated

Mark the ticket as Elevated since it contains a security fix in it
