Opened 13 months ago
Closed 13 months ago
#19134 closed enhancement (fixed)
xwayland-23.2.4
Reported by: | Xi Ruoyao | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 12.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New patch version.
Change History (5)
comment:1 by , 13 months ago
Priority: | normal → elevated |
---|
comment:2 by , 13 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 13 months ago
We're only vulnerable to 4 of these issues, the other two require SELinux.
1) CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer

Introduced in: xorg-server-1.13.0 (2012)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.

xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.

2) CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access

Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fixes:
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.

xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.

3) CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent

Introduced in: xorg-server-1.10.0 (2011)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.

xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.

4) CVE-2024-21886: Heap buffer overflow in DisableDevice

Introduced in: xorg-server-1.13.0 (2012)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fixes:
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of devices in the list, leading to a heap overflow and, possibly, to local privilege escalation.

xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
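A simplified model of the CVE-2023-6816 sizing mismatch described in comment 3, added here as an illustration; it is not X.Org Server code, and every function name and the sample device are constructed. A mask sized by button count has no room for a logical button value such as 200, while a mask sized for the full map range (0 to 255) does.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOGICAL_BUTTON 255u /* advisory: map values go up to 255 */

/* Bytes needed to hold bits 0..highest_bit inclusive. */
static size_t mask_bytes(unsigned highest_bit) { return highest_bit / 8 + 1; }

/* Flawed sizing: room only for the device's own button count. */
size_t len_by_button_count(unsigned num_buttons) { return mask_bytes(num_buttons); }
/* Sizing that covers every value a button map entry can hold. */
size_t len_by_map_range(void) { return mask_bytes(MAX_LOGICAL_BUTTON); }

/* Bounds-checked bit set: 0 on success, -1 if the bit lies past the buffer. */
int set_button_bit(uint8_t *mask, size_t len, unsigned logical)
{
    size_t byte = logical / 8;
    if (byte >= len) return -1; /* an unchecked write here is the overflow */
    mask[byte] |= (uint8_t)(1u << (logical % 8));
    return 0;
}

/* One bit per logical button that is down; returns how many did not fit. */
int build_mask(const uint8_t *map, const uint8_t *down, unsigned num_buttons,
               uint8_t *mask, size_t len)
{
    int rejected = 0;
    memset(mask, 0, len);
    for (unsigned i = 1; i <= num_buttons; i++)
        if (down[i] && set_button_bit(mask, len, map[i]) != 0)
            rejected++;
    return rejected;
}

/* Constructed input: 5-button device, physical button 3 mapped to logical 200. */
int demo_rejected(int size_for_map_range)
{
    const uint8_t map[6]  = {0, 1, 2, 200, 4, 5};
    const uint8_t down[6] = {0, 1, 0, 1, 0, 0};
    size_t len = size_for_map_range ? len_by_map_range() : len_by_button_count(5);
    uint8_t *mask = malloc(len);
    if (!mask) return -1;
    int rejected = build_mask(map, down, 5, mask, len);
    free(mask);
    return rejected;
}

int main(void) { printf("%d %d\n", demo_rejected(0), demo_rejected(1)); return 0; }
```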
comment:4 by , 13 months ago
Release notes:
This release contains fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg/2024-January/061525.html

* CVE-2023-6816
* CVE-2024-0229
* CVE-2024-21885
* CVE-2024-21886
* CVE-2024-0408
* CVE-2024-0409

Additionally, it also contains several other fixes for glamor, libEI support, and FreeBSD.

Jan Beich (2):
* os: Use LOCAL_PEERCRED to determine local client PID on FreeBSD
* os: Use KERN_PROC_ARGS to determine client command on DragonFly and FreeBSD

José Expósito (2):
* Xi: do not keep linked list pointer during recursion
* Bump version to 23.2.4

Michel Dänzer (3):
* glamor: Don't override source alpha to 1.0 if it's used for blending
* glamor: Make glamor_set_alu take a DrawablePtr
* glamor: Fall back for mixed depth 24/32 in glamor_set_alu

Olivier Fourdan (3):
* xwayland: Pass the correct oeffis device types
* glx: Call XACE hooks on the GLX buffer
* ephyr,xwayland: Use the proper private key for cursor

Peter Hutterer (10):
* Xi: require a pointer and keyboard device for XIAttachToMaster
* dix: don't allow for devices with 0 axes
* xwayland: override the XTest sendEventsProc for all devices
* dix: initialize the XTest sendEventsProc for all devices
* dix: allocate enough space for logical button maps
* dix: Allocate sufficient xEvents for our DeviceStateNotify
* dix: fix DeviceStateNotify event calculation
* Xi: when creating a new ButtonClass, set the number of buttons
* Xi: flush hierarchy events after adding/removing master devices
* dix: when disabling a master, float disabled slaved devices too
comment:5 by , 13 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at 06c83fefa0517ec1048feae4dd8b8832f7fda3c4
SA-12.0-072 issued
It contains 6 CVE fixes: https://lists.x.org/archives/xorg/2024-January/061525.html.