X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2

Peter Hutterer peter.hutterer at who-t.net
Wed Oct 25 01:53:55 UTC 2023

X.Org Security Advisory: October 25, 2023

Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2

Multiple issues have been found in the X.Org X server implementation published
by X.Org for which we are releasing security fixes for in xorg-server-21.1.9
and xwayland-23.2.2.

The first issue (CVE-2023-5367) can be triggered by prepending to an input
device property or randr property.

The second issue (CVE-2023-5380) can be triggered by warping a pointer across
screens in legacy multi-head setups and destroying specific client windows.
Note that Xwayland is not affected by this issue.

The third issue (CVE-2023-5574) can be triggered in Xvfb during cleanup of the
ScreenRec, either at server shutdown or when the last client disconnects.
Note that this issue has not been fixed in a release yet due to some
issues with the proposed fixes.


1) CVE-2023-5367 X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty

Introduced in: xorg-server-1.7.0 (2009) and xorg-server-1.4.0 (2007), respectively
Fixed in: xorg-server-21.1.9 and xwayland-23.2.2
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a

When prepending values to an existing property an invalid offset calculation
causes the existing values to be appended at the wrong offset. The resulting
memcpy() would write into memory outside the heap-allocated array.

For example, prepending 3 values to an existing 5 value property results in
an allocated array of size 8, but the existing 5 values would be written at
indices 5 through to 10. Indices 3 and 4 were left uninitialized, but due to a
separate bug the resulting property only had a client-visible length of 3
values and the uninitialized memory data was never visibile to the client.

xorg-server-21.1.9 and xwayland-23.2.2 have been patched to fix the offset
calculation and the length calculation of the property.

2) CVE-2023-5380: Use-after-free bug in DestroyWindow

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.9
Found by: Sri working with Trend Micro Zero Day Initiative
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7

This vulnerability requires a legacy multi-screen setup with multiple protocol
screens ("Zaphod"). If the pointer is warped from one screen to the root window
of the other screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves that reference in place,
other windows may then trigger a use-after-free bug when they are destroyed.

This bug can be triggered only under very specific conditions, in particular it
requires an XWarpPointer call and that the pointer never enters a client window
on the other screen.

xorg-server-21.1.9 has been patched fix the offset calculation. Xwayland is not
affected as it does not support multiple protocol screens.

3) CVE-2023-5574: Use-after-free bug in DamageDestroy

Introduced in: xorg-server-1.13.0 (2012)
Found by: Sri working with Trend Micro Zero Day Initiative
Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod").

Screen cleanup is handled via stackable "modules", but the fb module hardcoded
the cleanup path for the screen pixmap instead of calling into the next layer
of the stack. This caused a minor memory leak that was fixed with a patch to
Xvfb introduced in server 1.13. However, that patch did not remove all
references to the freed pixmap, causing a use-after-free during screen cleanup
in a lower module.

This issue has not yet been fixed, please see the above merge request to
track future fixes to this issue.


X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.x.org/archives/xorg/attachments/20231025/08389037/attachment.sig>

More information about the xorg mailing list