VuXML ID | Description |
9e2fdfc7-e237-4393-9fa5-2d50908c66b3 | xorg-server -- Multiple vulnerabilities
The X.Org project reports:
- ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write
in XIChangeDeviceProperty/RRChangeOutputProperty
When prepending values to an existing property an
invalid offset calculation causes the existing values to
be appended at the wrong offset. The resulting memcpy()
would write into memory outside the heap-allocated
array.
- ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in
DestroyWindow
This vulnerability requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod"). If the pointer
is warped from one screen to the root window of the other
screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves
that reference in place; other windows may then trigger a
use-after-free bug when they are destroyed.
Discovery: 2023-10-25, Entry: 2023-10-25
Affected packages:
- xorg-server, xephyr, xorg-vfbserver < 21.1.9,1
- xorg-nestserver < 21.1.9,2
- xwayland < 23.2.2,1
- xwayland-devel < 21.0.99.1.542
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
CVE-2023-5367
CVE-2023-5380
|
7467c611-b490-11ee-b903-001fc69cd6dc | xorg server -- Multiple vulnerabilities
The X.Org project reports:
- CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent
and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit
for each logical button currently down. Buttons can be arbitrarily
mapped to any value up to 255 but the X.Org Server was only
allocating space for the device's number of buttons,
leading to a heap overflow if a bigger value was used.
- CVE-2024-0229: Reattaching to different master device may lead
to out-of-bounds memory access
If a device has both a button class and a key class and
numButtons is zero, we can get an out-of-bounds write due
to event under-allocation in the DeliverStateNotifyEvent
function.
- CVE-2024-21885: Heap buffer overflow in
XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to
store up to MAXDEVICES (256) xXIHierarchyInfo structures in info.
If a device with a given ID was removed and a new device with
the same ID added both in the same operation,
the single device ID will lead to two info structures being
written to info.
Since this case can occur for every device ID at once,
a total of two times MAXDEVICES info structures might be written
to the allocation, leading to a heap buffer overflow.
- CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device
is disabled and it moves the device from the inputInfo.devices
linked list to the inputInfo.off_devices linked list.
However, its link/unlink operation has an issue during the recursive
call to DisableDevice() due to the prev pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of devices in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
Discovery: 2024-01-16, Entry: 2024-01-16
Affected packages:
- xorg-server, xephyr, xorg-vfbserver < 21.1.11,1
- xorg-nextserver < 21.1.11,2
- xwayland < 23.2.4
- xwayland-devel < 21.0.99.1.653
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
https://lists.x.org/archives/xorg/2024-January/061525.html
|
57561cfc-f24b-11ee-9730-001fc69cd6dc | xorg server -- Multiple vulnerabilities
The X.Org project reports:
- CVE-2024-31080: Heap buffer overread/data leakage in
ProcXIGetSelectedEvents
The ProcXIGetSelectedEvents() function uses the byte-swapped
length of the return data for the amount of data to return to
the client, if the client has a different endianness than
the X server.
- CVE-2024-31081: Heap buffer overread/data leakage in
ProcXIPassiveGrabDevice
The ProcXIPassiveGrabDevice() function uses the byte-swapped
length of the return data for the amount of data to return to
the client, if the client has a different endianness than
the X server.
- CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs
The ProcRenderAddGlyphs() function calls the AllocateGlyph()
function to store new glyphs sent by the client to the X server.
AllocateGlyph() would return a new glyph with refcount=0 and
a re-used glyph would end up not changing the refcount at all.
The resulting glyph_new array would thus have multiple entries
pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a
use-after-free when the same glyph pointer is then later used.
Discovery: 2024-04-03, Entry: 2024-04-04
Affected packages:
- xorg-server, xephyr, xorg-vfbserver < 21.1.12,1
- xorg-nextserver < 21.1.12,2
- xwayland < 23.2.5
- xwayland-devel ge 21.0.99.1.672 lt 21.0.99.1.841_1; < 21.0.99.1.671_1
CVE-2024-31080
CVE-2024-31081
CVE-2024-31083
https://lists.x.org/archives/xorg-announce/2024-April/003497.html
|
972568d6-3485-40ab-80ff-994a8aaf9683 | xorg-server -- Multiple vulnerabilities
The X.Org project reports:
- CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org
server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the
device. When a logical device switch happens (e.g. moving
from a touchpad to a mouse), the server re-calculates the
information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation
only allocated enough memory for a single XKB action
instead of enough for the newly active physical
device's number of buttons. As a result, querying or
changing the XKB button actions results in out-of-bounds
memory reads and writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
- CVE-2023-6478/ZDI-CAN-22561: X.Org server:
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
Discovery: 2023-12-13, Entry: 2023-12-13
Affected packages:
- xorg-server, xephyr, xorg-vfbserver < 21.1.10,1
- xorg-nestserver < 21.1.10,2
- xwayland < 23.2.3,1
- xwayland-devel < 21.0.99.1.582
https://lists.x.org/archives/xorg-announce/2023-December/003435.html
CVE-2023-6377
CVE-2023-6478
|