
=====================================================================

                             CERT-Renater

                  Information Note No. 2023/VULN127

_____________________________________________________________________

DATE                : 29/03/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running X.Org versions prior to 21.1.8.

=====================================================================
https://lists.x.org/archives/xorg/2023-March/061312.html
_____________________________________________________________________

X.Org Security Advisory: March 29, 2023

X.Org Server Overlay Window Use-After-Free
==========================================

This issue can lead to local privilege elevation on systems where
the X server is running privileged, and to remote code execution for
ssh X forwarding sessions.

ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window
Use-After-Free Local Privilege Escalation Vulnerability

If a client explicitly destroys the compositor overlay window
(aka COW), the Xserver would leave a dangling pointer to that
window in the CompScreen structure, which will trigger a
use-after-free later.


Patches
-------
A patch for this issue has been committed to the xorg server git
repository.

xorg-server 21.1.8 will be released shortly and will include
this patch.

- commit 26ef545b3 - composite: Fix use-after-free of the COW
     (https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3)

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window
(aka COW), we would leave a dangling pointer to that window in
the CompScreen structure, which will trigger a use-after-free
later.

Make sure to clear the CompScreen pointer to the COW when the
latter gets destroyed explicitly by the client.


Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working
with Trend Micro Zero Day Initiative.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

