=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN430

_____________________________________________________________________

DATE                : 25/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running X.Org X server versions prior to
                           21.1.9, Xwayland versions prior to 23.2.2.

=====================================================================
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
_____________________________________________________________________


X.Org Security Advisory: October 25, 2023

Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2
=====================================================================

Multiple issues have been found in the X.Org X server implementation 
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.9 and xwayland-23.2.2.

The first issue (CVE-2023-5367) can be triggered by prepending to an
input device property or randr property.

The second issue (CVE-2023-5380) can be triggered by warping a
pointer across screens in legacy multi-head setups and destroying
specific client windows.
Note that Xwayland is not affected by this issue.

The third issue (CVE-2023-5574) can be triggered in Xvfb during
cleanup of the ScreenRec, either at server shutdown or when the
last client disconnects.
Note that this issue has not been fixed in a release yet due to
some issues with the proposed fixes.

----------------------------------------------------------------------------

1) CVE-2023-5367 X.Org server: OOB write in 
XIChangeDeviceProperty/RRChangeOutputProperty

Introduced in: xorg-server-1.7.0 (2009) and xorg-server-1.4.0 (2007), 
respectively
Fixed in: xorg-server-21.1.9 and xwayland-23.2.2
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Fix: 
https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a

When prepending values to an existing property an invalid offset 
calculation causes the existing values to be appended at the wrong
offset. The resulting memcpy() would write into memory outside the
heap-allocated array.

For example, prepending 3 values to an existing 5 value property
results in an allocated array of size 8, but the existing 5 values
would be written at indices 5 through to 10. Indices 3 and 4 were
left uninitialized, but due to a separate bug the resulting property
only had a client-visible length of 3 values and the uninitialized
memory data was never visibile to the client.

xorg-server-21.1.9 and xwayland-23.2.2 have been patched to fix
the offset calculation and the length calculation of the property.

2) CVE-2023-5380: Use-after-free bug in DestroyWindow

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.9
Found by: Sri working with Trend Micro Zero Day Initiative
Fix: 
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7

This vulnerability requires a legacy multi-screen setup with multiple
protocol screens ("Zaphod"). If the pointer is warped from one
screen to the root window of the other screen, the enter/leave
code may retain a reference to the previous pointer window.
Destroying this window leaves that reference in place,
other windows may then trigger a use-after-free bug when they
are destroyed.

This bug can be triggered only under very specific conditions,
in particular it requires an XWarpPointer call and that the
pointer never enters a client window on the other screen.

xorg-server-21.1.9 has been patched fix the offset calculation.
Xwayland is not affected as it does not support multiple
protocol screens.

3) CVE-2023-5574: Use-after-free bug in DamageDestroy

Introduced in: xorg-server-1.13.0 (2012)
Found by: Sri working with Trend Micro Zero Day Initiative
Merge request tracking the fixes: 
https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod").

Screen cleanup is handled via stackable "modules", but the fb module
hardcoded the cleanup path for the screen pixmap instead of calling
into the next layer of the stack. This caused a minor memory leak
that was fixed with a patch to Xvfb introduced in server 1.13.
However, that patch did not remove all references to the freed
pixmap, causing a use-after-free during screen cleanup in a lower
module.

This issue has not yet been fixed, please see the above merge request
to track future fixes to this issue.

----------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================