AmazonALAS-2024-1932

HistoryApr 25, 2024 - 4:04 p.m.

Important: xorg-x11-server

2024-04-2516:04:00

alas.aws.amazon.com

buffer overflow

memory access

xorg-x11-server

cve

update

mitre

red hat

security

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

Low

EPSS

0.004

Percentile

73.8%

JSON

Issue Overview:

Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer

NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 (CVE-2023-6816)

Reattaching to different master device may lead to out-of-bounds memory access

NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74 (CVE-2024-0229)

Heap buffer overflow in XISendDeviceHierarchyEvent

NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 (CVE-2024-21885)

Heap buffer overflow in DisableDevice

NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 (CVE-2024-21886)

Affected Packages:

xorg-x11-server

Issue Correction:
Run yum update xorg-x11-server to update your system.

New Packages:

i686:  
    xorg-x11-server-Xephyr-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-Xorg-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-Xdmx-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-Xnest-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-devel-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-common-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-debuginfo-1.17.4-18.56.amzn1.i686  
    xorg-x11-server-Xvfb-1.17.4-18.56.amzn1.i686  
  
noarch:  
    xorg-x11-server-source-1.17.4-18.56.amzn1.noarch  
  
src:  
    xorg-x11-server-1.17.4-18.56.amzn1.src  
  
x86_64:  
    xorg-x11-server-common-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-Xnest-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-devel-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-debuginfo-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-Xvfb-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-Xephyr-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-Xorg-1.17.4-18.56.amzn1.x86_64  
    xorg-x11-server-Xdmx-1.17.4-18.56.amzn1.x86_64

Additional References

Red Hat: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886

Mitre: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886

OSVersionArchitecturePackageVersionFilename
Amazon Linux1i686xorg-x11-server-xephyr< 1.17.4-18.56.amzn1xorg-x11-server-Xephyr-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-xorg< 1.17.4-18.56.amzn1xorg-x11-server-Xorg-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-xdmx< 1.17.4-18.56.amzn1xorg-x11-server-Xdmx-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-xnest< 1.17.4-18.56.amzn1xorg-x11-server-Xnest-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-devel< 1.17.4-18.56.amzn1xorg-x11-server-devel-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-common< 1.17.4-18.56.amzn1xorg-x11-server-common-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-debuginfo< 1.17.4-18.56.amzn1xorg-x11-server-debuginfo-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1i686xorg-x11-server-xvfb< 1.17.4-18.56.amzn1xorg-x11-server-Xvfb-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux1noarchxorg-x11-server-source< 1.17.4-18.56.amzn1xorg-x11-server-source-1.17.4-18.56.amzn1.noarch.rpm
Amazon Linux1x86_64xorg-x11-server-common< 1.17.4-18.56.amzn1xorg-x11-server-common-1.17.4-18.56.amzn1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	i686	xorg-x11-server-xephyr	< 1.17.4-18.56.amzn1	xorg-x11-server-Xephyr-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-xorg	< 1.17.4-18.56.amzn1	xorg-x11-server-Xorg-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-xdmx	< 1.17.4-18.56.amzn1	xorg-x11-server-Xdmx-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-xnest	< 1.17.4-18.56.amzn1	xorg-x11-server-Xnest-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-devel	< 1.17.4-18.56.amzn1	xorg-x11-server-devel-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-common	< 1.17.4-18.56.amzn1	xorg-x11-server-common-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-debuginfo	< 1.17.4-18.56.amzn1	xorg-x11-server-debuginfo-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	i686	xorg-x11-server-xvfb	< 1.17.4-18.56.amzn1	xorg-x11-server-Xvfb-1.17.4-18.56.amzn1.i686.rpm
Amazon Linux	1	noarch	xorg-x11-server-source	< 1.17.4-18.56.amzn1	xorg-x11-server-source-1.17.4-18.56.amzn1.noarch.rpm
Amazon Linux	1	x86_64	xorg-x11-server-common	< 1.17.4-18.56.amzn1	xorg-x11-server-common-1.17.4-18.56.amzn1.x86_64.rpm