The X.Org project reports:
CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org
server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the
device. When a logical device switch happens (e.g. moving
from a touchpad to a mouse), the server re-calculates the
information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation
only allocated enough memory for a single XKB action
rather instead of enough for the newly active physical
device's number of button. As a result, querying or
changing the XKB button actions results in out-of-bounds
memory reads and writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
CVE-2023-6478/ZDI-CAN-22561: X.Org server:
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | xorg-server | < 21.1.10,1 | UNKNOWN |
FreeBSD | any | noarch | xephyr | < 21.1.10,1 | UNKNOWN |
FreeBSD | any | noarch | xorg-vfbserver | < 21.1.10,1 | UNKNOWN |
FreeBSD | any | noarch | xorg-nestserver | < 21.1.10,2 | UNKNOWN |
FreeBSD | any | noarch | xwayland | < 23.2.3,1 | UNKNOWN |
FreeBSD | any | noarch | xwayland-devel | < 21.0.99.1.582 | UNKNOWN |