Moderate: xorg-x11-server-Xwayland security update

2024-05-2200:00:00

Google

osv.dev

xwayland

security

update

out-of-bounds writes

heap buffer overflows

cve-2023-5367

cve-2023-6377

cve-2023-6478

cve-2023-6816

cve-2024-0229

cve-2024-0408

cve-2024-0409

cve-2024-21885

cve-2024-21886

x server

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

Low

0.273 Low

EPSS

Percentile

96.8%

JSON

Xwayland is an X server for running X clients under Wayland.

Security Fix(es):

xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty (CVE-2023-5367)
xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions (CVE-2023-6377)
xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty (CVE-2023-6478)
xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer (CVE-2023-6816)
xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access (CVE-2024-0229)
xorg-x11-server: SELinux unlabeled GLX PBuffer (CVE-2024-0408)
xorg-x11-server: SELinux context corruption (CVE-2024-0409)
xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent (CVE-2024-21885)
xorg-x11-server: heap buffer overflow in DisableDevice (CVE-2024-21886)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.