Bug 1216133 (CVE-2023-5380)

Summary: VUL-0: CVE-2023-5380: xorg-x11-server: Use-after-free bug in DestroyWindow
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: sndirsch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/381549/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5380:5.1:(AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: 0001-mi-reset-the-PointerWindows-reference-on-screen-swit.patch

Comment 3 Marcus Meissner 2023-10-12 06:58:13 UTC 
Created attachment 870114 [details]
0001-mi-reset-the-PointerWindows-reference-on-screen-swit.patch

0001-mi-reset-the-PointerWindows-reference-on-screen-swit.patch
Comment 10 Marcus Meissner 2023-10-25 07:18:07 UTC 
is public

https://lists.x.org/archives/xorg-announce/2023-October/003430.html

2) CVE-2023-5380: Use-after-free bug in DestroyWindow

Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.9
Found by: Sri working with Trend Micro Zero Day Initiative
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7

This vulnerability requires a legacy multi-screen setup with multiple protocol
screens ("Zaphod"). If the pointer is warped from one screen to the root window
of the other screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves that reference in place,
other windows may then trigger a use-after-free bug when they are destroyed.

This bug can be triggered only under very specific conditions, in particular it
requires an XWarpPointer call and that the pointer never enters a client window
on the other screen.

xorg-server-21.1.9 has been patched fix the offset calculation. Xwayland is not
affected as it does not support multiple protocol screens.
Comment 12 Maintenance Automation 2023-10-30 20:30:09 UTC 
SUSE-SU-2023:4272-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
openSUSE Leap 15.5 (src): xorg-x11-server-21.1.4-150500.7.7.1
Basesystem Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.7.1
Development Tools Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-10-30 20:30:27 UTC 
SUSE-SU-2023:4269-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise Server 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-10-31 12:30:37 UTC 
SUSE-SU-2023:4292-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.29.1
Basesystem Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.29.1
Development Tools Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-11-02 12:30:15 UTC 
SUSE-SU-2023:4338-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Proxy 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Retail Branch Server 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Server 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Enterprise Storage 7.1 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 OBSbugzilla Bot 2024-02-11 11:05:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1216133) was mentioned in
https://build.opensuse.org/request/show/1145978 Factory / xorg-x11-server
Comment 20 OBSbugzilla Bot 2024-02-12 10:45:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1216133) was mentioned in
https://build.opensuse.org/request/show/1146120 Factory / xorg-x11-server