Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-5574: xorg-x11-server: Server Damage Object Use-After-Free Local Privilege Escalation Vulnerability | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | gianluca.gabrielli, sndirsch |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/381931/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-5574:7.4:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | 0001-mi-fix-CloseScreen-initialization-order.patch, 0002-fb-properly-wrap-unwrap-CloseScreen.patch, poc.c, 0005-dix-always-initialize-pScreen-CloseScreen.patch | | |
Created attachment 870207 [details]
0002-fb-properly-wrap-unwrap-CloseScreen.patch

This issue is now CVE-2023-5574.
Turns out this is somehow related to multiple screens again, the bug is
triggered when the pointer moves from screen 0 into the window on screen 1. I
found a way to reproduce this reliably:

$ meson configure build -Db_sanitize=address
$ ./build/hw/vfb/Xvfb :3 -screen 1 1024x768x24 -ac

reproducer:
$ export DISPLAY=:3.1
$ xcalc
$ xdotool mousemove --screen 1 10 10
$ killall -2 xcalc

Works with xterm too but not xev, xinput, so *something* is needed. The
reduced 200 line PoC (attached) seems to require a `panedWidgetClass` for the
bug to trigger.
Requires moving from screen 0 to 1, what happened on screen 0 doesn't seem to
matter and neither does moving back.
If anyone has any ideas or pointers, I'll happily take them. The patch makes
the issue go away, I'm just wondering if there is some other underlying issue
that we're now papering over and/or are exposed to.
Cheers,
Peter
Created attachment 870426 [details]
0005-dix-always-initialize-pScreen-CloseScreen.patch
Please note that the fix for CVE-2023-5574
(0004-fb-properly-wrap-unwrap-CloseScreen.patch) was buggy and can
trigger a segfault in Xwayland on exit. A new patch is added to this
sequence to mitigate this issue
(0005-dix-always-initialize-pScreen-CloseScreen.patch) and will be part
of tomorrow's disclosure and announcement.
The other patches are unchanged from the original announcement.
Thanks to Marc Deslauriers for finding this issue.
Cheers,
Peter
Ok. I just submitted fixed xorg-x11-server packages for sle12-sp5, sle15-sp2, sle15-sp4 and sle15-sp5. X11:XOrg, Tumbleweed and ALP updates will come once the issue has been officially announced.

is public

https://lists.x.org/archives/xorg-announce/2023-October/003430.html

3) CVE-2023-5574: Use-after-free bug in DamageDestroy
Introduced in: xorg-server-1.13.0 (2012)
Found by: Sri working with Trend Micro Zero Day Initiative
Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). Screen cleanup is handled via stackable "modules", but the fb module hardcoded the cleanup path for the screen pixmap instead of calling into the next layer of the stack. This caused a minor memory leak that was fixed with a patch to Xvfb introduced in server 1.13. However, that patch did not remove all references to the freed pixmap, causing a use-after-free during screen cleanup in a lower module. This issue has not yet been fixed, please see the above merge request to track future fixes to this issue.

Ok. It's worse. I didn't yet patch xwayland at all to fix this ticket. :-( Working on it now ...

I just submitted fixed xwayland packages for sle15-sp4 and sle15-sp5.

(In reply to Stefan Dirsch from comment #11)
> Ok. I just submitted fixed xorg-x11-server packages for sle12-sp5,
> sle15-sp2, sle15-sp4 and sle15-sp5. X11:XOrg, Tumbleweed and ALP updates
> will come once the issue has been officially announced.

DONE. Same for xwayland. Reassigning.

SUSE-SU-2023:4272-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
openSUSE Leap 15.5 (src): xorg-x11-server-21.1.4-150500.7.7.1
Basesystem Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.7.1
Development Tools Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4269-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise Server 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4306-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5574
Sources used:
openSUSE Leap 15.5 (src): xwayland-22.1.5-150500.7.5.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xwayland-22.1.5-150500.7.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4293-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5574
Sources used:
openSUSE Leap 15.4 (src): xwayland-21.1.4-150400.3.20.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xwayland-21.1.4-150400.3.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4292-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.29.1
Basesystem Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.29.1
Development Tools Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4338-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Proxy 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Retail Branch Server 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Server 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Enterprise Storage 7.1 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This is an autogenerated message for OBS integration:
This bug (1216261) was mentioned in
https://build.opensuse.org/request/show/1128531 Factory / xwayland

This is an autogenerated message for OBS integration:
This bug (1216261) was mentioned in
https://build.opensuse.org/request/show/1145978 Factory / xorg-x11-server

This is an autogenerated message for OBS integration:
This bug (1216261) was mentioned in
https://build.opensuse.org/request/show/1146120 Factory / xorg-x11-server

done
Created attachment 870206 [details]
0001-mi-fix-CloseScreen-initialization-order.patch
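The stackable CloseScreen chain that the xorg-announce text above describes (fb hardcoding the pixmap cleanup instead of calling into the next layer, and a later fix freeing a pixmap that a lower layer still references), modelled as an added example in C. This is not xserver code and all names (Screen, fbCloseScreenOrdered, run_teardown, and so on) are hypothetical; it shows the general wrap/unwrap discipline and three fb-layer teardown behaviours, not the exact code paths fixed by the attached patches. The "pixmap" is never really freed: a flag records the free so that a later access is counted instead of being an actual use-after-free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of stackable CloseScreen wrapping (added example, not xserver
 * code; names are hypothetical). Each layer saves the previous CloseScreen
 * pointer in its private, installs its own, and at teardown restores
 * ("unwraps") the saved pointer before calling it. */

typedef struct Screen Screen;
typedef bool (*CloseScreenProc)(Screen *);

typedef struct { bool freed; } Pixmap;   /* 'freed' flag instead of free() */

struct Screen {
    CloseScreenProc CloseScreen;     /* head of the wrap chain */
    Pixmap storage;
    Pixmap *pixmap;                  /* screen pixmap, owned by the fb layer */
    CloseScreenProc mi_wrapped;      /* mi private: previous CloseScreen */
    CloseScreenProc fb_wrapped;      /* fb private */
    CloseScreenProc damage_wrapped;  /* damage private */
    Pixmap *mi_ref;                  /* mi private: borrowed pixmap pointer */
    bool mi_closed, dix_closed;      /* did each lower layer's cleanup run? */
    int uaf;                         /* accesses to the pixmap after free */
};

static void free_pixmap(Pixmap *p) { p->freed = true; }

/* Save the current head in the caller's private and install the new one.
 * Refuse if nothing is installed yet: saving NULL means calling through
 * NULL at teardown. */
static bool wrap_close_screen(Screen *s, CloseScreenProc *save, CloseScreenProc mine) {
    if (!s->CloseScreen) return false;
    *save = s->CloseScreen;
    s->CloseScreen = mine;
    return true;
}

static bool dixCloseScreen(Screen *s) { s->dix_closed = true; return true; }

/* mi holds a borrowed pointer to the pixmap and touches it while cleaning up. */
static bool miCloseScreen(Screen *s) {
    if (s->mi_ref) {
        if (s->mi_ref->freed) s->uaf++;       /* dangling access */
        s->mi_ref = NULL;
    }
    s->mi_closed = true;
    s->CloseScreen = s->mi_wrapped;           /* unwrap */
    return (*s->CloseScreen)(s);
}

/* fb variant 1: hardcoded cleanup, never calls the next layer, so the
 * lower layers' cleanup never runs (leak). */
static bool fbCloseScreenShortCircuit(Screen *s) {
    free_pixmap(s->pixmap); s->pixmap = NULL;
    return true;
}

/* fb variant 2: calls down, but only after freeing the pixmap that the
 * lower layer still references (dangling pointer at teardown). */
static bool fbCloseScreenFreeFirst(Screen *s) {
    free_pixmap(s->pixmap); s->pixmap = NULL;
    s->CloseScreen = s->fb_wrapped;
    return (*s->CloseScreen)(s);
}

/* fb variant 3: unwrap and let every lower layer drop its references,
 * then release the resource fb owns. */
static bool fbCloseScreenOrdered(Screen *s) {
    s->CloseScreen = s->fb_wrapped;
    bool ok = (*s->CloseScreen)(s);
    free_pixmap(s->pixmap); s->pixmap = NULL;
    return ok;
}

static bool damageCloseScreen(Screen *s) {
    s->CloseScreen = s->damage_wrapped;       /* unwrap, nothing else to do */
    return (*s->CloseScreen)(s);
}

typedef struct { bool leaked; int uaf; } Outcome;

/* Build the stack in init order (dix, mi, fb, damage) with the given fb
 * variant, tear it down from the head, and report what happened. */
static Outcome run_teardown(CloseScreenProc fb_variant) {
    Screen s = {0};
    s.pixmap = &s.storage;
    s.CloseScreen = dixCloseScreen;                          /* dix installs first */
    wrap_close_screen(&s, &s.mi_wrapped, miCloseScreen);
    s.mi_ref = s.pixmap;                                     /* mi borrows the pixmap */
    wrap_close_screen(&s, &s.fb_wrapped, fb_variant);
    wrap_close_screen(&s, &s.damage_wrapped, damageCloseScreen);
    (*s.CloseScreen)(&s);
    Outcome o = { !(s.mi_closed && s.dix_closed), s.uaf };
    return o;
}

/* A layer wrapping before dix installed anything is refused. */
static bool wrap_before_init(void) {
    Screen s = {0};
    CloseScreenProc saved = NULL;
    return wrap_close_screen(&s, &saved, miCloseScreen);
}

int main(void) {
    struct { const char *name; CloseScreenProc fb; } cases[] = {
        { "short-circuit", fbCloseScreenShortCircuit },
        { "free-first",    fbCloseScreenFreeFirst },
        { "ordered",       fbCloseScreenOrdered },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        Outcome o = run_teardown(cases[i].fb);
        printf("%-14s leaked=%d dangling_accesses=%d\n", cases[i].name, o.leaked, o.uaf);
    }
    return wrap_before_init() ? 1 : 0;
}
```

The three variants map onto the sequence in the announcement: the short-circuit leaks because the chain below fb never runs, the free-first variant fixes the leak but hands a freed pixmap to the layer below, and only the ordered variant, where the owner frees after every borrower has unwrapped, produces neither. In a real server the lifetime question is the same: whichever module owns the screen pixmap must not destroy it while a lower module's cleanup can still reach it.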