Bug 1222309 (CVE-2024-31080)

Summary: VUL-0: CVE-2024-31080: xorg-x11-server,xwayland: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: camila.matos, gfx-enterprise-bugs, meissner, sndirsch, tzimmermann
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400278/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-31080:7.6:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Marcus Meissner 2024-04-04 12:10:06 UTC 
is xwayland affected?
Comment 2 Stefan Dirsch 2024-04-04 12:12:42 UTC 
(In reply to Marcus Meissner from comment #1)
> is xwayland affected?

Yes, it is!
Comment 3 Stefan Dirsch 2024-04-04 13:47:56 UTC 
xwayland done:

- sle-15-sp4
- sle-15-sp5
- sle-15-sp6
- ALP
Comment 5 Stefan Dirsch 2024-04-05 02:35:03 UTC 
xorg-x11-server done:

- sle-12-sp5
- sle-15-sp2
- sle-15-sp4
- sle-15-sp5
- sle-15-sp6
- ALP
Comment 6 Stefan Dirsch 2024-04-05 02:37:15 UTC 
Reassigning back to security team.
Comment 9 Maintenance Automation 2024-04-10 16:30:03 UTC 
SUSE-SU-2024:1199-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33211](https://smelt.suse.de/incident/33211/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 xorg-x11-server-1.19.6-10.71.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 xorg-x11-server-1.19.6-10.71.1
SUSE Linux Enterprise Server 12 SP5 (src):
 xorg-x11-server-1.19.6-10.71.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 xorg-x11-server-1.19.6-10.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-12 16:30:29 UTC 
SUSE-SU-2024:1265-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33215](https://smelt.suse.de/incident/33215/)
Sources used:
openSUSE Leap 15.4 (src):
 xwayland-21.1.4-150400.3.36.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 xwayland-21.1.4-150400.3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-04-12 16:30:32 UTC 
SUSE-SU-2024:1264-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33216](https://smelt.suse.de/incident/33216/)
Sources used:
openSUSE Leap 15.5 (src):
 xwayland-22.1.5-150500.7.22.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 xwayland-22.1.5-150500.7.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-04-12 16:30:36 UTC 
SUSE-SU-2024:1262-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33214](https://smelt.suse.de/incident/33214/)
Sources used:
openSUSE Leap 15.5 (src):
 xorg-x11-server-21.1.4-150500.7.26.1
Basesystem Module 15-SP5 (src):
 xorg-x11-server-21.1.4-150500.7.26.1
Development Tools Module 15-SP5 (src):
 xorg-x11-server-21.1.4-150500.7.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-04-12 16:30:38 UTC 
SUSE-SU-2024:1261-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33212](https://smelt.suse.de/incident/33212/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1
SUSE Enterprise Storage 7.1 (src):
 xorg-x11-server-1.20.3-150200.22.5.96.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2024-04-12 16:30:40 UTC 
SUSE-SU-2024:1260-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1222309, 1222310, 1222311, 1222312, 1222442
CVE References: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Maintenance Incident: [SUSE:Maintenance:33213](https://smelt.suse.de/incident/33213/)
Sources used:
openSUSE Leap 15.4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Manager Proxy 4.3 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Manager Retail Branch Server 4.3 (src):
 xorg-x11-server-1.20.3-150400.38.48.1
SUSE Manager Server 4.3 (src):
 xorg-x11-server-1.20.3-150400.38.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 OBSbugzilla Bot 2024-07-11 15:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1222309) was mentioned in
https://build.opensuse.org/request/show/1186897 Factory / xwayland
Comment 28 OBSbugzilla Bot 2024-07-12 13:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1222309) was mentioned in
https://build.opensuse.org/request/show/1187080 Factory / xwayland