Bugzilla – Bug 1216261
VUL-0: CVE-2023-5574: xorg-x11-server: Server Damage Object Use-After-Free Local Privilege Escalation Vulnerability
Last modified: 2024-05-17 12:18:32 UTC
Created attachment 870206: 0001-mi-fix-CloseScreen-initialization-order.patch
Created attachment 870207: 0002-fb-properly-wrap-unwrap-CloseScreen.patch
This issue is now CVE-2023-5574.

Turns out this is somehow related to multiple screens again, the bug is triggered when the pointer moves from screen 0 into the window on screen 1. I found a way to reproduce this reliably:

$ meson configure build -Db_sanitize=address
$ ./build/hw/vfb/Xvfb :3 -screen 1 1024x768x24 -ac reproducer
$ export DISPLAY=:3.1
$ xcalc
$ xdotool mousemove --screen 1 10 10
$ killall -2 xcalc

Works with xterm too but not xev, xinput, so *something* is needed. The reduced 200 line PoC (attached) seems to require a `panedWidgetClass` for the bug to trigger. Requires moving from screen 0 to 1, what happened on screen 0 doesn't seem to matter and neither does moving back.

If anyone has any ideas or pointers, I'll happily take them. The patch makes the issue go away, I'm just wondering if there is some other underlying issue that we're now papering over and/or are exposed to.

Cheers,
Peter
Created attachment 870426: 0005-dix-always-initialize-pScreen-CloseScreen.patch

Please note that the fix for CVE-2023-5574 (0004-fb-properly-wrap-unwrap-CloseScreen.patch) was buggy and can trigger a segfault in Xwayland on exit. A new patch is added to this sequence to mitigate this issue (0005-dix-always-initialize-pScreen-CloseScreen.patch) and will be part of tomorrow's disclosure and announcement. The other patches are unchanged from the original announcement.

Thanks to Marc Deslauriers for finding this issue.

Cheers,
Peter
Ok. I just submitted fixed xorg-x11-server packages for sle12-sp5, sle15-sp2, sle15-sp4 and sle15-sp5. X11:XOrg, Tumbleweed and ALP updates will come once the issue has been officially announced.
is public https://lists.x.org/archives/xorg-announce/2023-October/003430.html

3) CVE-2023-5574: Use-after-free bug in DamageDestroy
Introduced in: xorg-server-1.13.0 (2012)
Found by: Sri working with Trend Micro Zero Day Initiative
Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). Screen cleanup is handled via stackable "modules", but the fb module hardcoded the cleanup path for the screen pixmap instead of calling into the next layer of the stack. This caused a minor memory leak that was fixed with a patch to Xvfb introduced in server 1.13. However, that patch did not remove all references to the freed pixmap, causing a use-after-free during screen cleanup in a lower module.

This issue has not yet been fixed, please see the above merge request to track future fixes to this issue.
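The announcement above describes the defect as a layer in the stackable CloseScreen chain hardcoding the screen pixmap cleanup instead of calling the next layer. The following is a constructed model of that wrap/unwrap pattern, added here as an illustration and not code from xserver or from the merge request: it puts a buggy upper layer that releases the pixmap itself next to the fixed one that simply unwraps and chains down, and counts what a lower layer that still touches the pixmap observes. Layer names, ordering and the flag-based pixmap lifetime are simplifications assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the X server's stackable CloseScreen chain (not xserver
 * code). Each layer saves the previous CloseScreen in its own slot, installs
 * itself, and on close restores (unwraps) the saved proc and calls it. A lower
 * layer still needs the screen pixmap while it runs its own cleanup. */
typedef struct Screen Screen;
typedef bool (*CloseScreenProc)(Screen *);
struct Screen {
    CloseScreenProc CloseScreen;
    CloseScreenProc damageWrapped;  /* proc the lower (damage-like) layer wrapped */
    CloseScreenProc fbWrapped;      /* proc the upper (fb-like) layer wrapped */
    bool pixmapFreed;               /* stands in for the screen pixmap's lifetime */
    int pixmapFreeCount;            /* a double release shows up here */
    int useAfterFree;               /* lower layer touched an already-freed pixmap */
};

static void freeScreenPixmap(Screen *s) { s->pixmapFreed = true; s->pixmapFreeCount++; }

/* Bottom of the stack: owns the pixmap and releases it last. */
static bool baseCloseScreen(Screen *s) { freeScreenPixmap(s); return true; }

/* Lower layer: still references the pixmap during its cleanup, then chains down. */
static bool damageCloseScreen(Screen *s) {
    if (s->pixmapFreed) s->useAfterFree++;   /* the use-after-free class of bug */
    s->CloseScreen = s->damageWrapped;       /* unwrap */
    return s->CloseScreen(s);                /* call the next layer */
}

/* Buggy upper layer: hardcodes the pixmap cleanup instead of trusting the chain. */
static bool fbCloseScreenBuggy(Screen *s) {
    freeScreenPixmap(s);                     /* pixmap gone before lower layers run */
    s->CloseScreen = s->fbWrapped;
    return s->CloseScreen(s);
}

/* Fixed upper layer: unwrap, then let the next layer (and finally the base) clean up. */
static bool fbCloseScreenFixed(Screen *s) {
    s->CloseScreen = s->fbWrapped;           /* unwrap */
    return s->CloseScreen(s);                /* chain down; the base frees the pixmap */
}

/* Build the stack bottom-up (base, damage, fb) and run one screen close. */
Screen runCloseScreen(bool useFixedFb) {
    Screen s = { .CloseScreen = baseCloseScreen };
    s.damageWrapped = s.CloseScreen; s.CloseScreen = damageCloseScreen;  /* damage wraps base */
    s.fbWrapped = s.CloseScreen;                                          /* fb wraps damage */
    s.CloseScreen = useFixedFb ? fbCloseScreenFixed : fbCloseScreenBuggy;
    s.CloseScreen(&s);
    return s;
}
```

With the buggy layer the lower layer runs against a released pixmap and the base releases it a second time; with the fixed layer every layer runs in order and the pixmap is released exactly once.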
Ok. It's worse. I didn't yet patch xwayland at all to fix this ticket. :-( Working on it now ...
I just submitted fixed xwayland packages for sle15-sp4 and sle15-sp5.
(In reply to Stefan Dirsch from comment #11)
> Ok. I just submitted fixed xorg-x11-server packages for sle12-sp5,
> sle15-sp2, sle15-sp4 and sle15-sp5. X11:XOrg, Tumbleweed and ALP updates
> will come once the issue has been officially announced.

DONE. Same for xwayland. Reassigning.
SUSE-SU-2023:4272-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
openSUSE Leap 15.5 (src): xorg-x11-server-21.1.4-150500.7.7.1
Basesystem Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.7.1
Development Tools Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4269-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise Server 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xorg-x11-server-1.19.6-10.56.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4306-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5574
Sources used:
openSUSE Leap 15.5 (src): xwayland-22.1.5-150500.7.5.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xwayland-22.1.5-150500.7.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4293-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5574
Sources used:
openSUSE Leap 15.4 (src): xwayland-21.1.4-150400.3.20.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xwayland-21.1.4-150400.3.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4292-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.29.1
Basesystem Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.29.1
Development Tools Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4338-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1216133, 1216135, 1216261
CVE References: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Proxy 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Retail Branch Server 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Manager Server 4.2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Enterprise Storage 7.1 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.79.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1216261) was mentioned in https://build.opensuse.org/request/show/1128531 Factory / xwayland
This is an autogenerated message for OBS integration: This bug (1216261) was mentioned in https://build.opensuse.org/request/show/1145978 Factory / xorg-x11-server
This is an autogenerated message for OBS integration: This bug (1216261) was mentioned in https://build.opensuse.org/request/show/1146120 Factory / xorg-x11-server
done