Bugzilla – Bug 1217766
VUL-0: CVE-2023-6478: xorg-x11-security,xwayland: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
Last modified: 2024-03-28 05:32:07 UTC
via xorg-security

CRD: 2023-12-13

X.Org Security Advisory: December 13, 2023

Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3
======================================================================

Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes in xorg-server-21.1.10 and xwayland-23.2.3.

2) CVE-2023-6478 can be triggered by sending a specially crafted request RRChangeProviderProperty or RRChangeOutputProperty. This will trigger an integer overflow and lead to disclosure of information.

2) CVE-2023-6478: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty

Introduced in: xorg-server-1.4.0 (2007) and xorg-server-1.13.0 (2012), respectively
Fixed in: xorg-server-21.1.10 and xwayland-23.2.3
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->nUnits value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->nUnits bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->nUnits bytes, i.e. 4GB.

See also CVE-2022-46344 where this issue was fixed for other requests.

xorg-server-21.1.10 and xwayland-23.2.3 have been patched to fix this issue.
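The truncation described in the advisory above, as an added example that is not X.Org's code or the attached patch: a simplified model of the length check with a 32-bit and a 64-bit size calculation side by side. The function names, the header size `HDR_BYTES` and the sample values are constructed for illustration, and request padding is ignored.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed fixed-header size for the model; not the real request struct size. */
#define HDR_BYTES 24u

/* True payload size in bytes: nUnits items of format/8 bytes each, in 64 bits. */
static uint64_t payload_bytes(uint32_t n_units, uint8_t format)
{
    return (uint64_t)n_units * (uint64_t)(format >> 3);
}

/* Pre-fix model: the payload size is clipped to 32 bits before the comparison. */
static int length_ok_truncated(uint32_t n_units, uint8_t format, uint64_t received)
{
    uint32_t total = (uint32_t)payload_bytes(n_units, format); /* high bits lost */
    return (uint64_t)HDR_BYTES + total == received;
}

/* Hardened model: the comparison is done on the full 64-bit size. */
static int length_ok_wide(uint32_t n_units, uint8_t format, uint64_t received)
{
    return (uint64_t)HDR_BYTES + payload_bytes(n_units, format) == received;
}

/* Bytes a handler would read past the request if it trusted the check. */
static uint64_t bytes_past_request(uint32_t n_units, uint8_t format, uint64_t received)
{
    uint64_t need = (uint64_t)HDR_BYTES + payload_bytes(n_units, format);
    return need > received ? need - received : 0;
}

int main(void)
{
    /* Constructed values: 2 units is honest; 0x40000002 units wraps to the same 8 bytes. */
    const uint32_t units[] = { 2u, 0x40000002u };
    const uint64_t received = HDR_BYTES + 8u; /* bytes actually on the wire */
    for (int i = 0; i < 2; i++)
        printf("nUnits=0x%08x truncated=%d wide=%d past=%llu\n",
               (unsigned)units[i],
               length_ok_truncated(units[i], 32, received),
               length_ok_wide(units[i], 32, received),
               (unsigned long long)bytes_past_request(units[i], 32, received));
    return 0;
}
```

Only the 64-bit comparison rejects the oversized unit count; the 32-bit one treats it the same as the honest 8-byte request, which is the 4GB gap the advisory mentions.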
Created attachment 871126: 0001-randr-avoid-integer-truncation-in-length-check-of-Pr.patch
I've just submitted xorg-x11-server and xwayland updates for sle15-sp5,sp4,sp2 and sle12-sp5. Unfortunately I'm already on vacation on CRD next week. I'll update devel project X11:XOrg, factory/TW, SP6 and ALP when I'm back on January 8th.
is public

CVE-2023-6478 has following references:
CVE-2023-6478: https://www.cve.org/CVERecord?id=CVE-2023-6478
https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
https://lists.x.org/archives/xorg-announce/2023-December/003435.html
This is an autogenerated message for OBS integration:
This bug (1217766) was mentioned in
https://build.opensuse.org/request/show/1132832 Factory / xwayland
https://build.opensuse.org/request/show/1132834 Factory / xorg-x11-server
SUSE-SU-2023:4792-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1217765, 1217766
CVE References: CVE-2023-6377, CVE-2023-6478
Sources used:
openSUSE Leap 15.4 (src): xwayland-21.1.4-150400.3.23.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xwayland-21.1.4-150400.3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4791-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1217765, 1217766
CVE References: CVE-2023-6377, CVE-2023-6478
Sources used:
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.32.1
Basesystem Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.32.1
Development Tools Module 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4790-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1217765, 1217766
CVE References: CVE-2023-6377, CVE-2023-6478
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xorg-x11-server-1.19.6-10.59.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xorg-x11-server-1.19.6-10.59.1
SUSE Linux Enterprise Server 12 SP5 (src): xorg-x11-server-1.19.6-10.59.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xorg-x11-server-1.19.6-10.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4789-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1217765, 1217766
CVE References: CVE-2023-6377, CVE-2023-6478
Sources used:
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xorg-x11-server-1.20.3-150200.22.5.82.1
SUSE Enterprise Storage 7.1 (src): xorg-x11-server-1.20.3-150200.22.5.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4788-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1217765, 1217766
CVE References: CVE-2023-6377, CVE-2023-6478
Sources used:
openSUSE Leap 15.5 (src): xwayland-22.1.5-150500.7.8.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xwayland-22.1.5-150500.7.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4787-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1217765, 1217766
CVE References: CVE-2023-6377, CVE-2023-6478
Sources used:
openSUSE Leap 15.5 (src): xorg-x11-server-21.1.4-150500.7.10.1
Basesystem Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.10.1
Development Tools Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.