Bug 1218583 (CVE-2024-0229) - VUL-0: CVE-2024-0229: xorg-x11-server,xwayland: Reattaching to different master device may lead to out-of-bounds memory access
Status: RESOLVED FIXED
Alias: CVE-2024-0229
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/390190/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0229:8.4:(AV:L...
Reported: 2024-01-07 16:27 UTC by SMASH SMASH
Modified: 2024-03-26 07:47 UTC
Found By: Security Response Team

Description SMASH SMASH 2024-01-07 16:27:41 UTC
CRD: 2024-01-16
 via xorg-security

2) CVE-2024-0229: Reattaching to different master device may lead to
out-of-bounds memory access

Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ded6147bfb5d75ff1e67c858040a628b61bc17d1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

If a device has both a button class and a key class and numButtons is
zero, we can get an out-of-bounds write due to event under-allocation in
the DeliverStateNotifyEvent function.

xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
Comment 4 Stefan Dirsch 2024-01-08 14:32:08 UTC
I've submitted now xorg-x11-server and xwayland packages for 

sle12-sp5
sle15-sp2
sle15-sp4
sle15-sp5

I will take care of packages for ALP, sle15-sp6 and X11:XOrg/factory/Tumbleweed once the security update has been officially released.
Comment 6 Gabriele Sonnu 2024-01-16 12:32:36 UTC
Public now:

https://lists.x.org/archives/xorg/2024-January/061525.html

2) CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access

Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fixes:
  - https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5
  - https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5
  - https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

If a device has both a button class and a key class and numButtons is
zero, we can get an out-of-bounds write due to event under-allocation in
the DeliverStateNotifyEvent function.

xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
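
A simplified model of the count/fill mismatch the advisory text describes, added here as an illustration; it is not code from the X.Org server or from this bug report. The structure, the function names and the per-class event rule are assumptions chosen so that the one failing case is a device with a button class, a key class and numButtons equal to zero.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical reduced device model, not the xserver's own structures. */
struct dev_model {
    bool has_button, has_key;   /* which input classes exist */
    int  num_buttons, num_keys; /* num_buttons may legitimately be 0 */
};

/* Fill pass. Assumed rule: one state event per class present, plus one
 * overflow event when that class has more than 32 items. */
static size_t slots_written(const struct dev_model *d)
{
    size_t n = 0;
    if (d->has_button) n += 1 + (d->num_buttons > 32);
    if (d->has_key)    n += 1 + (d->num_keys > 32);
    return n ? n : 1;           /* a bare state event is always sent */
}

/* Flawed count pass: the key class only gets its own slot when
 * num_buttons > 0, so a button class with zero buttons is not counted. */
static size_t slots_counted_flawed(const struct dev_model *d)
{
    size_t n = 1;
    if (d->has_button && d->num_buttons > 32) n++;
    if (d->has_key) {
        if (d->num_keys > 32) n++;
        if (d->num_buttons > 0) n++;
    }
    return n;
}

/* Hardened: size the buffer with the rule the fill pass follows, and
 * gate the fill on the capacity that was actually allocated. */
static size_t slots_counted_fixed(const struct dev_model *d) { return slots_written(d); }
static bool fill_fits(const struct dev_model *d, size_t cap) { return slots_written(d) <= cap; }

int main(void)
{
    /* Constructed sample: button class with zero buttons plus a key class. */
    struct dev_model d = { true, true, 0, 248 };
    printf("written=%zu flawed=%zu fixed=%zu\n", slots_written(&d),
           slots_counted_flawed(&d), slots_counted_fixed(&d));
    return fill_fits(&d, slots_counted_fixed(&d)) ? 0 : 1;
}
```

The model performs no out-of-bounds write; it only compares how many slots each pass expects, which is the invariant a reviewer or a unit test should pin down for any count-then-fill allocation.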
Comment 8 Stefan Dirsch 2024-01-16 14:33:05 UTC
Security update for xwayland now done in X11:XOrg devel project. Packages now submitted for factory/Tumbleweed, ALP and sle15-sp6.

Security update for xwayland now done in X11:XOrg devel project. Packages now submitted for factory/Tumbleweed and ALP.
SP6 inherits xorg-x11-server from sle15-sp6, for which I already submitted the fixes.

Reassigning to security team.
Comment 10 OBSbugzilla Bot 2024-01-16 15:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1218583) was mentioned in
https://build.opensuse.org/request/show/1139166 Factory / xwayland
Comment 11 OBSbugzilla Bot 2024-01-16 17:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1218583) was mentioned in
https://build.opensuse.org/request/show/1139223 Factory / xorg-x11-server
Comment 13 OBSbugzilla Bot 2024-01-16 23:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1218583) was mentioned in
https://build.opensuse.org/request/show/1139316 Factory / xwayland
Comment 15 OBSbugzilla Bot 2024-01-17 11:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1218583) was mentioned in
https://build.opensuse.org/request/show/1139423 Factory / xwayland
Comment 16 Maintenance Automation 2024-01-17 12:36:23 UTC
SUSE-SU-2024:0121-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1218582, 1218583, 1218584, 1218585
CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xorg-x11-server-1.20.3-150200.22.5.88.1
SUSE Enterprise Storage 7.1 (src): xorg-x11-server-1.20.3-150200.22.5.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-01-17 12:36:30 UTC
SUSE-SU-2024:0116-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1218582, 1218583, 1218584, 1218585
CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1
SUSE Linux Enterprise Server 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1

Comment 18 Maintenance Automation 2024-01-17 12:36:32 UTC
SUSE-SU-2024:0114-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1218582, 1218583, 1218584, 1218585
CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886
Sources used:
openSUSE Leap 15.5 (src): xwayland-22.1.5-150500.7.14.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xwayland-22.1.5-150500.7.14.1

Comment 19 Maintenance Automation 2024-01-17 12:36:46 UTC
SUSE-SU-2024:0111-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1218176, 1218240, 1218582, 1218583, 1218584, 1218585
CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886
Sources used:
openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Linux Enterprise Real Time 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Manager Proxy 4.3 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Manager Retail Branch Server 4.3 (src): xorg-x11-server-1.20.3-150400.38.40.1
SUSE Manager Server 4.3 (src): xorg-x11-server-1.20.3-150400.38.40.1

Comment 20 Maintenance Automation 2024-01-17 12:36:52 UTC
SUSE-SU-2024:0109-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1218176, 1218240, 1218582, 1218583, 1218584, 1218585
CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886
Sources used:
openSUSE Leap 15.5 (src): xorg-x11-server-21.1.4-150500.7.18.1
Basesystem Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.18.1
Development Tools Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.18.1

Comment 22 Maintenance Automation 2024-01-19 12:30:01 UTC
SUSE-SU-2024:0165-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1218582, 1218583, 1218584, 1218585, 1218845, 1218846
CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886
Sources used:
openSUSE Leap 15.4 (src): xwayland-21.1.4-150400.3.31.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xwayland-21.1.4-150400.3.31.1
