Bugzilla – Bug 1218585
VUL-0: CVE-2024-21886: xorg-x11-server,xwayland: Heap buffer overflow in DisableDevice
Last modified: 2024-02-12 10:40:29 UTC
CRD: 2024-01-16 via xorg-seucrity 4) CVE-2024-21886: Heap buffer overflow in DisableDevice Introduced in: xorg-server-1.13.0 (2012) Fixed in: xorg-server-21.1.11 and xwayland-23.2.4 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/e433d1046c222f9d969c2c28a4651ff9097614f4 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation. xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
I've submitted now xorg-x11-server and xwayland packages for sle12-sp5 sle15-sp2 sle15-sp4 sle15-sp5 I will take care of packages for ALP, sle15-sp6 and X11:XOrg/factory/Tumbleweed once the security update has been officially released.
Public now: https://lists.x.org/archives/xorg/2024-January/061525.html 4) CVE-2024-21886: Heap buffer overflow in DisableDevice Introduced in: xorg-server-1.13.0 (2012) Fixed in: xorg-server-21.1.11 and xwayland-23.2.4 Fixes: - https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b - https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation. xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
Security update for xwayland now done in X11:XOrg devel project. Packages now submitted for factory/Tumbleweed, ALP and sle15-sp6. Security update for xwayland now done in X11:XOrg devel project. Packages now submitted for factory/Tumbleweed and ALP. SP6 inherits xorg-x11-server from sle15-sp6, for which I already submitted the fixes. Reassigning to security team.
This is an autogenerated message for OBS integration: This bug (1218585) was mentioned in https://build.opensuse.org/request/show/1139166 Factory / xwayland
This is an autogenerated message for OBS integration: This bug (1218585) was mentioned in https://build.opensuse.org/request/show/1139223 Factory / xorg-x11-server
This is an autogenerated message for OBS integration: This bug (1218585) was mentioned in https://build.opensuse.org/request/show/1139316 Factory / xwayland
This is an autogenerated message for OBS integration: This bug (1218585) was mentioned in https://build.opensuse.org/request/show/1139423 Factory / xwayland
SUSE-SU-2024:0121-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1218582, 1218583, 1218584, 1218585 CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 SUSE Enterprise Storage 7.1 (src): xorg-x11-server-1.20.3-150200.22.5.88.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0116-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1218582, 1218583, 1218584, 1218585 CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886 Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1 SUSE Linux Enterprise Server 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xorg-x11-server-1.19.6-10.65.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0114-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1218582, 1218583, 1218584, 1218585 CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886 Sources used: openSUSE Leap 15.5 (src): xwayland-22.1.5-150500.7.14.1 SUSE Linux Enterprise Workstation Extension 15 SP5 (src): xwayland-22.1.5-150500.7.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0111-1: An update that solves four vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1218176, 1218240, 1218582, 1218583, 1218584, 1218585 CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886 Sources used: openSUSE Leap 15.4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Linux Enterprise Real Time 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Manager Proxy 4.3 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Manager Retail Branch Server 4.3 (src): xorg-x11-server-1.20.3-150400.38.40.1 SUSE Manager Server 4.3 (src): xorg-x11-server-1.20.3-150400.38.40.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0109-1: An update that solves four vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1218176, 1218240, 1218582, 1218583, 1218584, 1218585 CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886 Sources used: openSUSE Leap 15.5 (src): xorg-x11-server-21.1.4-150500.7.18.1 Basesystem Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.18.1 Development Tools Module 15-SP5 (src): xorg-x11-server-21.1.4-150500.7.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0165-1: An update that solves six vulnerabilities can now be installed. Category: security (important) Bug References: 1218582, 1218583, 1218584, 1218585, 1218845, 1218846 CVE References: CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886 Sources used: openSUSE Leap 15.4 (src): xwayland-21.1.4-150400.3.31.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xwayland-21.1.4-150400.3.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.