Bug 2257690 (CVE-2024-0409)

Summary: CVE-2024-0409 xorg-x11-server: SELinux context corruption
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xorg-server-21.1.11, xwayland-23.2.4 Doc Type: ---
Doc Text:
A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2258977, 2258978    
Bug Blocks: 2256538    

Description Patrick Del Bello 2024-01-10 14:02:02 UTC
The Xserver uses the mechanism of "privates" to store additional data to its own objects, each private has an associate "type". Each private is allocated for the relevant size of memory that is declared at creation.

The cursor structure in the Xserver goes as far as having two keys, one for the cursor itself and another one for the bits that make the cursor shape.

XSELINUX also uses privates but it's a bit of a special case because it uses the same privates keys for all different objects.

What happens here is that the cursor code in both Xephyr and Xwayland uses the wrong type of private at creation, using the cursor bits type with the cursor private and when initiating the cursor, the overwrites the XSELINUX context.

Comment 2 Sandipan Roy 2024-01-18 11:34:26 UTC
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2258978]


Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2258977]

Comment 4 errata-xmlrpc 2024-01-22 13:43:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0320 https://access.redhat.com/errata/RHSA-2024:0320

Comment 5 errata-xmlrpc 2024-04-30 09:43:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2170 https://access.redhat.com/errata/RHSA-2024:2170

Comment 6 errata-xmlrpc 2024-04-30 09:43:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2169 https://access.redhat.com/errata/RHSA-2024:2169

Comment 7 errata-xmlrpc 2024-05-22 09:32:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2995 https://access.redhat.com/errata/RHSA-2024:2995

Comment 8 errata-xmlrpc 2024-05-22 09:32:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2996 https://access.redhat.com/errata/RHSA-2024:2996