Bug 2244735 (CVE-2023-5574)

Summary: CVE-2023-5574 xorg-x11-server: Use-after-free bug in DamageDestroy
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
Severity: high
Priority: high
Version: unspecified
CC: peter.hutterer, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: xorg-server-21.1.9
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from screen 1 to screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2246139, 2247470
Bug Blocks: 2242002

Description Patrick Del Bello 2023-10-18 01:01:37 UTC
Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod").

Screen cleanup is handled via stackable "modules", but the fb module hardcoded
the cleanup path for the screen pixmap instead of calling into the next layer
of the stack. This caused a minor memory leak that was fixed with a patch to
Xvfb introduced in server 1.13. However, that patch did not remove all
references to the freed pixmap, causing a use-after-free during screen cleanup
in a lower module.

This issue has not yet been fixed; please see the above merge request to
track future fixes to this issue.

Reference:
https://lists.x.org/archives/xorg-announce/2023-October/003430.html

Comment 2 Guilherme de Almeida Suckevicz 2023-10-25 14:39:04 UTC
Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2246139]

Comment 3 Peter Hutterer 2023-10-27 01:44:49 UTC
Updated comment #0 with the text from the actual advisory. The fixes for this issue had to be dropped just before the disclosure because they exposed issues in other, more commonly used components.

Comment 4 Guilherme de Almeida Suckevicz 2023-11-01 13:04:39 UTC
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2247470]

Comment 6 errata-xmlrpc 2024-04-30 10:02:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2298 https://access.redhat.com/errata/RHSA-2024:2298