Bug 2244736 (CVE-2023-5380)

Summary: CVE-2023-5380 xorg-x11-server: Use-after-free bug in DestroyWindow
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xorg-server-21.1.9 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2246140, 2247469    
Bug Blocks: 2242002    

Description Patrick Del Bello 2023-10-18 01:01:39 UTC 
This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place, other windows may then trigger a use-after-free bug when they are destroyed.

This bug can be triggered only under very specific conditions, in particular it requires an XWarpPointer call and that the pointer never enters a client window on the other screen.

Reference:
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
Comment 2 Guilherme de Almeida Suckevicz 2023-10-25 14:39:43 UTC 
Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2246140]
Comment 3 Guilherme de Almeida Suckevicz 2023-11-01 13:02:53 UTC 
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2247469]
Comment 5 errata-xmlrpc 2023-11-21 15:38:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7428 https://access.redhat.com/errata/RHSA-2023:7428
Comment 6 errata-xmlrpc 2024-04-30 09:43:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2169 https://access.redhat.com/errata/RHSA-2024:2169
Comment 7 errata-xmlrpc 2024-04-30 10:02:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2298 https://access.redhat.com/errata/RHSA-2024:2298
Comment 8 errata-xmlrpc 2024-05-22 09:32:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2995 https://access.redhat.com/errata/RHSA-2024:2995
Comment 9 errata-xmlrpc 2024-05-22 09:43:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3067 https://access.redhat.com/errata/RHSA-2024:3067