Bug 2272000 (CVE-2024-31083)

Summary:	CVE-2024-31083 xorg-x11-server: Use-after-free in ProcRenderAddGlyphs
Product:	[Other] Security Response	Reporter:	TEJ RATHI <trathi>
Component:	vulnerability	Assignee:	Product Security <prodsec-ir-bot>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	xorg-server 21.1.12, xwayland 23.2.5	Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2273315, 2273316, 2273317
Bug Blocks:	2272001

Description TEJ RATHI 2024-03-28 04:27:05 UTC

A vulnerability in xorg-server and xwayland. ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server.  AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs.

ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.

Introduced in: prior to X11R6.7 (2004)

Comment 3 Sandipan Roy 2024-04-04 07:49:35 UTC

Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2273317]


Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2273315]


Created xorg-x11-server-Xwayland tracking bugs for this issue:

Affects: fedora-all [bug 2273316]

Comment 5 errata-xmlrpc 2024-04-11 16:50:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1785 https://access.redhat.com/errata/RHSA-2024:1785

Comment 6 errata-xmlrpc 2024-04-24 15:28:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2037 https://access.redhat.com/errata/RHSA-2024:2037

Comment 7 errata-xmlrpc 2024-04-24 15:32:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2036 https://access.redhat.com/errata/RHSA-2024:2036

Comment 8 errata-xmlrpc 2024-04-24 15:33:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:2041 https://access.redhat.com/errata/RHSA-2024:2041

Comment 9 errata-xmlrpc 2024-04-24 15:39:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2039 https://access.redhat.com/errata/RHSA-2024:2039

Comment 10 errata-xmlrpc 2024-04-24 15:42:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:2042 https://access.redhat.com/errata/RHSA-2024:2042

Comment 11 errata-xmlrpc 2024-04-24 15:44:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2040 https://access.redhat.com/errata/RHSA-2024:2040

Comment 12 errata-xmlrpc 2024-04-24 15:45:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2038 https://access.redhat.com/errata/RHSA-2024:2038

Comment 13 errata-xmlrpc 2024-04-29 02:46:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:2080 https://access.redhat.com/errata/RHSA-2024:2080

Comment 14 errata-xmlrpc 2024-04-30 16:41:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2616 https://access.redhat.com/errata/RHSA-2024:2616

Comment 16 errata-xmlrpc 2024-05-22 11:39:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3258 https://access.redhat.com/errata/RHSA-2024:3258

Comment 17 errata-xmlrpc 2024-05-22 11:40:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3261 https://access.redhat.com/errata/RHSA-2024:3261

Comment 18 errata-xmlrpc 2024-05-23 15:28:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3343 https://access.redhat.com/errata/RHSA-2024:3343

Comment 22 errata-xmlrpc 2024-11-12 08:43:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9093 https://access.redhat.com/errata/RHSA-2024:9093

Comment 23 errata-xmlrpc 2024-11-12 08:52:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9122 https://access.redhat.com/errata/RHSA-2024:9122