Bug 2317233 (CVE-2024-9632)

Summary: CVE-2024-9632 xorg-x11-server: tigervnc: heap-based buffer overflow privilege escalation vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jexposit, rgatica, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2024-10-29   

Description OSIDB Bzimport 2024-10-08 13:44:52 UTC 
The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, it didn't update its size properly. It updated `num_si` only, without `size_si`:
https://gitlab.freedesktop.org/xorg/xserver/-/blob/cdb4d5648a818a8e8ab282341be37109589229ab/xkb/xkb.c#L2998

The exploit uses bitmap to achieve the arbitrary read and write. It leads to LPE for some distributions (xorg in debian xfce is run as root under specific display driver) and RCE for ssh x11 forwarding environment.

The exploit doesn't work if the OS installed on vmware and default
virtualbox. It works on virtualbox with VBoxVGA graphic controller.
Comment 6 errata-xmlrpc 2024-11-04 08:14:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:8798 https://access.redhat.com/errata/RHSA-2024:8798
Comment 8 errata-xmlrpc 2024-11-13 14:32:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:9540 https://access.redhat.com/errata/RHSA-2024:9540
Comment 9 errata-xmlrpc 2024-11-13 18:17:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:9579 https://access.redhat.com/errata/RHSA-2024:9579
Comment 10 errata-xmlrpc 2024-11-13 19:14:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:9601 https://access.redhat.com/errata/RHSA-2024:9601
Comment 11 errata-xmlrpc 2024-11-14 18:40:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:9690 https://access.redhat.com/errata/RHSA-2024:9690
Comment 12 errata-xmlrpc 2024-11-18 01:20:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:9818 https://access.redhat.com/errata/RHSA-2024:9818
Comment 13 errata-xmlrpc 2024-11-18 01:27:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:9820 https://access.redhat.com/errata/RHSA-2024:9820
Comment 14 errata-xmlrpc 2024-11-18 01:32:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:9819 https://access.redhat.com/errata/RHSA-2024:9819
Comment 15 errata-xmlrpc 2024-11-18 01:32:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:9816 https://access.redhat.com/errata/RHSA-2024:9816
Comment 16 errata-xmlrpc 2024-11-18 19:20:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:9901 https://access.redhat.com/errata/RHSA-2024:9901
Comment 17 errata-xmlrpc 2024-11-20 11:57:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10090 https://access.redhat.com/errata/RHSA-2024:10090
Comment 20 errata-xmlrpc 2025-05-13 10:14:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7163 https://access.redhat.com/errata/RHSA-2025:7163
Comment 21 errata-xmlrpc 2025-05-13 10:14:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7165 https://access.redhat.com/errata/RHSA-2025:7165
Comment 22 errata-xmlrpc 2025-05-13 15:54:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7458 https://access.redhat.com/errata/RHSA-2025:7458