Bug 2244735 (CVE-2023-5574) - CVE-2023-5574 xorg-x11-server: Use-after-free bug in DamageDestroy
Summary: CVE-2023-5574 xorg-x11-server: Use-after-free bug in DamageDestroy
Keywords:
Status: NEW
Alias: CVE-2023-5574
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2246139 2247470
Blocks: 2242002
Reported: 2023-10-18 01:01 UTC by Patrick Del Bello
Modified: 2024-04-30 10:02 UTC (History)
CC List: 2 users

Fixed In Version: xorg-server-21.1.9
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs only in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from screen 1 to screen 0, a use-after-free may be triggered during shutdown or reset of the Xvfb server, allowing possible escalation of privileges or denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2024:2298  0        None      None    None     2024-04-30 10:02:30 UTC

Description Patrick Del Bello 2023-10-18 01:01:37 UTC
Merge request tracking the fixes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189

This issue only affects Xvfb and requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod").

Screen cleanup is handled via stackable "modules", but the fb module hardcoded
the cleanup path for the screen pixmap instead of calling into the next layer
of the stack. This caused a minor memory leak that was fixed with a patch to
Xvfb introduced in server 1.13. However, that patch did not remove all
references to the freed pixmap, causing a use-after-free during screen cleanup
in a lower module.

This issue has not yet been fixed; please see the above merge request to
track future fixes to this issue.

Reference:
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
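The cleanup-ordering problem described in the report, as an added illustration that is not part of the advisory, the merge request, or the xserver code base: a simplified C model of three stacked CloseScreen hooks (a top "vfb" layer, a "damage" layer that caches its own pointer to the screen pixmap, and a bottom "fb" layer). The function and type names only mimic xserver style and are hypothetical; the model does not reproduce DamageDestroy or the Zaphod pointer-warp trigger. Freeing is modelled by a `freed` flag rather than a real free(), so the stale access is counted instead of being undefined behaviour. The buggy top layer hardcodes the pixmap cleanup before chaining, so the lower layer touches a pixmap that is already gone; the safe variant lets the chain run first so every lower layer drops its references before the pixmap is released.

```c
/*
 * Simplified model of stacked CloseScreen hooks, written for this page as an
 * illustration; it is NOT xorg-server code and the names only mimic its style.
 * Three layers wrap a screen's CloseScreen: vfb (top) -> damage -> fb (bottom).
 */
#include <stdio.h>
#include <string.h>

typedef struct Pixmap {
    int freed;          /* models free(); nothing is really freed, so every access stays defined */
    int damage_records; /* bookkeeping the damage layer clears on close */
} PixmapRec, *PixmapPtr;

typedef struct Screen ScreenRec, *ScreenPtr;
typedef int (*CloseScreenProcPtr)(ScreenPtr);

struct Screen {
    PixmapPtr screen_pixmap;         /* the screen pixmap */
    CloseScreenProcPtr CloseScreen;  /* head of the wrapped chain */
    CloseScreenProcPtr damage_saved; /* hook the damage layer replaced when it wrapped */
    CloseScreenProcPtr vfb_saved;    /* hook the vfb layer replaced when it wrapped */
    PixmapPtr damage_pixmap;         /* the lower module's own copy of the pixmap pointer */
};

static int stale_accesses;  /* how many times a freed pixmap was touched */

static void pixmap_free(PixmapPtr p) { p->freed = 1; }

/* Hypothetical stand-in for a lower module's teardown on the pixmap. */
static void damage_destroy(PixmapPtr p) {
    if (p->freed) { stale_accesses++; return; }  /* use-after-free, counted instead of crashing */
    p->damage_records = 0;
}

/* Bottom layer: fb frees the screen pixmap if nobody above already did. */
static int fbCloseScreen(ScreenPtr s) {
    if (s->screen_pixmap) { pixmap_free(s->screen_pixmap); s->screen_pixmap = NULL; }
    return 1;
}

/* Middle layer: tears down its records on the pixmap, then unwraps and chains. */
static int damageCloseScreen(ScreenPtr s) {
    if (s->damage_pixmap) { damage_destroy(s->damage_pixmap); s->damage_pixmap = NULL; }
    s->CloseScreen = s->damage_saved;
    return s->CloseScreen(s);
}

/* Top layer, buggy ordering: hardcoded cleanup of the pixmap before chaining. */
int vfbCloseScreen_buggy(ScreenPtr s) {
    pixmap_free(s->screen_pixmap);   /* damage_pixmap still points at this */
    s->screen_pixmap = NULL;
    s->CloseScreen = s->vfb_saved;
    return s->CloseScreen(s);
}

/* Top layer, safe ordering: let every lower layer drop its references first. */
int vfbCloseScreen_safe(ScreenPtr s) {
    s->CloseScreen = s->vfb_saved;
    int ret = s->CloseScreen(s);
    if (s->screen_pixmap) { pixmap_free(s->screen_pixmap); s->screen_pixmap = NULL; }
    return ret;
}

/* Build the stack the way wrapping layers do: save the current hook, install your own. */
static void build_screen(ScreenPtr s, PixmapPtr pix, CloseScreenProcPtr top) {
    memset(s, 0, sizeof *s);
    s->screen_pixmap = pix;
    s->CloseScreen = fbCloseScreen;                                   /* bottom */
    s->damage_saved = s->CloseScreen; s->CloseScreen = damageCloseScreen;
    s->damage_pixmap = pix;                                           /* cached by the lower module */
    s->vfb_saved = s->CloseScreen;    s->CloseScreen = top;           /* top */
}

/* Close a freshly built screen through `top` and report stale pixmap accesses. */
int stale_accesses_on_close(CloseScreenProcPtr top) {
    PixmapRec pix = { 0, 3 };  /* constructed sample pixmap: live, with 3 damage records */
    ScreenRec s;
    build_screen(&s, &pix, top);
    stale_accesses = 0;
    s.CloseScreen(&s);
    return stale_accesses;
}

int main(void) {
    printf("buggy ordering: %d stale access(es)\n", stale_accesses_on_close(vfbCloseScreen_buggy));
    printf("safe ordering:  %d stale access(es)\n", stale_accesses_on_close(vfbCloseScreen_safe));
    return 0;
}
```

The point of the model is the ordering rule, not the specific layers: a wrapping layer that owns an object must let the hooks below it run (and clear their cached pointers) before releasing that object, or the release must go through the same chain so lower layers see it.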

Comment 2 Guilherme de Almeida Suckevicz 2023-10-25 14:39:04 UTC
Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2246139]

Comment 3 Peter Hutterer 2023-10-27 01:44:49 UTC
Updated comment #0 with the text from the actual advisory, the fixes for this issue had to be dropped just before the disclosure because they exposed issues in other, more commonly used components.

Comment 4 Guilherme de Almeida Suckevicz 2023-11-01 13:04:39 UTC
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2247470]

Comment 6 errata-xmlrpc 2024-04-30 10:02:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2298 https://access.redhat.com/errata/RHSA-2024:2298

