CVE-2023-6377: X.Org server: Out-of-bounds memory write in XKB button actions

Introduced in: xorg-server-1.6.0 (2009)
Fixed in: xorg-server-21.1.10 and xwayland-23.2.3
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

A device has XKB button actions for each button on the device. When a logical device switch happens (e.g. moving from a touchpad to a mouse), the server re-calculates the information available on the respective master device (typically the Virtual Core Pointer). This re-calculation only allocated enough memory for a single XKB action rather than for the newly active physical device's number of buttons. As a result, querying or changing the XKB button actions results in out-of-bounds memory reads and writes. This may lead to local privilege escalation if the server is run as root, or to remote code execution (e.g. X11 over ssh).

xorg-server-21.1.10 and xwayland-23.2.3 have been patched to fix this issue.
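The following C program is an added illustration of the bug class described above, written for this page; it is not the X.Org server's code, and the types and function names (ButtonAction, ButtonActions, actions_alloc_buggy, actions_alloc_fixed, actions_resize, actions_set, actions_get, actions_unbacked) are hypothetical. It contrasts an action array allocated for a single entry with one sized by the active device's button count, shows a re-size on device switch that keeps the capacity in step with the button count, and uses a checked accessor that refuses any index the allocation cannot back instead of reading or writing past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of one per-button action record (hypothetical layout). */
typedef struct {
    unsigned char type;     /* kind of action bound to the button */
    unsigned char data[7];  /* action payload */
} ButtonAction;

/* Per-device button actions: the button count the server believes the
 * device has, and the number of entries that were actually allocated. */
typedef struct {
    unsigned int num_buttons;  /* buttons on the active physical device */
    unsigned int capacity;     /* entries backing 'acts' */
    ButtonAction *acts;
} ButtonActions;

/* Buggy pattern: room for one action regardless of the button count. */
int actions_alloc_buggy(ButtonActions *ba, unsigned int num_buttons)
{
    ba->num_buttons = num_buttons;
    ba->capacity = 1;
    ba->acts = calloc(1, sizeof(ButtonAction));
    return ba->acts ? 0 : -1;
}

/* Fixed pattern: one entry per button of the newly active device. */
int actions_alloc_fixed(ButtonActions *ba, unsigned int num_buttons)
{
    ba->num_buttons = num_buttons;
    ba->capacity = num_buttons;
    ba->acts = calloc(num_buttons ? num_buttons : 1, sizeof(ButtonAction));
    return ba->acts ? 0 : -1;
}

/* Device switch: grow the array when the new device has more buttons,
 * keep existing entries and zero the new ones. */
int actions_resize(ButtonActions *ba, unsigned int new_buttons)
{
    if (new_buttons > ba->capacity) {
        ButtonAction *p = realloc(ba->acts, new_buttons * sizeof(ButtonAction));
        if (!p)
            return -1;
        memset(p + ba->capacity, 0,
               (new_buttons - ba->capacity) * sizeof(ButtonAction));
        ba->acts = p;
        ba->capacity = new_buttons;
    }
    ba->num_buttons = new_buttons;
    return 0;
}

/* Checked write: an index beyond the allocation is refused, not written. */
int actions_set(ButtonActions *ba, unsigned int button, const ButtonAction *a)
{
    if (button >= ba->num_buttons || button >= ba->capacity)
        return -1;  /* this is the write that would have gone out of bounds */
    ba->acts[button] = *a;
    return 0;
}

/* Checked read with the same guard. */
int actions_get(const ButtonActions *ba, unsigned int button, ButtonAction *out)
{
    if (button >= ba->num_buttons || button >= ba->capacity)
        return -1;
    *out = ba->acts[button];
    return 0;
}

/* How many buttons the device reports that have no backing storage:
 * a non-zero value is exactly the mismatch the advisory describes. */
unsigned int actions_unbacked(const ButtonActions *ba)
{
    return ba->num_buttons > ba->capacity ? ba->num_buttons - ba->capacity : 0;
}

void actions_free(ButtonActions *ba)
{
    free(ba->acts);
    ba->acts = NULL;
    ba->capacity = ba->num_buttons = 0;
}

int main(void)
{
    ButtonActions b, f;
    ButtonAction a = { 1, { 0 } };

    actions_alloc_buggy(&b, 5);   /* five-button mouse, one slot allocated */
    printf("buggy: unbacked buttons = %u, set(3) = %d\n",
           actions_unbacked(&b), actions_set(&b, 3, &a));

    actions_alloc_fixed(&f, 5);
    actions_resize(&f, 8);        /* switch to an eight-button device */
    printf("fixed: unbacked buttons = %u, set(7) = %d\n",
           actions_unbacked(&f), actions_set(&f, 7, &a));

    actions_free(&b);
    actions_free(&f);
    return 0;
}
```

The capacity field is the point of the model: the bug is not visible from num_buttons alone, so a guard that compares the requested index against what was actually allocated is what turns a memory-safety fault into a refused request, and actions_unbacked is the kind of invariant check that would have flagged the under-allocation at the device switch rather than at the first query.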
This CVE is public now: https://lists.x.org/archives/xorg-announce/2023-December/003435.html
Upstream Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
Created xorg-x11-server tracking bugs for this issue: Affects: fedora-all [bug 2254291] Created xorg-x11-server-Xwayland tracking bugs for this issue: Affects: fedora-all [bug 2254292]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7886 https://access.redhat.com/errata/RHSA-2023:7886
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:0009 https://access.redhat.com/errata/RHSA-2024:0009
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:0017 https://access.redhat.com/errata/RHSA-2024:0017
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:0006 https://access.redhat.com/errata/RHSA-2024:0006
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0010 https://access.redhat.com/errata/RHSA-2024:0010
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0014 https://access.redhat.com/errata/RHSA-2024:0014
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0015 https://access.redhat.com/errata/RHSA-2024:0015
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:0016 https://access.redhat.com/errata/RHSA-2024:0016
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:0020 https://access.redhat.com/errata/RHSA-2024:0020
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0018 https://access.redhat.com/errata/RHSA-2024:0018