Bug 2257690 (CVE-2024-0409) - CVE-2024-0409 xorg-x11-server: SELinux context corruption
Summary: CVE-2024-0409 xorg-x11-server: SELinux context corruption
Keywords:
Status: NEW
Alias: CVE-2024-0409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2258977 2258978
Blocks: 2256538
TreeView+ depends on / blocked
 
Reported: 2024-01-10 14:02 UTC by Patrick Del Bello
Modified: 2024-05-22 09:32 UTC (History)
1 user (show)

Fixed In Version: xorg-server-21.1.11, xwayland-23.2.4
Doc Type: ---
Doc Text:
A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0320 0 None None None 2024-01-22 13:43:32 UTC
Red Hat Product Errata RHSA-2024:2169 0 None None None 2024-04-30 09:43:31 UTC
Red Hat Product Errata RHSA-2024:2170 0 None None None 2024-04-30 09:43:20 UTC
Red Hat Product Errata RHSA-2024:2995 0 None None None 2024-05-22 09:32:44 UTC
Red Hat Product Errata RHSA-2024:2996 0 None None None 2024-05-22 09:32:56 UTC

Description Patrick Del Bello 2024-01-10 14:02:02 UTC 
The Xserver uses the mechanism of "privates" to store additional data to its own objects, each private has an associate "type". Each private is allocated for the relevant size of memory that is declared at creation.

The cursor structure in the Xserver goes as far as having two keys, one for the cursor itself and another one for the bits that make the cursor shape.

XSELINUX also uses privates but it's a bit of a special case because it uses the same privates keys for all different objects.

What happens here is that the cursor code in both Xephyr and Xwayland uses the wrong type of private at creation, using the cursor bits type with the cursor private and when initiating the cursor, the overwrites the XSELINUX context.
Comment 2 Sandipan Roy 2024-01-18 11:34:26 UTC 
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2258978]


Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2258977]
Comment 4 errata-xmlrpc 2024-01-22 13:43:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0320 https://access.redhat.com/errata/RHSA-2024:0320
Comment 5 errata-xmlrpc 2024-04-30 09:43:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2170 https://access.redhat.com/errata/RHSA-2024:2170
Comment 6 errata-xmlrpc 2024-04-30 09:43:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2169 https://access.redhat.com/errata/RHSA-2024:2169
Comment 7 errata-xmlrpc 2024-05-22 09:32:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2995 https://access.redhat.com/errata/RHSA-2024:2995
Comment 8 errata-xmlrpc 2024-05-22 09:32:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2996 https://access.redhat.com/errata/RHSA-2024:2996
Note You need to log in before you can comment on or make changes to this bug.