Bug 2244736 (CVE-2023-5380) - CVE-2023-5380 xorg-x11-server: Use-after-free bug in DestroyWindow
Summary: CVE-2023-5380 xorg-x11-server: Use-after-free bug in DestroyWindow
Keywords:
Status: NEW
Alias: CVE-2023-5380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2246140 2247469
Blocks: 2242002
TreeView+ depends on / blocked
 
Reported: 2023-10-18 01:01 UTC by Patrick Del Bello
Modified: 2024-05-22 09:43 UTC (History)
1 user (show)

Fixed In Version: xorg-server-21.1.9
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7428 0 None None None 2023-11-21 15:38:09 UTC
Red Hat Product Errata RHSA-2024:2169 0 None None None 2024-04-30 09:43:23 UTC
Red Hat Product Errata RHSA-2024:2298 0 None None None 2024-04-30 10:02:33 UTC
Red Hat Product Errata RHSA-2024:2995 0 None None None 2024-05-22 09:32:35 UTC
Red Hat Product Errata RHSA-2024:3067 0 None None None 2024-05-22 09:43:37 UTC

Description Patrick Del Bello 2023-10-18 01:01:39 UTC 
This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place, other windows may then trigger a use-after-free bug when they are destroyed.

This bug can be triggered only under very specific conditions, in particular it requires an XWarpPointer call and that the pointer never enters a client window on the other screen.

Reference:
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
Comment 2 Guilherme de Almeida Suckevicz 2023-10-25 14:39:43 UTC 
Created xorg-x11-server tracking bugs for this issue:

Affects: fedora-all [bug 2246140]
Comment 3 Guilherme de Almeida Suckevicz 2023-11-01 13:02:53 UTC 
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 2247469]
Comment 5 errata-xmlrpc 2023-11-21 15:38:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7428 https://access.redhat.com/errata/RHSA-2023:7428
Comment 6 errata-xmlrpc 2024-04-30 09:43:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2169 https://access.redhat.com/errata/RHSA-2024:2169
Comment 7 errata-xmlrpc 2024-04-30 10:02:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2298 https://access.redhat.com/errata/RHSA-2024:2298
Comment 8 errata-xmlrpc 2024-05-22 09:32:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2995 https://access.redhat.com/errata/RHSA-2024:2995
Comment 9 errata-xmlrpc 2024-05-22 09:43:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3067 https://access.redhat.com/errata/RHSA-2024:3067
Note You need to log in before you can comment on or make changes to this bug.