A vulnerability in xorg-server and xwayland. ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used. Introduced in: prior to X11R6.7 (2004)
Created tigervnc tracking bugs for this issue: Affects: fedora-all [bug 2273317] Created xorg-x11-server tracking bugs for this issue: Affects: fedora-all [bug 2273315] Created xorg-x11-server-Xwayland tracking bugs for this issue: Affects: fedora-all [bug 2273316]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:1785 https://access.redhat.com/errata/RHSA-2024:1785
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2037 https://access.redhat.com/errata/RHSA-2024:2037
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:2036 https://access.redhat.com/errata/RHSA-2024:2036
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Telecommunications Update Service Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Via RHSA-2024:2041 https://access.redhat.com/errata/RHSA-2024:2041
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:2039 https://access.redhat.com/errata/RHSA-2024:2039
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Telecommunications Update Service Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:2042 https://access.redhat.com/errata/RHSA-2024:2042
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:2040 https://access.redhat.com/errata/RHSA-2024:2040
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:2038 https://access.redhat.com/errata/RHSA-2024:2038
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:2080 https://access.redhat.com/errata/RHSA-2024:2080
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2616 https://access.redhat.com/errata/RHSA-2024:2616