X.Org 21.1.11 arrives with 6 vulnerabilities fixed


The release of X.Org Server 21.1.11, a corrective version, was recently announced, together with Xwayland 23.2.4, the X.Org Server build that runs X11 applications inside Wayland-based environments.

The main reason for this release is to ship the patches for 6 vulnerabilities. Some of them can be exploited for privilege escalation on systems where the X server runs as root, and for remote code execution in setups that use X11 session forwarding over SSH for access.

Vulnerabilities details

CVE-2023-6816: Buffer overflow in DeviceFocusEvent and ProcXIQueryPointer

This issue, CVE-2023-6816, has been present since xorg-server-1.13.0 (2012). A buffer overflow occurs when an invalid array index is passed to DeviceFocusEvent or ProcXIQueryPointer: both write one bit per logical button into a buffer that is sized only for the device's own number of buttons, so a logical button number beyond that size overflows it.
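The pattern behind this bug, a bitmask allocated for the device's own button count but indexed by the logical button number a client can remap, is modelled below. This is an added example written for this article, not the X server's code: the device struct, the sample remapping (button 3 to logical 200) and the helper names are constructed for illustration. The hardened sizing allocates for the largest logical button number the protocol allows rather than for the device's physical buttons.

```c
/* Constructed model of the "bitmask sized for the device, indexed by the
 * logical button" pattern behind CVE-2023-6816. Example code written for
 * this article; the device struct and helpers are mine, not the X server's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGICAL_BUTTON 255   /* an X11 button number fits in one byte */
#define MAX_PHYS_BUTTONS   16

/* Hypothetical pointer device: physical buttons 1..num_buttons, each mapped
 * to a logical button number (what a pointer-mapping request changes). */
struct device {
    int num_buttons;
    uint8_t map[MAX_PHYS_BUTTONS + 1];   /* physical -> logical */
    uint8_t down[MAX_PHYS_BUTTONS + 1];  /* 1 if physical button is held */
};

/* Bits rounded up to whole bytes. */
static size_t bits_to_bytes(int bits) { return ((size_t)bits + 7) / 8; }

/* Vulnerable sizing: room for the device's own buttons only. */
static size_t mask_len_vulnerable(const struct device *d) {
    return bits_to_bytes(d->num_buttons + 1);   /* button 0 is unused */
}

/* Hardened sizing: room for every logical button the mapping can yield. */
static size_t mask_len_fixed(const struct device *d) {
    int n = d->num_buttons > MAX_LOGICAL_BUTTON ? d->num_buttons : MAX_LOGICAL_BUTTON;
    return bits_to_bytes(n + 1);
}

/* Fills the "buttons down" mask. Instead of writing past `len` bytes, an
 * out-of-bounds logical button is counted and skipped, so the return value
 * is the number of heap writes unchecked code would have made. */
static int build_button_mask(const struct device *d, uint8_t *mask, size_t len) {
    int oob = 0;
    memset(mask, 0, len);
    for (int phys = 1; phys <= d->num_buttons; phys++) {
        if (!d->down[phys]) continue;
        int logical = d->map[phys];
        if ((size_t)logical / 8 >= len) { oob++; continue; }
        mask[logical / 8] |= (uint8_t)(1u << (logical % 8));
    }
    return oob;
}

/* Constructed sample: 5 buttons, button 3 remapped to logical 200, buttons
 * 1 and 3 held. Returns the out-of-bounds write count for the chosen sizing. */
static int demo_oob_writes(int hardened) {
    struct device d = { .num_buttons = 5 };
    for (int i = 1; i <= d.num_buttons; i++) d.map[i] = (uint8_t)i;
    d.map[3] = 200;
    d.down[1] = d.down[3] = 1;

    uint8_t mask[(MAX_LOGICAL_BUTTON + 1) / 8];   /* 32 bytes, enough for either sizing */
    size_t len = hardened ? mask_len_fixed(&d) : mask_len_vulnerable(&d);
    return build_button_mask(&d, mask, len);
}

int main(void) {
    printf("device-sized mask:  %d out-of-bounds bit write(s)\n", demo_oob_writes(0));
    printf("protocol-sized mask: %d out-of-bounds bit write(s)\n", demo_oob_writes(1));
    return 0;
}
```

With the device-sized mask (1 byte for 5 buttons) the remapped button lands 25 bytes past the buffer; with the protocol-sized mask (32 bytes) every logical button fits. The general lesson is to size a buffer for the range of the index that will be used on it, not for the count of objects that happen to exist.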

CVE-2024-0229: Out of bounds memory access when reconnecting to a different master device

CVE-2024-0229 has been present since xorg-server-1.1.1 (2006). It is an out-of-bounds buffer write triggered by reattaching a device to a different master device, in a configuration where the device has both button and key input classes and its number of buttons (the numButtons parameter) is 0.

CVE-2024-21885: Buffer overflow in XISendDeviceHierarchyEvent

CVE-2024-21885 has been present since xorg-server-1.10.0 (2010). It is a buffer overflow caused by insufficient space allocation in XISendDeviceHierarchyEvent when a device with a given ID is removed and a device with the same ID is added in the same request.

Because the same ID is touched twice in one request, two xXIHierarchyInfo structures are written for it, while XISendDeviceHierarchyEvent allocated memory for only one.

CVE-2024-21886: Buffer Overflow in DisableDevice

CVE-2024-21886 has been present since xorg-server-1.13.0 (2012). It is a buffer overflow in the DisableDevice function that occurs when a master device is disabled while its slave devices are already disabled; the size of the structure that holds the list of devices is computed incorrectly.

CVE-2024-0409: SELinux context corruption

CVE-2024-0409, present since xorg-server-1.16.0, corrupts the SELinux context because of incorrect use of the "privates" mechanism that the server uses to store additional data on its objects.

The X server uses this mechanism on its own objects: each private has a "type" associated with it, and each private is allocated with the size declared when its key was created. The cursor structure in the X server even has two keys, one for the cursor itself and another for the bits that shape the cursor. XSELINUX also uses private keys, but it is a bit of a special case because it uses the same keys for all the different object types.

What happens here is that the cursor code in both Xephyr and Xwayland uses the wrong type of "private" at creation: it uses the cursor-bits type with the cursor private, and when the cursor is initialized it overwrites the XSELINUX context.
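The key-type confusion just described is modelled below: a key registered for the cursor-bits type carries an offset that is only meaningful inside a cursor-bits privates block, and applying it to a cursor object writes at whatever sits at that offset in the cursor's block, here the XSELINUX label pointer. This is an added example for this article, not the X server's dix privates code: the two object types, the key names, the registration order and the type check in the hardened setter are constructed for illustration (the upstream fix simply uses the correct key).

```c
/* Constructed model of the "privates" mechanism and of the key-type confusion
 * behind CVE-2024-0409. Example code written for this article; the structures,
 * key names and the type check are mine, not the X server's dix/privates.c. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum obj_type { TYPE_CURSOR, TYPE_CURSOR_BITS, TYPE_COUNT };

/* A key is registered for one object type and receives an offset inside that
 * type's privates block; the offset means nothing for another type. */
struct private_key { enum obj_type type; size_t offset; };

static size_t type_size[TYPE_COUNT];   /* bytes of privates per object type */

struct object { enum obj_type type; unsigned char *privates; };

static void register_key(struct private_key *k, enum obj_type t, size_t size) {
    k->type = t;
    k->offset = type_size[t];
    type_size[t] += size;
}

static struct object make_object(enum obj_type t) {
    struct object o = { t, calloc(type_size[t] ? type_size[t] : 1, 1) };
    return o;
}

/* Vulnerable setter: trusts the key's offset regardless of the object's type. */
static void set_private(struct object *o, const struct private_key *k, void *p) {
    memcpy(o->privates + k->offset, &p, sizeof p);
}

static void *get_private(const struct object *o, const struct private_key *k) {
    void *p;
    memcpy(&p, o->privates + k->offset, sizeof p);
    return p;
}

/* Hardened setter: refuses a key registered for a different object type.
 * This guard is an addition of this example; upstream fixed the caller. */
static int set_private_checked(struct object *o, const struct private_key *k, void *p) {
    if (k->type != o->type) return -1;
    set_private(o, k, p);
    return 0;
}

/* Replays the scenario: a driver key registered for cursor bits is applied to
 * a cursor object. Returns 1 if the cursor's SELinux private was clobbered. */
static int demo(int use_checked_setter) {
    memset(type_size, 0, sizeof type_size);
    struct private_key ephyr_cursor_key, selinux_key[TYPE_COUNT];

    /* Driver key registered first, for the bits type: offset 0 there. */
    register_key(&ephyr_cursor_key, TYPE_CURSOR_BITS, sizeof(void *));
    /* XSELINUX registers its label pointer for every type; on the cursor type
     * it is the first private, so it also sits at offset 0. */
    for (int t = 0; t < TYPE_COUNT; t++)
        register_key(&selinux_key[t], (enum obj_type)t, sizeof(void *));

    struct object cursor = make_object(TYPE_CURSOR);
    static char selinux_label[] = "system_u:object_r:xserver_t";   /* constructed */
    static char ephyr_data[] = "driver cursor state";              /* constructed */
    set_private(&cursor, &selinux_key[TYPE_CURSOR], selinux_label);

    if (use_checked_setter)
        set_private_checked(&cursor, &ephyr_cursor_key, ephyr_data);   /* rejected */
    else
        set_private(&cursor, &ephyr_cursor_key, ephyr_data);           /* lands on the label slot */

    int clobbered = get_private(&cursor, &selinux_key[TYPE_CURSOR]) != (void *)selinux_label;
    free(cursor.privates);
    return clobbered;
}

int main(void) {
    printf("wrong key type, unchecked: SELinux private clobbered = %d\n", demo(0));
    printf("wrong key type, checked:   SELinux private clobbered = %d\n", demo(1));
    return 0;
}
```

The point to take from the model is that a private key is not a plain field name: its offset is relative to the layout of the type it was registered for, so using it on an object of another type is a silent type confusion that lands on an unrelated private.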

CVE-2024-0408: Unlabeled SELinux GLX PBuffer

CVE-2024-0408, present since xorg-server-1.10.0 (2010), allows X resources to remain unlabeled, which can result in local privilege escalation. The XSELINUX code in the X server uses labels to keep track of X resources.

What happens here is that the GLX PBuffer code does not call the XACE hook when it creates the buffer, so the buffer remains unlabeled. When the client issues another request to access that resource, or creates another resource that needs access to that buffer, the XSELINUX code tries to use an object that was never labeled and fails because its SID is NULL.
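The labeling gap is modelled below with a small resource table: one creation path invokes the labeling hook and one forgets it, an access check refuses a resource whose SID is NULL instead of dereferencing it, and an audit function counts unlabeled resources. This is an added example for this article, not the X server's xselinux or glx code: the table, the hook, the label strings and the fail-closed check are constructed for illustration.

```c
/* Constructed model of the labeling gap behind CVE-2024-0408. Example code
 * for this article, not the X server's Xext/xselinux or glx code: the
 * resource table, hook, labels and audit function are mine. */
#include <stdio.h>
#include <string.h>

/* A security label; the SID is what the access check needs. */
struct label { const char *context; };

struct resource { unsigned int id; const char *kind; const struct label *sid; };

#define MAX_RESOURCES 8
static struct resource table[MAX_RESOURCES];
static int n_resources;

static const struct label client_label = { "user_u:user_r:user_t" };   /* constructed */

/* XACE-like resource-creation hook: the security module labels the new
 * resource from the creating client's label. */
static void xace_hook_resource_create(struct resource *r, const struct label *client) {
    r->sid = client;
}

static struct resource *add_resource(unsigned int id, const char *kind) {
    if (n_resources == MAX_RESOURCES) return NULL;
    struct resource *r = &table[n_resources++];
    r->id = id;
    r->kind = kind;
    r->sid = NULL;                   /* unlabeled until a hook runs */
    return r;
}

/* Creation paths. The pixmap path calls the hook; the vulnerable PBuffer
 * path never does, leaving sid == NULL; the fixed path calls it. */
static struct resource *create_pixmap(unsigned int id, const struct label *client) {
    struct resource *r = add_resource(id, "pixmap");
    if (r) xace_hook_resource_create(r, client);
    return r;
}
static struct resource *create_pbuffer_vulnerable(unsigned int id, const struct label *client) {
    (void)client;                    /* hook never called */
    return add_resource(id, "glx-pbuffer");
}
static struct resource *create_pbuffer_fixed(unsigned int id, const struct label *client) {
    struct resource *r = add_resource(id, "glx-pbuffer");
    if (r) xace_hook_resource_create(r, client);
    return r;
}

/* Access check: 1 = allow, 0 = deny. A NULL sid is the state the unlabeled
 * PBuffer is left in; denying it explicitly is the fail-closed behaviour
 * rather than dereferencing the NULL pointer. */
static int access_allowed(const struct label *client, const struct resource *r) {
    if (r->sid == NULL) return 0;
    return strcmp(client->context, r->sid->context) == 0;
}

/* Invariant audit: every resource must carry a label after creation.
 * Returns the number of unlabeled resources in the table. */
static int count_unlabeled(void) {
    int n = 0;
    for (int i = 0; i < n_resources; i++)
        if (table[i].sid == NULL) n++;
    return n;
}

/* Runs the scenario with the vulnerable or fixed PBuffer path and returns
 * how many unlabeled resources it leaves behind. */
static int demo(int fixed) {
    n_resources = 0;
    create_pixmap(0x1, &client_label);
    if (fixed) create_pbuffer_fixed(0x2, &client_label);
    else       create_pbuffer_vulnerable(0x2, &client_label);
    return count_unlabeled();
}

int main(void) {
    printf("vulnerable PBuffer path: %d unlabeled resource(s), access to id 0x2 allowed = %d\n",
           demo(0), access_allowed(&client_label, &table[1]));
    printf("fixed PBuffer path:      %d unlabeled resource(s), access to id 0x2 allowed = %d\n",
           demo(1), access_allowed(&client_label, &table[1]));
    return 0;
}
```

An audit like count_unlabeled() is the cheap invariant to add when a security module labels objects at creation: any path that can produce an object without going through the hook is a labeling gap, whatever the object type.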

This corrective version is already available in the repositories of the main Linux distributions, so the recommendation is to update to it as soon as possible.

Finally, if you are interested in learning more, you can check the details at the following link.

