Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6587-1

Ubuntu Security Notice 6587-1 - Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled reattaching to a different master device. An attacker could use this issue to cause the X Server to crash, leading to a denial of service, or possibly execute arbitrary code.

Packet Storm
#vulnerability#ubuntu#linux#dos

==========================================================================
Ubuntu Security Notice USN-6587-1
January 16, 2024

xorg-server, xwayland vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.10
  • Ubuntu 23.04
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:

  • xorg-server: X.Org X11 server
  • xwayland: X server for running X clients under Wayland

Details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
attacker could possibly use this issue to cause the X Server to crash,
obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
reattaching to a different master device. An attacker could use this issue
to cause the X Server to crash, leading to a denial of service, or possibly
execute arbitrary code. (CVE-2024-0229)

Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
use this issue to cause the X Server to crash, leading to a denial of
service. (CVE-2024-0408)

Olivier Fourdan discovered that the X.Org X Server incorrectly handled
the curser code when used with SELinux. An attacker could use this issue to
cause the X Server to crash, leading to a denial of service.
(CVE-2024-0409)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the XISendDeviceHierarchyEvent API. An attacker
could possibly use this issue to cause the X Server to crash, or execute
arbitrary code. (CVE-2024-21885)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
devices being disabled. An attacker could possibly use this issue to cause
the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
xserver-xorg-core 2:21.1.7-3ubuntu2.6
xwayland 2:23.2.0-1ubuntu0.4

Ubuntu 23.04:
xserver-xorg-core 2:21.1.7-1ubuntu3.6
xwayland 2:22.1.8-1ubuntu1.4

Ubuntu 22.04 LTS:
xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.7
xwayland 2:22.1.1-1ubuntu0.10

Ubuntu 20.04 LTS:
xserver-xorg-core 2:1.20.13-1ubuntu1~20.04.14
xwayland 2:1.20.13-1ubuntu1~20.04.14

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6587-1
CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409,
CVE-2024-21885, CVE-2024-21886

Package Information:
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-3ubuntu2.6
https://launchpad.net/ubuntu/+source/xwayland/2:23.2.0-1ubuntu0.4
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-1ubuntu3.6
https://launchpad.net/ubuntu/+source/xwayland/2:22.1.8-1ubuntu1.4
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7~22.04.7
https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.10
https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.14

Related news

Ubuntu Security Notice USN-6587-5

Ubuntu Security Notice 6587-5 - USN-6587-1 fixed several vulnerabilities in X.Org. This update provides the corresponding update for Ubuntu 14.04 LTS. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the RRChangeOutputProperty and RRChangeProviderProperty APIs. An attacker could possibly use this issue to cause the X Server to crash, or obtain sensitive information.

Ubuntu Security Notice USN-6587-4

Ubuntu Security Notice 6587-4 - USN-6587-1 fixed vulnerabilities in X.Org X Server. The fix was incomplete resulting in a possible regression. This update fixes the problem. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code.

Red Hat Security Advisory 2024-0629-03

Red Hat Security Advisory 2024-0629-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 7. Issues addressed include a buffer overflow vulnerability.

Red Hat Security Advisory 2024-0626-03

Red Hat Security Advisory 2024-0626-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

Red Hat Security Advisory 2024-0617-03

Red Hat Security Advisory 2024-0617-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a buffer overflow vulnerability.

Gentoo Linux Security Advisory 202401-30

Gentoo Linux Security Advisory 202401-30 - Multiple vulnerabilities have been discovered in the Xorg Server and XWayland, the worst of which can result in privilege escalation or remote code execution. Versions greater than or equal to 21.1.11 are affected.

Ubuntu Security Notice USN-6587-3

Ubuntu Security Notice 6587-3 - USN-6587-1 fixed vulnerabilities in X.Org X Server. The fix was incomplete resulting in a possible regression. This update fixes the problem. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled reattaching to a different master device. An attacker could use this issue to cause the X Server to crash, leading to a denial of service, or possibly execute arbitrary code. Olivier Fourdan and Donn Seeley discovered that the X.Org X Server incorrectly labeled GLX PBuffers when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service. Olivier Fourdan discovered that the X.Org X Server incorrectly handled the curser co...

Debian Security Advisory 5603-1

Debian Linux Security Advisory 5603-1 - Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged or denial of service.

Red Hat Security Advisory 2024-0320-03

Red Hat Security Advisory 2024-0320-03 - An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7. Issues addressed include a buffer overflow vulnerability.

Ubuntu Security Notice USN-6587-2

Ubuntu Security Notice 6587-2 - USN-6587-1 fixed several vulnerabilities in X.Org. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6