xorg-x11-server-Xwayland-23.2.7-1.el9

エラータID: AXSA:2024-9300:04

Release date: 
Thursday, December 12, 2024 - 20:44
Subject: 
xorg-x11-server-Xwayland-23.2.7-1.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

Xwayland is an X server for running X clients under Wayland.

Security Fix(es):

* xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents (CVE-2024-31080)
* xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice (CVE-2024-31081)
* xorg-x11-server: Use-after-free in ProcRenderAddGlyphs (CVE-2024-31083)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.5 Release Notes linked from the References section.

CVE-2024-31080
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2024-31081
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2024-31083
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.

Solution: 

Update packages.

CVEs: 
CVE-2024-31080
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2024-31081
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2024-31083
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
Additional Info: 

N/A

Download: 

SRPMS
  1. xorg-x11-server-Xwayland-23.2.7-1.el9.src.rpm
    MD5: 9e680a3b0e4e3aa2e7fbf7e24192b10f
    SHA-256: 44367e4921b3c1fc76219472830217c320450d464848bf767b6834620aafa238
    Size: 1.25 MB

Asianux Server 9 for x86_64
  1. xorg-x11-server-Xwayland-23.2.7-1.el9.i686.rpm
    MD5: 04766294f86f2f3b50d937f978c44cbc
    SHA-256: ef4f56f9f90640718f4863dda57553c49e568976956fcb1a70be6a51164ef358
    Size: 1.01 MB
  2. xorg-x11-server-Xwayland-23.2.7-1.el9.x86_64.rpm
    MD5: 33a6d3e58f73301d5cc06598d7ead5fa
    SHA-256: 3e5e35ce144b7f0279e6fa18040c1e33f7d055385919ada558d88370870d634b
    Size: 0.96 MB
  3. xorg-x11-server-Xwayland-devel-23.2.7-1.el9.i686.rpm
    MD5: 7fe416707df95f985da17fc3631eed27
    SHA-256: 49b102946bb56c545ea3440fd968b0e6aa48dc9620875db51bd8d3dcc3fe9d85
    Size: 8.72 kB
  4. xorg-x11-server-Xwayland-devel-23.2.7-1.el9.x86_64.rpm
    MD5: ff3482fd4e4d94cff6a88c2faef7b64e
    SHA-256: 5f7bd3752a0fc87238c06c5531b5e4ed2d521c5b4ebbb764c3fa3e71b3aabed9
    Size: 8.70 kB