Corrective releases of X.org Server 21.1.11 and of the DDX (Device-Dependent X) component xwayland 23.2.4, which provides an X.org Server build for running X11 applications in Wayland-based environments, have been published. The new versions fix 6 vulnerabilities, some of which can be exploited to escalate privileges on systems where the X server runs with root rights, or for remote code execution in configurations where an X11 session is forwarded over SSH.
Identified problems:
- CVE-2023-6816: a buffer overflow triggered by passing a particular button array index to the DeviceFocusEvent and ProcXIQueryPointer operations. The vulnerability stems from the X server allocating the array according to the device's actual number of buttons, while the request allows index values up to 255. The problem has been present since the xorg-server 1.13.0 release (2012).
- CVE-2024-0229: an out-of-bounds write triggered by re-attaching a device to another master device, in a configuration where the device has both button-class and key-class elements and its number of buttons (the numButtons parameter) is set to 0. The problem has been present since the xorg-server 1.1.1 release (2006).
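To make the root cause of CVE-2023-6816 concrete, here is a constructed C model of the bug shape: a per-device button array sized by the real button count, indexed by a client-supplied value that the wire format lets run up to 255. This is an added example, not X.org's code; `Device`, `set_button_vulnerable` and `set_button_fixed` are hypothetical names, and the "arena" layout is an assumption used only so the overflow stays observable without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the CVE-2023-6816 bug shape (not X.org code). The
 * protocol lets a client name a button index up to 255, but the server
 * sizes per-device button arrays by the device's actual button count. */
#define PROTO_MAX_BUTTON 255
#define ARENA_SIZE (PROTO_MAX_BUTTON + 1)

typedef struct {
    int numButtons;          /* buttons the device actually has */
    /* Single backing arena (model assumption): the first numButtons bytes
     * are the button array; everything after stands in for adjacent data. */
    uint8_t arena[ARENA_SIZE];
} Device;

void device_init(Device *d, int numButtons) {
    memset(d, 0, sizeof *d);
    d->numButtons = numButtons;
}

/* Vulnerable shape: only the protocol limit is checked, so any index the
 * wire format can express is accepted even if the device has fewer buttons. */
int set_button_vulnerable(Device *d, unsigned index, uint8_t state) {
    if (index > PROTO_MAX_BUTTON)
        return -1;
    d->arena[index] = state;  /* index >= numButtons lands past the array */
    return 0;
}

/* Fixed shape: the bound is the device's real button count. With
 * numButtons == 0 (the CVE-2024-0229 configuration) every index is rejected. */
int set_button_fixed(Device *d, unsigned index, uint8_t state) {
    if (index > PROTO_MAX_BUTTON || (int)index >= d->numButtons)
        return -1;            /* reject the request instead of writing */
    d->arena[index] = state;
    return 0;
}

/* Nonzero if any byte beyond the real button array was modified. */
int adjacent_memory_corrupted(const Device *d) {
    for (int i = d->numButtons; i < ARENA_SIZE; i++)
        if (d->arena[i] != 0)
            return 1;
    return 0;
}

/* Scenario: a 4-button device receives a request naming button 200. */
int scenario_vulnerable(void) {
    Device d; device_init(&d, 4);
    return set_button_vulnerable(&d, 200, 1) == 0 && adjacent_memory_corrupted(&d);
}
int scenario_fixed(void) {
    Device d; device_init(&d, 4);
    return set_button_fixed(&d, 200, 1) == -1 && !adjacent_memory_corrupted(&d)
        && set_button_fixed(&d, 3, 1) == 0 && !adjacent_memory_corrupted(&d);
}
```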