List:       oss-security
Subject:    [oss-security] Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Fr
From:       Olivier Fourdan <ofourdan () redhat ! com>
Date:       2023-03-29 12:31:54
Message-ID: 1e4b5d5c-f78e-348e-7651-6013bcd54fc5 () redhat ! com


-------- Forwarded Message --------
Subject: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Date: Wed, 29 Mar 2023 14:15:05 +0200
From: Olivier Fourdan <ofourdan@redhat.com>
To: xorg-announce@lists.x.org
CC: xorg@lists.x.org, xorg-devel <xorg-devel@lists.x.org>, zdi-disclosures@trendmicro.com

X.Org Security Advisory: March 29, 2023

X.Org Server Overlay Window Use-After-Free
==========================================

This issue can lead to local privilege elevation on systems where the X
server runs privileged, and to remote code execution for ssh X forwarding
sessions.

ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Local Privilege Escalation Vulnerability

If a client explicitly destroys the compositor overlay window (aka COW),
the Xserver would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Patches
-------
A patch for this issue has been committed to the xorg server git repository.
xorg-server 21.1.8 will be released shortly and will include this patch.

- commit 26ef545b3 - composite: Fix use-after-free of the COW
    (https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3)

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.
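
The dangling-pointer pattern described in the advisory, and the "clear the cached pointer on destroy" fix, shown as a simplified model. This is an added example, not the X.Org patch or X server code: all type and function names are hypothetical, and windows live in a static pool with an `alive` flag (an assumption made here) so the stale reference can be detected without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not the X server's. */
typedef struct { int id; bool alive; } Window;
typedef struct { Window *overlay; } Screen;   /* cached pointer to the COW */

/* Assumption: a static pool stands in for heap allocation so that a stale
 * pointer can be inspected safely. In the real server the memory is freed. */
static Window pool[4];

Window *window_create(int id) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].alive) {
            pool[i].id = id;
            pool[i].alive = true;
            return &pool[i];
        }
    return NULL;
}

/* Pre-fix behaviour: the window goes away, the screen keeps its pointer. */
void window_destroy_unpatched(Screen *s, Window *w) {
    (void)s;
    w->alive = false;
}

/* Post-fix behaviour: clear the cached pointer if the overlay is destroyed. */
void window_destroy_patched(Screen *s, Window *w) {
    if (s->overlay == w)
        s->overlay = NULL;
    w->alive = false;
}

/* True when the screen still references a window that no longer exists. */
bool screen_has_dangling_overlay(const Screen *s) {
    return s->overlay != NULL && !s->overlay->alive;
}

/* Destroys the overlay through one of the two paths and reports the result. */
bool overlay_dangles_after_destroy(bool patched) {
    Screen s = { .overlay = window_create(1) };
    Window *cow = s.overlay;
    if (cow == NULL)
        return false;
    (patched ? window_destroy_patched : window_destroy_unpatched)(&s, cow);
    return screen_has_dangling_overlay(&s);
}

int main(void) {
    printf("unpatched dangles: %d\n", overlay_dangles_after_destroy(false));
    printf("patched dangles:   %d\n", overlay_dangles_after_destroy(true));
    return 0;
}
```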