oss-sec mailing list archives
Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
From: Olivier Fourdan <ofourdan () redhat com>
Date: Wed, 29 Mar 2023 14:31:54 +0200
-------- Forwarded Message -------- Subject: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free Date: Wed, 29 Mar 2023 14:15:05 +0200 From: Olivier Fourdan <ofourdan () redhat com> To: xorg-announce () lists x org CC: xorg () lists x org, xorg-devel <xorg-devel () lists x org>, zdi-disclosures () trendmicro com X.Org Security Advisory: March 29, 2023 X.Org Server Overlay Window Use-After-Free ========================================== This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. Patches ------- Patch for this issue have been committed to the xorg server git repository. xorg-server 21.1.8 will be released shortly and will include this patch. - commit 26ef545b3 - composite: Fix use-after-free of the COW (https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3) ZDI-CAN-19866/CVE-2023-1393 If a client explicitly destroys the compositor overlay window (aka COW), we would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. Make sure to clear the CompScreen pointer to the COW when the latter gets destroyed explicitly by the client. Thanks ====== The vulnerabilities have been discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
Attachment:
OpenPGP_0x14706DBE1E4B4540.asc
Description: OpenPGP public key
Current thread:
- Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free Olivier Fourdan (Mar 29)