Jan-Niklas Sohn

**Name of the Vulnerable Software and Affected Versions** xwayland versions prior to 24.1.9-2.1 xorg-x11-server versions prior to 21.1.21-5.1 **Description** Security issues were identified in xwayland and xorg-x11-server. **Recommendations** Update xwayland to version 24.1.9-2.1. Update xorg-x11-server to version 21.1.21-5.1.

**Name of the Vulnerable Software and Affected Versions** xwayland versions prior to 24.1.9-2.1 xorg-x11-server versions prior to 21.1.21-5.1 **Description** Security issues were identified in xwayland and xorg-x11-server. **Recommendations** Update xwayland to version 24.1.9-2.1. Update xorg-x11-server to version 21.1.21-5.1.

**Name of the Vulnerable Software and Affected Versions** X.Org Server versions prior to 21.1.14 **Description** A flaw was found in the X.org server due to improperly tracked allocation size in ` XkbSetCompatMap`, allowing a local attacker to trigger a buffer overflow condition via a specially crafted payload. This can lead to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges. The issue is estimated to have been present for 18 years, affecting various Linux distributions and potentially other systems. **Recommendations** For X.Org Server versions prior to 21.1.14, update to version 21.1.14 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ` XkbSetCompatMap` function until a patch is available. Additionally, ensure that the X.org server is not run with root privileges unless necessary, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server (affected versions not specified) **Description** A flaw was found in xorg-server, related to the handling of XKB button actions, which can result in out-of-bounds memory reads and writes when querying or changing these actions, such as moving from a touchpad to a mouse. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xorg-server (affected versions not specified) **Description** A flaw was found in xorg-server, where a specially crafted request to `RRChangeProviderProperty` or `RRChangeOutputProperty` can trigger an integer overflow, potentially leading to the disclosure of sensitive information. This issue may allow a remote attacker to exploit the vulnerability and disclose confidential information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server (affected versions not specified) **Description** A use-after-free flaw was found in the xorg-x11-server, which can cause an X server crash in a very specific and legacy configuration, known as Zaphod mode, where a multi-screen setup with multiple protocol screens is used. This issue occurs when the pointer is warped from within a window on one screen to the root window of the other screen, and the original window is destroyed followed by another window being destroyed. The exploitation of this flaw may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server (affected versions not specified) **Description** A flaw was found in the xorg-x11-server due to an incorrect calculation of a buffer offset when copying data stored in the heap. This issue affects the `XIChangeDeviceProperty` function in `Xi/xiproperty.c` and the `RRChangeOutputProperty` function in `randr/rrproperty.c`, allowing for possible escalation of privileges or denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** X.Org Server versions prior to 21.1.7 **Description** A vulnerability was found in X.Org due to a dangling pointer in `DeepCopyPointerClasses` that can be exploited by `ProcXkbSetDeviceInfo()` and `ProcXkbGetDeviceInfo()` to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions. **Recommendations** For X.Org Server versions prior to 21.1.7, update to version 21.1.7 to resolve the issue. As a temporary workaround, consider restricting access to the `ProcXkbSetDeviceInfo()` and `ProcXkbGetDeviceInfo()` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** X.Org (affected versions not specified) **Description** A security flaw in X.Org occurs because the handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. The vulnerability is related to the ProcXIPassiveUngrabDevice function and is associated with a buffer overflow, allowing a remote attacker to access confidential data, compromise their integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** X.Org (affected versions not specified) **Description** A security flaw was found in the handler for the `XIChangeProperty` request, resulting in length-validation issues and out-of-bounds memory reads. This can lead to potential information disclosure, local privileges elevation on systems where the X server is running privileged, and remote code execution for ssh X forwarding sessions. The issue is related to reading beyond the valid boundaries of a data buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** X.Org (affected versions not specified) **Description** A security flaw was found in the handler for the `ScreenSaverSetAttributes` request, which may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. The vulnerability can also allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** X.Org (affected versions not specified) **Description** A security issue was found in X.Org due to the handler for the `XvdiSelectVideoNotify` request writing to memory after it has been freed. This can lead to local privileges elevation on systems where the X server is running. The issue may also allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** X.Org Server (affected versions not specified) **Description** The issue is related to a buffer overflow in the XTestSwapFakeInput function of the X.Org Server, which can be exploited by a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability occurs because the swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through the XTestFakeInput request. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. However, it does not affect systems where the client and server use the same byte order. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** X.Org Server versions prior to 21.1.8 xwayland versions prior to 23.1.1 **Description** A flaw was found in X.Org Server Overlay Window, where a Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window, the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. This issue may be exploited to elevate privileges in systems where the X server runs with root privileges. **Recommendations** For X.Org Server versions prior to 21.1.8, update to version 21.1.8 or later to resolve the issue. For xwayland versions prior to 23.1.1, update to version 23.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the compositor overlay window to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server versions before 21.1.2 and before 1.20.14 **Description** The issue is related to an out-of-bounds access in the `SProcRenderCompositeGlyphs()` function of the X.Org Server, which can lead to data confidentiality and integrity issues, as well as system availability problems. An attacker can exploit this by sending a specially crafted CompositeGlyphs request, potentially allowing them to execute arbitrary code with elevated privileges. **Recommendations** For versions before 21.1.2 and before 1.20.14, update to version 21.1.2 or 1.20.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the `SProcRenderCompositeGlyphs()` function in the Render extension until a patch is available.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server versions before 21.1.2 xorg-x11-server versions before 1.20.14 **Description** A flaw was found in the `SProcXFixesCreatePointerBarrier` function, which can cause an out-of-bounds access. This issue poses a threat to data confidentiality and integrity, as well as system availability. The vulnerability can be exploited to gain access to confidential data, disrupt data integrity, and cause a denial of service. **Recommendations** For xorg-x11-server versions before 21.1.2, update to version 21.1.2 or later. For xorg-x11-server versions before 1.20.14, update to version 1.20.14 or later. As a temporary workaround, consider disabling the `SProcXFixesCreatePointerBarrier` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server versions prior to 21.1.2 xorg-x11-server versions prior to 1.20.14 **Description** A flaw in xorg-x11-server can produce an out-of-bounds access in the `SProcScreenSaverSuspend` function. The highest threat from this issue is to data confidentiality and integrity as well as system availability. An out-of-bounds access can occur, potentially allowing an attacker to access confidential data, disrupt its integrity, and cause a denial of service. **Recommendations** For xorg-x11-server versions prior to 21.1.2, update to version 21.1.2 or later. For xorg-x11-server versions prior to 1.20.14, update to version 1.20.14 or later. As a temporary workaround, consider disabling the `SProcScreenSaverSuspend` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** xorg-x11-server versions prior to 21.1.2 xorg-x11-server versions prior to 1.20.14 **Description** A flaw was found in the xorg-x11-server, where an out-of-bounds access can occur in the `SwapCreateRegister` function. This issue is related to the X Window System X.Org Server implementation and is associated with an out-of-bounds operation in the data buffer. The highest threat from this issue is to data confidentiality and integrity as well as system availability. Exploitation of the flaw may allow an attacker to access confidential data, compromise their integrity, and cause a denial of service. The vulnerability can be exploited by sending specially crafted requests, such as `RecordCreateContext` and `RecordRegisterClients`, to execute arbitrary code with elevated privileges. **Recommendations** For xorg-x11-server versions prior to 21.1.2, update to version 21.1.2 or later. For xorg-x11-server versions prior to 1.20.14, update to version 1.20.14 or later. As a temporary workaround, consider disabling the `SwapCreateRegister` function until a patch is available. Restrict access to the Record extension to minimize the risk of exploitation. Avoid using the `RecordCreateContext` and `RecordRegisterClients` requests in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Xorg-x11-server (affected versions not specified) **Description** A flaw was found in the Xorg-x11-server, where an out-of-bounds access issue can occur in the `ProcXkbSetGeometry` function due to improper validation of the request length. This can allow a remote attacker to execute arbitrary code or elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xorg-x11-server (affected versions not specified) **Description** A flaw was found in the handling of `ProcXkbSetDeviceInfo` requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.