Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2023-2335

Related Vulnerabilities: CVE-2023-5367   CVE-2023-5380  

A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service. (CVE-2023-5367) A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed. (CVE-2023-5380)

Source

ALAS-2023-2335

Amazon Linux 2 Security Advisory: ALAS-2023-2335
Advisory Release Date: 2023-11-09 19:19 Pacific
Advisory Updated Date: 2023-11-15 21:10 Pacific
Severity: Important
Issue Overview:

A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service. (CVE-2023-5367)

A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed. (CVE-2023-5380)


Affected Packages:

xorg-x11-server


Issue Correction:
Run yum update xorg-x11-server to update your system.

New Packages:
aarch64:
    xorg-x11-server-common-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-Xorg-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-Xnest-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-Xdmx-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-Xvfb-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-Xephyr-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-Xwayland-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-devel-1.20.4-22.amzn2.0.1.aarch64
    xorg-x11-server-debuginfo-1.20.4-22.amzn2.0.1.aarch64

i686:
    xorg-x11-server-common-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-Xorg-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-Xnest-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-Xdmx-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-Xvfb-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-Xephyr-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-Xwayland-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-devel-1.20.4-22.amzn2.0.1.i686
    xorg-x11-server-debuginfo-1.20.4-22.amzn2.0.1.i686

noarch:
    xorg-x11-server-source-1.20.4-22.amzn2.0.1.noarch

src:
    xorg-x11-server-1.20.4-22.amzn2.0.1.src

x86_64:
    xorg-x11-server-common-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-Xorg-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-Xnest-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-Xdmx-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-Xvfb-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-Xephyr-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-Xwayland-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-devel-1.20.4-22.amzn2.0.1.x86_64
    xorg-x11-server-debuginfo-1.20.4-22.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2023-5367, CVE-2023-5380

Mitre: CVE-2023-5367, CVE-2023-5380

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started