XWayland & X.Org Server See New Releases Due To Three More Security Vulnerabilities

Written by Michael Larabel in X.Org on 25 October 2023 at 06:35 AM EDT.
The X.Org Server and XWayland saw new point releases today as a result of three more security vulnerabilities being disclosed.

October began with new X.Org security vulnerabilities, two of which dated back to the year 1988. Now as we approach the end of October, three more vulnerabilities have been made public.

CVE-2023-5367 is an out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty, where memcpy() can end up writing into memory outside of the heap-allocated array. CVE-2023-5380 is a use-after-free within DestroyWindow; this vulnerability only affects multi-monitor "Zaphod" mode setups. The third is CVE-2023-5574, another use-after-free bug, this time within DamageDestroy and also affecting multi-head Zaphod mode setups.

X.Org Server 21.1.9 and XWayland 23.2.2 were released today with the X.Org patches to address these out-of-bounds and use-after-free errors. These three CVEs come as a result of the Trend Micro Zero Day Initiative, which has also uncovered many other X.Org vulnerabilities over prior years.

More details on today's updates via this X.Org Security Advisory.