X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities

Written by Michael Larabel in X.Org on 12 July 2022 at 09:00 AM EDT.
Getting things started for this "Patch Tuesday" is the disclosure of two new X.Org Server vulnerabilities.

These issues, which involve out-of-bounds memory accesses in the X.Org Server, can lead to local privilege elevation on systems where the X.Org Server runs privileged, and to remote code execution for SSH X forwarding sessions.

CVE-2022-2319 and CVE-2022-2320 were made public this morning; both deal with the X.Org Server's XKB keyboard extension not properly validating input, which can lead to out-of-bounds memory writes. Hopefully, though, in 2022 you aren't relying on your xorg-server running as root.

Fixes for these XKB vulnerabilities have landed in X.Org Server Git, and the xorg-server 21.1.4 point release carrying them is expected soon. Both vulnerabilities were discovered by Trend Micro's Zero Day Initiative.
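As an added example (not code from the article or from the X.Org project), a small POSIX shell check for the two conditions the article names: an installed xorg-server older than the 21.1.4 release that carries the fixes, and an X server process running as root, which is what turns these XKB out-of-bounds writes into local privilege escalation. Only the 21.1.4 threshold comes from the article; the `Xorg -version` parsing and the process-name match are assumptions.

```shell
#!/bin/sh
# Added defender's check, not code from the article or the X.Org project. It flags
# an installed xorg-server older than 21.1.4 (the release carrying the fixes for
# CVE-2022-2319/CVE-2022-2320) and any X server process that is running as root.

FIXED_VERSION="21.1.4"

# Pull the dotted version out of `Xorg -version` output ("X.Org X Server 21.1.3").
parse_xorg_version() {
    printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare up to four dotted numeric components; succeeds when $1 >= $2.
version_at_least() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | cut -s -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s\n' "$2" | cut -s -d. -f"$i" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Succeeds when a root-owned X server process (comm "X" or "Xorg", assumed names) exists.
xorg_running_as_root() {
    ps -eo user=,comm= | awk '$1 == "root" && $2 ~ /^(X|Xorg)$/ { f = 1 } END { exit !f }'
}

check_host() {
    if command -v Xorg >/dev/null 2>&1; then
        ver=$(parse_xorg_version "$(Xorg -version 2>&1)")
        if [ -n "$ver" ] && version_at_least "$ver" "$FIXED_VERSION"; then
            echo "xorg-server $ver: includes the XKB fixes (>= $FIXED_VERSION)"
        else
            echo "xorg-server ${ver:-unknown}: older than $FIXED_VERSION, update"
        fi
    else
        echo "Xorg binary not found"
    fi
    if xorg_running_as_root; then
        echo "WARNING: root-owned X server; the XKB out-of-bounds writes become local privilege escalation"
    else
        echo "No root-owned X server process"
    fi
}
# Only run the host check when invoked with --check, so sourcing just defines the functions.
if [ "${1:-}" = "--check" ]; then check_host; fi
```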

More details are in today's X.Org Security Advisory.

Update: X.Org Server 21.1.4 is now available. In addition to these security fixes there are also a large number of XQuartz fixes from Apple, a GCC 12 build fix in the render code, a possible crash fix in the PRESENT code, and various other small fixes.