ISN 2023-26: X.org Vulnerabilities
Updated 27 November 2023 (Update Instructions)
First published 9 November 2023
CVSS 3.1: 7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple vulnerabilities have been discovered in the X.org display server, which is used in IGEL OS. This affects the following IGEL products:
- IGEL OS 12
- IGEL OS 11
Details
Three local vulnerabilities have been found in the X.org server. All three require an attacker who can already submit requests to the X server as a local client (CVSS vector AV:L, PR:L), so the practical risk comes from code already running in a user session on the endpoint rather than from the network. CVE-2023-5367 is an out-of-bounds write in xorg-x11-server (in the XIChangeProperty and RRChangeOutputProperty request handlers) that a malicious client can use to crash the server or escalate its privileges to those of the X server process; it is rated high. CVE-2023-5574 is a use-after-free in Xvfb (DamageDestroy is not called when the virtual screen is torn down), also rated high, with the same potential impact; it only applies where Xvfb is actually run. CVE-2023-5380 is a use-after-free in the DestroyWindow handling of xorg-x11-server that can crash the server; it is rated medium because it only triggers in a legacy multi-screen (Zaphod) configuration, when the pointer is warped from a window on one screen to the root window of another and windows are subsequently destroyed.
Update Instructions
- OS 12: Update to OS 12 base system app version 12.2.2.
- OS 11: Update to OS 11.09.150 (available 6 December 2023).
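As an added check to go with the update step above (an example script written for this notice, not part of IGEL's tooling): the script below parses the banner line of `Xorg -version` and reports whether the build string predates the upstream fix. The fixed versions come from the X.Org advisory referenced in this notice, which shipped the fixes for all three CVEs in xorg-server 21.1.9 (and Xwayland 23.2.2). The sample banners, the verdict labels and the function names are constructed for the example. The caveat matters: vendors, IGEL included, may backport the fix without bumping the version string, so "older-than-fix" means "confirm patch status against the IGEL build numbers above", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example for ISN 2023-26, not IGEL's own tooling. Parses the
# "X.Org X Server a.b.c" banner from `Xorg -version` and compares it with
# the upstream version that fixed CVE-2023-5367, CVE-2023-5380 and
# CVE-2023-5574 (xorg-server 21.1.9, per the X.Org advisory in this notice).
# Caveat: a backported fix keeps the old version string, so treat
# "older-than-fix" as "verify with the vendor", not "confirmed vulnerable".

FIXED_XORG="21.1.9"

# Print the dotted version from the first "X.Org X Server a.b.c" line on stdin.
xserver_version() {
    sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed (exit 0) when A < B, comparing each dotted
# component numerically so that 21.1.10 sorts after 21.1.9 (string
# comparison would get that wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# assess_xorg "<text of Xorg -version>": prints one of
#   unknown         - no version banner found in the text
#   older-than-fix  - version string is below 21.1.9
#   fixed-or-newer  - version string is 21.1.9 or later
assess_xorg() {
    v=$(printf '%s\n' "$1" | xserver_version)
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_XORG"; then
        echo "older-than-fix"
    else
        echo "fixed-or-newer"
    fi
}

# Constructed sample banners (Xorg writes this banner to stderr, hence the
# 2>&1 in the live invocation below).
SAMPLE_OLD='X.Org X Server 21.1.8
X Protocol Version 11, Revision 0
Current Operating System: Linux igel-endpoint 5.15.0 #1 SMP x86_64'
SAMPLE_NEW='X.Org X Server 21.1.9
X Protocol Version 11, Revision 0'

echo "sample old: $(assess_xorg "$SAMPLE_OLD")"   # older-than-fix
echo "sample new: $(assess_xorg "$SAMPLE_NEW")"   # fixed-or-newer
# Live use on an endpoint:  assess_xorg "$(Xorg -version 2>&1)"
```

The numeric component comparison is the part worth keeping even if you adapt this to another package: a plain string or lexical `sort` would rank 21.1.10 below 21.1.9 and report a patched server as unpatched.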
References
- X.Org Security Advisory: https://lists.x.org/archives/xorg-announce/2023-October/003430.html
- CVE-2023-5367: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5367
- CVE-2023-5574: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5574
- CVE-2023-5380: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5380