CVE-2023-5574

Note

Priority reason:
Only affects legacy multiscreen setups with Zaphod
xorg server is actually the xorg-server package
the xorg package only contains docs
xwayland package contains parts of xorg-server
issue does not affected xwayland
This is ZDI-CAN-21213
Due to last minute regressions, the final patches have not yet
been released for this issue.
This issue only affects Xvfb and requires a legacy multi-screen
setup with multiple protocol screens ("Zaphod").

Package	Release	Status
xorg Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Needs triage
xorg-hwe-16.04 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Not vulnerable (code not present)
xorg-hwe-18.04 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Does not exist
xorg-server Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	trusty	Needs triage
	upstream	Needs triage
	xenial	Needs triage
	Patches: upstream: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189
xorg-server-hwe-16.04 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
xorg-server-hwe-18.04 Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
xorg-server-lts-utopic Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Does not exist
xorg-server-lts-vivid Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Does not exist
xorg-server-lts-wily Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Does not exist
xorg-server-lts-xenial Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Does not exist
xwayland Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Not vulnerable
	lunar	Not vulnerable
	mantic	Not vulnerable
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Does not exist

Parameter	Value
Base score	7.0
Attack vector	Local
Attack complexity	High
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-5574

Notes

Priority

Cvss 3 Severity Score

Status

Severity score breakdown

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading