USN-6587-5: X.Org X Server vulnerabilities

13 March 2024

Several security issues were fixed in X.Org X Server.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

USN-6587-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 14.04 LTS.

Original advisory details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the RRChangeOutputProperty and
RRChangeProviderProperty APIs. An attacker could possibly use this issue to
cause the X Server to crash, or obtain sensitive information.
(CVE-2023-6478)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
attacker could possibly use this issue to cause the X Server to crash,
obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
reattaching to a different master device. An attacker could use this issue
to cause the X Server to crash, leading to a denial of service, or possibly
execute arbitrary code. (CVE-2024-0229)

Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
use this issue to cause the X Server to crash, leading to a denial of
service. (CVE-2024-0408)

Olivier Fourdan discovered that the X.Org X Server incorrectly handled
the curser code when used with SELinux. An attacker could use this issue to
cause the X Server to crash, leading to a denial of service.
(CVE-2024-0409)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the XISendDeviceHierarchyEvent API. An attacker
could possibly use this issue to cause the X Server to crash, or execute
arbitrary code. (CVE-2024-21885)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
devices being disabled. An attacker could possibly use this issue to cause
the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04

After a standard system update you need to reboot your computer to make all
the necessary changes.

Related notices

  • USN-6587-1: xorg-server, xserver-xephyr, xvfb, xorg-server-source, xwayland, xserver-xorg-core, xdmx-tools, xserver-xorg-legacy, xnest, xserver-common, xdmx, xserver-xorg-dev
  • USN-6587-2: xorg-server, xserver-xephyr, xvfb, xorg-server-source, xwayland, xserver-xorg-core, xdmx-tools, xserver-xorg-legacy, xnest, xserver-xorg-xmir, xmir, xdmx, xserver-xorg-dev, xserver-common
  • USN-6555-1: xorg-server, xserver-xephyr, xvfb, xorg-server-source, xwayland, xserver-xorg-core, xdmx-tools, xserver-xorg-legacy, xnest, xserver-common, xdmx, xserver-xorg-dev
  • USN-6555-2: xorg-server, xserver-xephyr, xvfb, xorg-server-source, xwayland, xserver-xorg-core, xdmx-tools, xserver-xorg-legacy, xnest, xserver-xorg-xmir, xmir, xdmx, xserver-xorg-dev, xserver-common