xorg-server -- Multiple vulnerabilities

The X.Org project reports:

• CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org server: Out-of-bounds memory write in XKB button actions

  A device has XKB button actions for each button on the device. When a logical device switch happens (e.g. moving from a touchpad to a mouse), the server re-calculates the information available on the respective master device (typically the Virtual Core Pointer). This re-calculation only allocated enough memory for a single XKB action rather instead of enough for the newly active physical device's number of button. As a result, querying or changing the XKB button actions results in out-of-bounds memory reads and writes.

  This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

• CVE-2023-6478/ZDI-CAN-22561: X.Org server: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty

  This fixes an OOB read and the resulting information disclosure.

  Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->nUnits value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check.

  The server then proceeded with reading at least stuff->nUnits bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->nUnits bytes, i.e. 4GB.

[source]