X.Org Server 21.1.23 Fixes 9 Vulnerabilities

Corrective releases of X.Org Server 21.1.23 and xwayland 24.1.12 have been published. xwayland is the DDX (Device-Dependent X) component that launches X.Org Server to run X11 applications in Wayland-based environments. The new versions fix 9 vulnerabilities. Some of them have the potential to be exploited for privilege escalation on systems where the X server runs as root, and for remote code execution in configurations that use X11 session redirection over SSH for access.

Vulnerabilities Fixed (CVE IDs not assigned):

  • Buffer overflow when processing alternative font names. This issue arises from differing restrictions on the size of font names between the libXfont2 library and the X server.
  • Use-after-free memory accesses in the functions miSyncDestroyFence(), FreeCounter(), and SyncChangeCounter(), caused by errors in updating reference counters.
  • Buffer overflow when handling certain types of keys in XKB caused by an incorrect calculation of the character code table size.
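
The two exposure conditions named above (an X server running as root, and X11 forwarding over SSH) can be combined with the fixed version numbers into a quick triage check. This is an added example, not code from the X.Org project: the function names and the sample sshd_config are constructed, and it assumes upstream version numbers, so a distribution package that backports the fixes under an older version will be reported as unpatched.

```shell
#!/usr/bin/env bash
# Fixed versions are the ones named in the article; everything else is assumed.
FIXED_XORG="21.1.23"
FIXED_XWAYLAND="24.1.12"

# True (0) when dotted version $1 is strictly older than $2 (needs sort -V).
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads sshd_config text on stdin and prints the effective X11Forwarding value.
# sshd keeps the first occurrence of a keyword and defaults to "no".
# Limitation: Match blocks and Include files are not evaluated.
x11_forwarding() {
    awk 'tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }'
}

# assess <xorg-server|xwayland> <installed-version> <runs-as-root> <x11-forwarding>
# Prints "patched", or "unpatched" followed by the exposure conditions that apply.
assess() {
    case "$1" in
        xorg-server) assess_fixed="$FIXED_XORG" ;;
        xwayland)    assess_fixed="$FIXED_XWAYLAND" ;;
        *) echo "unknown-component"; return 0 ;;
    esac
    if ! version_lt "$2" "$assess_fixed"; then
        echo "patched"
        return 0
    fi
    assess_risk="unpatched"
    if [ "$3" = "yes" ]; then assess_risk="$assess_risk,root-server"; fi
    if [ "$4" = "yes" ]; then assess_risk="$assess_risk,ssh-x11-forwarding"; fi
    echo "$assess_risk"
}

# Constructed sample input, not taken from a real host.
SAMPLE_SSHD_CONFIG='# X11Forwarding no
PermitRootLogin no
X11Forwarding yes
X11Forwarding no'
fwd=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | x11_forwarding)
assess xorg-server 21.1.22 yes "$fwd"
```

On a real host the inputs would come from the package manager's reported version, the owner of the running X server process, and the contents of the sshd configuration.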