Source: xorg-server
Version: 2:21.1.9-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2:21.1.7-3
Control: found -1 2:21.1.7-3+deb12u2
Control: found -1 2:1.20.11-1
Control: found -1 2:1.20.11-1+deb11u8
Hi,

The following vulnerability was published for xorg-server. Known already, and this is the CVE which was last-minute backed out of the last release. Filing the downstream bug to have a tracking of it for us in Debian.

CVE-2023-5574[0]:
| A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue
| occurs in Xvfb with a very specific and legacy configuration (a
| multi-screen setup with multiple protocol screens, also known as
| Zaphod mode). If the pointer is warped from a screen 1 to a screen
| 0, a use-after-free issue may be triggered during shutdown or reset
| of the Xvfb server, allowing for possible escalation of privileges
| or denial of service.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5574
    https://www.cve.org/CVERecord?id=CVE-2023-5574
[1] https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189
[2] https://lists.x.org/archives/xorg-announce/2023-October/003430.html

Regards,
Salvatore