Here's another reminder that checking regularly for updates is always a good thing, because there are new releases available for both the X.Org X server and Xwayland due to multiple reported security issues.
First up, here are the issues reported and fixed:
- CVE-2023-6816 can be triggered by passing an invalid array index to DeviceFocusEvent or ProcXIQueryPointer.
- CVE-2024-0229 can be triggered if a device has both a button and a key class and zero buttons.
- CVE-2024-21885 can be triggered if a device with a given ID was removed and a new device with the same ID added both in the same operation.
- CVE-2024-21886 can be triggered by disabling a master device with disabled slave devices.
- CVE-2024-0409 can be triggered by enabling SELinux xserver_object_manager and running a client.
- CVE-2024-0408 can be triggered by enabling SELinux xserver_object_manager and creating a GLX PBuffer.
This security advisory went public on the X.Org mailing list this morning.
The issues are present in the X.Org X server prior to 21.1.11 and in Xwayland prior to 23.2.4, both of which were just announced and released. The xorg-server 21.1.11 release "also contains a fix for XRandR to allow for multiple virtual monitors on a physical display", and xwayland 23.2.4 "also contains several other fixes for glamor, libEI support, and FreeBSD".
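As an added check (not part of this report or of the X.Org releases themselves), here is a small POSIX shell helper that compares an installed version against the fixed releases named above; it assumes plain dotted version strings and strips any distribution suffix such as "-1ubuntu2" before comparing, so packaging schemes with epochs are not handled.

```shell
#!/bin/sh
# Added example: is an installed xorg-server / Xwayland older than the fixed release?
# Fixed versions are the ones stated in the advisory.
XORG_FIXED="21.1.11"
XWAYLAND_FIXED="23.2.4"

# version_lt A B: return 0 if dotted version A is strictly older than B.
# Assumption: versions look like "21.1.10" or "21.1.10-1ubuntu2"; anything from
# the first non-digit/non-dot character onward is a distro suffix and is dropped.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//').
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//').
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both sides exhausted with no difference found: the versions are equal.
        [ -z "$x" ] && [ -z "$y" ] && return 1
        x=${x:-0}
        y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# needs_update COMPONENT VERSION: print a verdict; return 0 if VERSION is affected.
needs_update() {
    case "$1" in
        xorg-server) fixed=$XORG_FIXED ;;
        xwayland)    fixed=$XWAYLAND_FIXED ;;
        *) echo "unknown component: $1" >&2; return 2 ;;
    esac
    if version_lt "$2" "$fixed"; then
        echo "$1 $2 is affected, update to $fixed or later"
        return 0
    fi
    echo "$1 $2 is not affected"
    return 1
}

# Usage with live data (assumption: your X server prints "X.Org X Server <version>"):
#   needs_update xorg-server "$(Xorg -version 2>&1 | sed -n 's/^X.Org X Server //p')"
```

Feed it the version reported by your package manager if you prefer that over the binary's own banner.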