openEuler 22.03 LTS SP3 update for xorg-x11-server-xwayland
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2023-6478 CVE-2023-6816 CVE-2024-0408 CVE-2024-31080 CVE-2024-31081 |
| CWE-ID | CWE-190 CWE-122 CWE-20 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system xorg-x11-server-Xwayland-devel Operating systems & Components / Operating system package or component xorg-x11-server-Xwayland-debugsource Operating systems & Components / Operating system package or component xorg-x11-server-Xwayland-debuginfo Operating systems & Components / Operating system package or component xorg-x11-server-Xwayland Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU84373
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-6478
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to integer overflow when handling RRChangeProviderProperty or RRChangeOutputProperty requests. A local user can send a specially crafted request to the server, trigger an integer overflow and gain access to sensitive information.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP3
xorg-x11-server-Xwayland-devel: before 22.1.2-4
xorg-x11-server-Xwayland-debugsource: before 22.1.2-4
xorg-x11-server-Xwayland-debuginfo: before 22.1.2-4
xorg-x11-server-Xwayland: before 22.1.2-4
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1557
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU85447
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-6816
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the DeviceFocusEvent and ProcXIQueryPointer functions. A local user can trigger a heap-based buffer overflow and execute arbitrary code on the target system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP3
xorg-x11-server-Xwayland-devel: before 22.1.2-4
xorg-x11-server-Xwayland-debugsource: before 22.1.2-4
xorg-x11-server-Xwayland-debuginfo: before 22.1.2-4
xorg-x11-server-Xwayland: before 22.1.2-4
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1557
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU85449
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0408
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrectly labeled GLX PBuffers. A local user can perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP3
xorg-x11-server-Xwayland-devel: before 22.1.2-4
xorg-x11-server-Xwayland-debugsource: before 22.1.2-4
xorg-x11-server-Xwayland-debuginfo: before 22.1.2-4
xorg-x11-server-Xwayland: before 22.1.2-4
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1557
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU88115
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-31080
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a boundary error within the ProcXIGetSelectedEvents() function. A local user can trigger a heap-based buffer overflow and read system memory.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP3
xorg-x11-server-Xwayland-devel: before 22.1.2-4
xorg-x11-server-Xwayland-debugsource: before 22.1.2-4
xorg-x11-server-Xwayland-debuginfo: before 22.1.2-4
xorg-x11-server-Xwayland: before 22.1.2-4
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1557
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Heap-based buffer overflow
EUVDB-ID: #VU88116
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-31081
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP3
xorg-x11-server-Xwayland-devel: before 22.1.2-4
xorg-x11-server-Xwayland-debugsource: before 22.1.2-4
xorg-x11-server-Xwayland-debuginfo: before 22.1.2-4
xorg-x11-server-Xwayland: before 22.1.2-4
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:xorg-x11-server-xwayland:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1557
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
