Vulnerability CVE-2023-6816: Information

Description

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: Jan. 18, 2024
Modified: May 22, 2024
Error type identifier: CWE-787 (Out-of-bounds Write)

Fixed packages

Package name    Branch            Fixed in version  Version from repository  Errata ID            Task #   State
xorg-server     sisyphus_riscv64  21.1.11-alt1      21.1.13-alt1             ALT-PU-2024-2940-1   -        Fixed
xorg-server     p10               1.20.14-alt11     1.20.14-alt13            ALT-PU-2024-1183-2   338291   Fixed
xorg-server     p9                1.20.8-alt12      1.20.8-alt12             ALT-PU-2024-1181-2   338294   Fixed
xorg-server     c10f1             1.20.14-alt11     1.20.14-alt12            ALT-PU-2024-4743-2   343922   Fixed
xorg-server     c9f2              1.20.8-alt12      1.20.8-alt12             ALT-PU-2024-3261-2   341756   Fixed
xorg-xwayland   sisyphus          23.2.4-alt1       24.1.0-alt1              ALT-PU-2024-5972-1   338286   Fixed
xorg-xwayland   p10               23.1.1-alt4       23.1.1-alt5              ALT-PU-2024-1182-2   338291   Fixed
xorg-xwayland   c10f1             23.1.1-alt4       23.1.1-alt5              ALT-PU-2024-4745-2   343922   Fixed

References to Advisories, Solutions, and Tools

Configuration 1

    cpe:2.3:a:x.org:xwayland:*:*:*:*:*:*:*:*
    Version end excluding: 23.2.4

    cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
    Version end excluding: 21.1.11

Configuration 2

    cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Configuration 3

    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

Configuration 4

    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*