CVSROOT: /cvs
Module name: xenocara
Changes by: matth...@cvs.openbsd.org 2024/01/16 05:34:23
Modified files:
xserver/Xi : exevents.c xichangehierarchy.c xiquerypointer.c
xserver/dix : devices.c enterleave.c
xserver/glx : glxcmds.c
xserver/hw/kdrive/ephyr: ephyrcursor.c
Log message:
Multiple issues have been found in the X server and Xwayland
implementations:
1) CVE-2023-6816 can be triggered by passing an invalid array index to
DeviceFocusEvent or ProcXIQueryPointer.
2) CVE-2024-0229 can be triggered if a device has both a button and a
key class and zero buttons.
3) CVE-2024-21885 can be triggered if a device with a given ID was
removed and a new device with the same ID added both in the same
operation.
4) CVE-2024-21886 can be triggered by disabling a master device with
disabled slave devices.
5) CVE-2024-0409 can be triggered by enabling SELinux
xserver_object_manager and running a client.
6) CVE-2024-0408 can be triggered by enabling SELinux
xserver_object_manager and creating a GLX PBuffer.
