From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-3109-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 9CCED15806E
	for <garchives@archives.gentoo.org>; Tue, 30 May 2023 03:00:46 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 4DA47E0B4B;
	Tue, 30 May 2023 02:59:28 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 58D07E0B18
	for <gentoo-announce@lists.gentoo.org>; Tue, 30 May 2023 02:54:56 +0000 (UTC)
Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165])
	by smtp.gentoo.org (Postfix) with ESMTP id 96DA634116D
	for <gentoo-announce@lists.gentoo.org>; Tue, 30 May 2023 02:54:55 +0000 (UTC)
Received: from [172.18.0.3] (unknown [172.18.0.3])
	by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 82AD5ABF22
	for <gentoo-announce@lists.gentoo.org>; Tue, 30 May 2023 02:54:55 +0000 (UTC)
Subject: [gentoo-announce] [ GLSA 202305-30 ] X.Org X server, XWayland: Multiple Vulnerabilities
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="pgp-sha512"; boundary="===============6827191331652211689=="
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Tue, 30 May 2023 02:54:55 -0000
Message-ID: <168541529553.7.13366535329174124989@6e8ad1bdc8cb>
X-Archives-Salt: 3b8ea0e9-8b5c-4e72-a0fb-a4199480dc74
X-Archives-Hash: 9468615db136bb886114f2b9b378bbb7

--===============6827191331652211689==
Content-Type: text/plain; charset="utf-8"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202305-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: X.Org X server, XWayland: Multiple Vulnerabilities
     Date: May 30, 2023
     Bugs: #829208, #877459, #885825, #893438, #903547
       ID: 202305-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in the Xorg Server and
XWayland, the worst of which can result in privilege escalation or
remote code execution.

Background
==========

The X Window System is a graphical windowing system based on a
client/server model.

Affected packages
=================

Package               Vulnerable    Unaffected
--------------------  ------------  ------------
x11-base/xorg-server  < 21.1.8      >= 21.1.8
x11-base/xwayland     < 23.1.1      >= 23.1.1

Description
===========

Multiple vulnerabilities have been discovered in X.Org X server,
XWayland. Please review the CVE identifiers referenced below for
details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X.Org X server users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.8"

All XWayland users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-base/xwayland-23.1.1"

References
==========

[ 1 ] CVE-2021-4008
      https://nvd.nist.gov/vuln/detail/CVE-2021-4008
[ 2 ] CVE-2021-4009
      https://nvd.nist.gov/vuln/detail/CVE-2021-4009
[ 3 ] CVE-2021-4010
      https://nvd.nist.gov/vuln/detail/CVE-2021-4010
[ 4 ] CVE-2021-4011
      https://nvd.nist.gov/vuln/detail/CVE-2021-4011
[ 5 ] CVE-2022-3550
      https://nvd.nist.gov/vuln/detail/CVE-2022-3550
[ 6 ] CVE-2022-3551
      https://nvd.nist.gov/vuln/detail/CVE-2022-3551
[ 7 ] CVE-2022-3553
      https://nvd.nist.gov/vuln/detail/CVE-2022-3553
[ 8 ] CVE-2022-4283
      https://nvd.nist.gov/vuln/detail/CVE-2022-4283
[ 9 ] CVE-2022-46283
      https://nvd.nist.gov/vuln/detail/CVE-2022-46283
[ 10 ] CVE-2022-46340
      https://nvd.nist.gov/vuln/detail/CVE-2022-46340
[ 11 ] CVE-2022-46341
      https://nvd.nist.gov/vuln/detail/CVE-2022-46341
[ 12 ] CVE-2022-46342
      https://nvd.nist.gov/vuln/detail/CVE-2022-46342
[ 13 ] CVE-2022-46343
      https://nvd.nist.gov/vuln/detail/CVE-2022-46343
[ 14 ] CVE-2022-46344
      https://nvd.nist.gov/vuln/detail/CVE-2022-46344
[ 15 ] CVE-2023-0494
      https://nvd.nist.gov/vuln/detail/CVE-2023-0494
[ 16 ] CVE-2023-1393
      https://nvd.nist.gov/vuln/detail/CVE-2023-1393
[ 17 ] ZDI-CAN-19596

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-30

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
--===============6827191331652211689==
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmR1ZX8ACgkQFMQkOaVy
+9kh4Q//Sf2mdd2INp1pdmE5nN1AbShoR0/T7OnrhjBeMy5p2ln0yHhLp6jdF25U
62UaVu7UWH/E3xiREap7+bXZSbjOan3eVnUwJu0IPGyu3pY6/hRSXW8zy+OAbusq
gkzohzZj1tbuoPbFZ+jRQt9xbZhS0SaAljWhwGl87yG/9fDqhR9vaWAyvA9eIMpQ
UL0t9oxx+svmZvShiuDKmqkPaP8Ppj7u3EHe/Pj+lfX3SAJutoByTtzkPrLqD8et
Nq6kZtMeoIQk0MYqv1fgz1xZ1c+4D5TvxQTIp8XWcEJpi8UBexjt2Ff6fkDcqTrJ
p7EMp/VbaVxdJo8Ods0n5H4AYnkOEw91RHSmKN/CSdyvADcbKpatNExCxOqjzaIM
Gr4ENfGyjZW8NWPmc5T007w1Rb5TwAYa0BooBXxNNyIbNV5V2eOQAf3buFBSwEN7
YGoRG2a0LKt0rGgldW4b9RZepPcyPaQCATQnXK3Xhd6dJGqdiv9xtPfsNgsEyEp0
Lcs3s63Q+DR93oic+CTaXVnu2F0DW/WKpBP9X69+2e+MnEwsdVYgwO3RoBCkV17W
YlRIS8gp2TVBcnjX8bw22f1nTbHnt8KJnUor7NHxQFWRZ5MCbm6hNGma/NVsglSp
o9+LWvhUC8drarZUJluRqX5lHrI06PDoabQsZxXpJ+zmW+drl0Y=
=SyCd
-----END PGP SIGNATURE-----

--===============6827191331652211689==--