First published: Wed Jan 10 2024
A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any logical value up to 255, but the X.Org Server only allocated space for the device's own number of physical buttons, so setting the bit for a larger mapped value wrote past the end of the heap-allocated buffer.
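The sizing mistake behind this CVE, as an added worked example that is not X.Org code: a constructed model in which the button-mask length is computed two ways, once from the device's physical button count (the pre-fix pattern) and once from the 256 values an 8-bit logical button number can take. The names Device, build_button_mask, vulnerable_mask_len and fixed_mask_len are this example's own, and the sample device (a three-button mouse with button 3 remapped to 255) is constructed for the demonstration. Instead of corrupting the heap, the writer bounds-checks each bit so the out-of-range write is reported as a return code.

```c
/* Constructed model of the CVE-2023-6816 sizing bug (added example, not X.Org code).
 * X buttons are numbered 1..numButtons; each can be mapped to a logical button
 * number in 0..255 (0 = disabled), so a "one bit per logical button" mask must
 * hold 256 bits regardless of how many physical buttons the device has. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BUTTONS 256                 /* logical button numbers are 8-bit (assumed name) */
#define bits_to_bytes(n) (((n) + 7) / 8)

typedef struct {
    int     numButtons;                 /* physical buttons on the device */
    uint8_t map[MAX_BUTTONS];           /* physical index -> logical number (0..255) */
    uint8_t down[MAX_BUTTONS];          /* nonzero if physical button i is pressed */
} Device;

/* Pre-fix sizing: room for the device's own button count only. */
size_t vulnerable_mask_len(const Device *dev) {
    return bits_to_bytes(dev->numButtons);
}

/* Post-fix sizing: room for every logical number a button can be mapped to. */
size_t fixed_mask_len(const Device *dev) {
    (void)dev;
    return bits_to_bytes(MAX_BUTTONS);
}

/* Set one bit per logical button currently down. Returns 0 on success, or -1
 * if a bit would land past mask_len bytes, which is the out-of-bounds write
 * the unchecked original performed on the heap-allocated event or reply. */
int build_button_mask(const Device *dev, uint8_t *mask, size_t mask_len) {
    memset(mask, 0, mask_len);
    for (int i = 1; i <= dev->numButtons; i++) {
        if (!dev->down[i])
            continue;
        unsigned logical = dev->map[i];
        if (logical == 0)               /* mapped to nothing */
            continue;
        size_t byte = logical / 8;
        if (byte >= mask_len)
            return -1;
        mask[byte] |= (uint8_t)(1u << (logical % 8));
    }
    return 0;
}

/* Constructed sample: a three-button mouse whose third button a client has
 * remapped (as XSetPointerMapping allows) to logical button 255, now pressed. */
void make_test_device(Device *dev) {
    memset(dev, 0, sizeof *dev);
    dev->numButtons = 3;
    dev->map[1] = 1;
    dev->map[2] = 2;
    dev->map[3] = 255;
    dev->down[3] = 1;
}

/* 1 if a mask sized by numButtons (1 byte here) cannot hold logical button 255. */
int vulnerable_sizing_overflows(void) {
    Device dev;
    uint8_t mask[MAX_BUTTONS / 8];
    make_test_device(&dev);
    return build_button_mask(&dev, mask, vulnerable_mask_len(&dev)) == -1;
}

/* The last mask byte when sized for MAX_BUTTONS (bit 7 set for button 255),
 * or -1 if the build failed. */
int fixed_sizing_mask_last_byte(void) {
    Device dev;
    uint8_t mask[MAX_BUTTONS / 8];
    make_test_device(&dev);
    if (build_button_mask(&dev, mask, fixed_mask_len(&dev)) != 0)
        return -1;
    return mask[MAX_BUTTONS / 8 - 1];
}

int main(void) {
    Device dev;
    make_test_device(&dev);
    printf("vulnerable mask: %zu byte(s), fixed mask: %zu bytes\n",
           vulnerable_mask_len(&dev), fixed_mask_len(&dev));
    printf("numButtons sizing overflows: %s\n",
           vulnerable_sizing_overflows() ? "yes" : "no");
    printf("MAX_BUTTONS sizing, last byte: 0x%02x\n", fixed_sizing_mask_last_byte());
    return 0;
}
```

The point to take from the model is that the correct allocation size is a property of the protocol (the width of a logical button number), not of the device: any mask derived from numButtons is wrong the moment a client remaps a button above that count, which an unprivileged X client can do.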
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/xorg-server | <21.1.11 | 21.1.11 |
redhat/xwayland | <23.2.4 | 23.2.4 |
debian/xorg-server | 2:1.20.11-1+deb11u13 2:1.20.11-1+deb11u15 2:21.1.7-3+deb12u9 2:21.1.16-1 | |
debian/xwayland | <=2:22.1.9-1 | 2:24.1.6-1 |
X.Org Xserver | <21.1.11 | |
Red Hat Xorg-x11-server-xwayland | <23.2.4 | |
Red Hat Fedora | =39 | |
Red Hat Enterprise Linux Desktop | =7.0 | |
Red Hat Enterprise Linux Server | =7.0 | |
Red Hat Enterprise Linux Workstation | =7.0 | |
Debian Linux | =10.0 | |
SecAlerts classifies CVE-2023-6816 as moderate severity.
To fix CVE-2023-6816, upgrade to xorg-server 21.1.11 or later, or to xwayland 23.2.4 or later.
CVE-2023-6816 affects xorg-server and xwayland on specific versions of Red Hat and Debian systems.
CVE-2023-6816 is a heap overflow in the X.Org server: the button masks in DeviceFocusEvent and the XIQueryPointer reply were sized for the device's physical button count, while a button may be mapped to any logical value up to 255.
Patches have been released for the affected versions of xorg-server and xwayland.