X.Org Server 21.1.22 is out today, driven by five new security vulnerabilities being disclosed for the aging codebase. These vulnerabilities also affect XWayland, necessitating the XWayland 24.1.10 release.
The TrendAI Zero Day Initiative uncovered another handful of vulnerabilities within the X.Org Server codebase. These days, most X.Org Server releases are motivated by the need to address security issues. Some of the issues date back to X11R6.6, while others were introduced more recently, in X.Org Server 1.9.0 and 21.1.3.
The issues include an XKB integer underflow, multiple XKB out-of-bounds reads, an XSYNC use-after-free, and an XKB buffer overflow. The impact of this round of disclosures is mostly the ability to read uninitialized memory.
See today’s security bulletin for more information on these latest vulnerabilities. X.Org Server 21.1.22 and XWayland 24.1.10 can now be downloaded for those concerned about these issues.
It was 13 years ago that a security researcher noted the X.Org security disaster, saying “it’s worse than it looks”, and all these years later new security issues continue to come to light in the aging and little-maintained codebase.
