Ubuntu fixes X.Org X Server flaws, one critical
Take action: If you are using Linux with a graphical UI, patch your `xorg-server` and `xwayland` X server components. The risks are not immediate, but given enough time a hacker will find the vulnerable X server on your Linux computer.
The Ubuntu Security Team recently issued updates to address multiple vulnerabilities in the X.Org X Server, a component for graphical user interfaces on Linux systems, affecting Ubuntu versions 20.04 LTS, 22.04 LTS, 23.04, and 23.10. The vulnerabilities, if exploited, could enable attackers to crash the server, steal sensitive data, or execute arbitrary code on the affected systems:
- CVE-2023-6816 (CVSS score 9.8) involves improper memory handling by the X Server during the processing of DeviceFocusEvent and ProcXIQueryPointer APIs, which could lead to severe consequences such as crashing the X Server, information theft, or arbitrary code execution.
- CVE-2024-0229 (CVSS score 7.8) is an issue with the X Server’s handling of reattaching to a different master device. This vulnerability could be exploited to crash the X Server, thereby causing a denial of service or enabling the execution of arbitrary code.
- CVE-2024-0408 (CVSS score 5.5) and CVE-2024-0409 (CVSS score 7.8) pertain to the incorrect labeling of GLX PBuffers and handling of cursor code when used with SELinux, respectively. These vulnerabilities could lead to crashes and denial of service.
- CVE-2024-21885 (CVSS score 7.8) and CVE-2024-21886 (CVSS score 7.8) involve the X Server's memory handling mechanisms in specific functions, posing risks of crashes or arbitrary code execution.
Users are urged to update their systems by applying the provided patches for their respective Ubuntu versions. This process involves updating the `xorg-server` and `xwayland` packages to the latest versions through standard system update mechanisms, followed by a system reboot to ensure all changes take effect.
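The update procedure above, as an added example script that is not part of the article or of Ubuntu's own tooling. It assumes the usual Ubuntu packaging, where the `xorg-server` source package ships the `xserver-xorg-core` and `xserver-xorg-legacy` binary packages and the `xwayland` source package ships `xwayland`; it upgrades only the packages that are actually installed, then checks the standard `/var/run/reboot-required` marker so the patched server is really the one running. The dpkg status lines fed to it in the dry-run path are constructed sample data.

```shell
#!/bin/sh
# Added example: patch only the X server packages the advisory names.
# Assumed binary package names for the xorg-server and xwayland sources
# (adjust if your installation differs).
X_PACKAGES="xserver-xorg-core xserver-xorg-legacy xwayland"

# Read dpkg-query lines of the form
#   <package> <want> <flag> <status> <version>
# (e.g. "xwayland install ok installed 2:22.1.1-1")
# on stdin and print the names of packages that are fully installed.
installed_from_status() {
    while read -r pkg _want _flag state _version; do
        [ "$state" = "installed" ] || continue
        echo "$pkg"
    done
    return 0
}

# Query the live package database for X_PACKAGES (word splitting intended).
query_status() {
    # shellcheck disable=SC2086
    dpkg-query -W -f='${Package} ${Status} ${Version}\n' $X_PACKAGES 2>/dev/null
}

# Build the upgrade command: --only-upgrade refuses to pull in packages
# that are not already present, so a system without Xwayland stays without it.
upgrade_command() {
    echo "apt-get install --only-upgrade -y $*"
}

# Ubuntu's update-notifier creates this marker when a reboot is needed
# to load updated components; an explicit path may be passed for testing.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

if [ "${1:-}" = "--apply" ]; then
    pkgs=$(query_status | installed_from_status | tr '\n' ' ')
    [ -n "$pkgs" ] || { echo "No X server packages installed; nothing to do."; exit 0; }
    sudo apt-get update
    # shellcheck disable=SC2086
    sudo sh -c "$(upgrade_command $pkgs)"
    if reboot_required; then
        echo "Reboot required: the running X server is still the old binary."
    fi
fi
```

Run it as `sh patch-xserver.sh --apply` on the affected host. Parsing the full `${Status}` field rather than just the package name matters: a package left in the `deinstall ... config-files` state (removed but with configuration retained) would otherwise be reinstalled, and the reboot check is what separates "package updated" from "vulnerable code no longer running", since the X server process keeps the old code in memory until the session is restarted.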