CVE-2024-0408

MEDIUM

X.Org server - Info Disclosure

Description

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

Scores

CVSS v3 5.5
EPSS 0.0002
EPSS Percentile 4.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE CWE-158
Status published

Affected Products (15)

tigervnc/tigervnc < 1.13.1
x.org/x_server < 21.1.11
x.org/xwayland < 23.2.4
fedoraproject/fedora
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux_desktop
redhat/enterprise_linux_for_ibm_z_systems
redhat/enterprise_linux_for_power_big_endian
redhat/enterprise_linux_for_power_little_endian
redhat/enterprise_linux_for_scientific_computing
redhat/enterprise_linux_server
redhat/enterprise_linux_workstation

Timeline

Published Jan 18, 2024
Tracked Since Feb 18, 2026