Multiple CVE fixes
Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.11 and xwayland-23.2.4.
-
CVE-2023-6816 can be triggered by passing an invalid array index to DeviceFocusEvent or ProcXIQueryPointer.
-
CVE-2024-0229 can be triggered if a device has both a button and a key class and zero buttons.
-
CVE-2024-21885 can be triggered if a device with a given ID was removed and a new device with the same ID added both in the same operation.
-
CVE-2024-21886 can be triggered by disabling a master device with disabled slave devices.
-
CVE-2024-0409 can be triggered by enabling SELinux xserver_object_manager and running a client.
-
CVE-2024-0408 can be triggered by enabling SELinux xserver_object_manager and creating a GLX PBuffer.