X.org X11 server vulnerability CVE-2024-9632

Rated 7.8, this vulnerability is already being addressed by the big software distributions and trickling in for Qubes templates.

When do we expect the dom0/sys-gui update?

2 Likes

Does this impact Qubes OS in any meaningful way?

2 Likes

I don’t know how to quantify (or to determine) “meaningful” in this context. :slight_smile:
Hence the question.

1 Like

local privilege escalation in distributions where the X.org server is run with root privileges

it’s been a while since we stopped running X as root. “we” refers to operating systems / distributions in general.

edit: although, it seems X is running as root on Qubes OS >_>

2 Likes

Exactly… :grimacing:

[user@dom0 ~]$ ps -efww | grep [b]in/X
root        4116    4103  1 09:11 tty1     00:02:57 /usr/bin/X -core -noreset :0 -seat seat0 -auth /run/lightdm/root/:0 -nolisten tcp vt1 -novtswitch
[user@dom0 ~]$

1 Like

Applications in VMs cannot talk directly to the X server in dom0; in particular, they cannot craft a request that would trigger this bug. So, Qubes OS as a whole is not affected by this issue.
X server instances in individual VMs may be affected (it would allow an application inside a VM to compromise its own X server only). This doesn’t give an attacker much, especially since the X server in a VM is running as a normal user, so it doesn’t even allow root escalation. Distributions used in VMs will ship a fix for this according to their update policies and mechanisms.

4 Likes
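The reasoning in the two posts above (root X in dom0 is unreachable from VM clients, root X inside a VM is a real local escalation path, non-root X limits the damage) can be turned into a small audit script. This is an added example, not code from the thread or from the Qubes project; it assumes that the marker file /usr/share/qubes/marker-vm is present inside Qubes VMs and absent in dom0, and the sample PIDs are made up.

```shell
#!/bin/sh
# Added example: classify running X servers the way the thread does.
# It works on `ps -efww` lines, so the classifier can be tested without X.
# Assumption: /usr/share/qubes/marker-vm exists only inside Qubes VMs.

# classify_x_line LINE CONTEXT -> prints "user|tcp-state|verdict"
# CONTEXT is "dom0" or "vm".
classify_x_line() {
    line=$1; ctx=$2
    user=$(printf '%s\n' "$line" | awk '{print $1}')
    case $line in
        *"-nolisten tcp"*) tcp="tcp-disabled" ;;
        *) tcp="tcp-maybe-enabled" ;;
    esac
    if [ "$user" = root ]; then
        if [ "$ctx" = dom0 ]; then
            verdict="root X in dom0: VM clients cannot reach it via the GUI protocol, but patch dom0 anyway"
        else
            verdict="root X inside a VM: a local user of this VM could gain root; update the template"
        fi
    else
        verdict="X runs as $user: a compromise is limited to that user's session"
    fi
    printf '%s|%s|%s\n' "$user" "$tcp" "$verdict"
}

# is_vm -> 0 when this looks like a Qubes VM, 1 otherwise (assumed marker path)
is_vm() { [ -e /usr/share/qubes/marker-vm ]; }

# audit_running_x: classify every live X server process on this host
audit_running_x() {
    if is_vm; then ctx=vm; else ctx=dom0; fi
    ps -efww | grep '[b]in/X' | while IFS= read -r l; do
        classify_x_line "$l" "$ctx"
    done
}

# Constructed sample: the dom0 process line quoted in the thread (PIDs made up).
SAMPLE_DOM0='root 4116 4103 1 09:11 tty1 00:02:57 /usr/bin/X -core -noreset :0 -seat seat0 -auth /run/lightdm/root/:0 -nolisten tcp vt1 -novtswitch'

# Run with "live" to audit this machine; otherwise classify the sample line.
case ${1:-} in
    live) audit_running_x ;;
    *) classify_x_line "$SAMPLE_DOM0" dom0 ;;
esac
```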

Thanks @marmarek !

2 Likes