Alpine: multiple xorg-server packages: security update to 21.1.9-r0

high Tenable Self-Hosted Container Security Plugin ID 407934

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect
calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function
in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible
escalation of privileges or denial of service. (CVE-2023-5367)

- A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and
legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if
the pointer is warped from within a window on one screen to the root window of the other screen and if the
original window is destroyed followed by another window being destroyed. (CVE-2023-5380)

- A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific
and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode).
If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during
shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
(CVE-2023-5574)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-5367

https://security.alpinelinux.org/vuln/CVE-2023-5380

https://security.alpinelinux.org/vuln/CVE-2023-5574

Plugin Details

Severity: High

ID: 407934

Version: Revision 1.41

Type: Local

Published: 10/31/2023

Updated: 12/23/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-5367

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/25/2023

Reference Information

CVE: CVE-2023-5367, CVE-2023-5380, CVE-2023-5574