
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (CVE-2022-2320) was found in xorg-x11-server (the X.Org X server) in the handling of ProcXkbSetDeviceInfo requests. It was disclosed on July 12, 2022 and affects X.Org Server releases before the 21.1.4 fix, including 21.1.0. The flaw stems from request data supplied by an X client being processed before its length is validated, which allows memory access beyond the bounds of the request buffer (ZDI Advisory, X.Org Announcement).
NVD rates the vulnerability with a CVSS v3.1 base score of 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a local, low-privileged attacker needing no user interaction can fully compromise confidentiality, integrity and availability. The root cause is a pair of confusingly named functions: XkbSetDeviceInfo is in fact the checker and XkbSetDeviceInfoCheck the setter, so the request handler invoked the setter before the checker. Request data was therefore applied before its length had been verified, leading to out-of-bounds memory access. The wrong call order was introduced in commit c06e27b2f6fd9f7b9f827623a48876a225264132 (X.Org Announcement, NVD).
Successful exploitation lets an attacker execute arbitrary code in the context of the X server. Where the server runs as root (still the default on many systems unless rootless X is configured), this is a local privilege escalation to root. With SSH X forwarding, a malicious X client on the remote host can send requests to the local X server, so the same bug becomes remote code execution against the forwarding user's machine (X.Org Announcement, ZDI Advisory).
The fix shipped in xorg-server 21.1.4: commit dd8caf39e9e15d8f302e54045dd08d8ebf1025dc swaps the two misnamed functions so that the checker runs first, and the length checks are performed before any request data is processed. Backporting the fix to older branches additionally requires commit f1070c01d616c5f21f939d5ebc533738779451ac (X.Org Announcement, Gentoo Advisory). To verify a system, confirm that the running server reports version 21.1.4 or later (Xorg -version) or, on distributions that backport security fixes, that the installed package's changelog references CVE-2022-2320.
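The check-after-use ordering described in the root-cause and fix paragraphs above, as an added example that is not xorg-server code: a simplified request with a length field in 4-byte units and a counted array, a hypothetical setter that trusts the count, a hypothetical checker that validates it, and the two handlers in the pre-fix order (set, then check) and the fixed order (check, then set). The request layout, the names setter, checker, handle_vulnerable, handle_fixed and make_request, and the sample requests are all constructed for this illustration; the setter records how far it would have read instead of actually reading past the request, so the program is safe to run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* X protocol status codes, values as in <X11/X.h>. */
#define Success   0
#define BadLength 16

/* Constructed, simplified request layout (hypothetical): a 4-byte header whose
 * `length` counts 4-byte units for the whole request, like the real xReq header,
 * followed by `nItems` entries of ITEM_SIZE bytes each. The real
 * xkbSetDeviceInfoReq carries more fields; only what the ordering bug needs is kept. */
typedef struct {
    uint16_t length;
    uint8_t  nItems;
    uint8_t  pad;
} ReqHeader;

#define ITEM_SIZE 8u

typedef struct {
    size_t consumed;  /* payload bytes the setter walked before stopping */
    int    overran;   /* 1 if the walk reached past the declared request end */
} SetResult;

static ReqHeader read_header(const uint8_t *req)
{
    ReqHeader h;
    memcpy(&h, req, sizeof h);   /* memcpy avoids unaligned access on strict targets */
    return h;
}

/* Hypothetical setter: trusts nItems, as the pre-fix code path effectively did.
 * It stops at the declared end and records the overrun rather than reading past
 * it, which is what makes this model safe to execute. */
static SetResult setter(const uint8_t *req)
{
    ReqHeader hdr = read_header(req);
    size_t declared = (size_t)hdr.length * 4;   /* bytes the client says it sent */
    size_t offset = sizeof(ReqHeader);
    SetResult r = {0, 0};

    for (unsigned i = 0; i < hdr.nItems; i++) {
        if (offset + ITEM_SIZE > declared) {    /* next entry lies beyond the request */
            r.overran = 1;
            break;
        }
        /* a real setter would apply the entry at req + offset to device state here */
        offset += ITEM_SIZE;
        r.consumed += ITEM_SIZE;
    }
    return r;
}

/* Hypothetical checker: rejects the request when the counted array cannot fit
 * inside the declared length. */
static int checker(const uint8_t *req)
{
    ReqHeader hdr = read_header(req);
    size_t declared = (size_t)hdr.length * 4;
    size_t needed = sizeof(ReqHeader) + (size_t)hdr.nItems * ITEM_SIZE;
    return needed <= declared ? Success : BadLength;
}

/* Pre-fix call order: set, then check. The request is eventually rejected, but
 * the setter has already walked beyond the data it was given. */
int handle_vulnerable(const uint8_t *req, SetResult *out)
{
    *out = setter(req);
    return checker(req);
}

/* Fixed call order: check, then set. A malformed request never reaches the setter. */
int handle_fixed(const uint8_t *req, SetResult *out)
{
    SetResult untouched = {0, 0};
    int rc = checker(req);
    *out = untouched;
    if (rc != Success)
        return rc;
    *out = setter(req);
    return Success;
}

/* Build a constructed request with the given header fields and a zeroed payload. */
void make_request(uint8_t *buf, size_t cap, uint16_t lengthUnits, uint8_t nItems)
{
    ReqHeader hdr = { lengthUnits, nItems, 0 };
    memset(buf, 0, cap);
    memcpy(buf, &hdr, sizeof hdr);
}

int main(void)
{
    uint8_t buf[64];
    SetResult r;
    int rc;

    /* Constructed malicious request: declares 12 bytes (3 units), room for one
     * entry, but claims 4 entries (needs 4 + 4*8 = 36 bytes). */
    make_request(buf, sizeof buf, 3, 4);
    rc = handle_vulnerable(buf, &r);
    printf("pre-fix order: rc=%d overran=%d consumed=%zu\n", rc, r.overran, r.consumed);
    rc = handle_fixed(buf, &r);
    printf("fixed order:   rc=%d overran=%d consumed=%zu\n", rc, r.overran, r.consumed);
    return 0;
}
```

Both handlers return BadLength for the malformed request; the difference is that in the pre-fix order the setter has already consumed one entry and attempted a second beyond the declared end before the error is raised, which is exactly the window an attacker exploits. A well-formed request (for example 5 units with 2 entries) passes the checker and is applied in either order.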
Source: This report was generated using AI