CVE-2023-6377: 
NixOS vulnerability analysis and mitigation

CVE-2023-6377 is a vulnerability discovered in xorg-server affecting versions prior to 21.1.10 and xwayland prior to 23.2.3. The vulnerability was discovered by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative and was publicly disclosed on December 13, 2023 (Xorg Announce).

The vulnerability occurs when a logical device switch happens (e.g., moving from a touchpad to a mouse). During this switch, the server re-calculates information for the master device but only allocates memory for a single XKB action instead of enough for the newly active physical device's number of buttons. This results in out-of-bounds memory reads and writes when querying or changing XKB button actions (Xorg Announce). The vulnerability has been assigned a CVSS score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability may allow local privilege escalation if the server is running as root, or possible remote code execution in cases where X11 forwarding is involved. The vulnerability can lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability has been patched in xorg-server version 21.1.10 and xwayland version 23.2.3. The fix involves properly allocating memory for the correct number of button actions (Xorg Announce). Users should upgrade to these or later versions. As a workaround, users can ensure no untrusted clients can access the running X implementation (Gentoo Security).