CVE-2024-0408: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2024-0408) was discovered in the X.Org server affecting the GLX PBuffer code. The vulnerability was disclosed on January 18, 2024, and affects X.Org server versions prior to 21.1.11, XWayland versions prior to 23.2.4, and TigerVNC versions prior to 1.13.1 (NVD).

The vulnerability stems from the GLX PBuffer code not calling the XACE hook when creating the buffer, leaving it unlabeled. When a client issues another request to access that resource (such as with a GetGeometry) or creates another resource that needs to access that buffer (such as a GC), the XSELINUX code attempts to use an object that was never labeled and crashes because the SID is NULL. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability primarily affects system availability. When successfully exploited, it can lead to a crash of the X server when attempting to access unlabeled GLX PBuffer resources (Debian Security).

Fixed versions have been released for affected software: X.Org server version 21.1.11, XWayland version 23.2.4, and TigerVNC version 1.13.1. Users should upgrade to these or later versions. Multiple Linux distributions have released security updates including Red Hat Enterprise Linux, Fedora, and Debian (Red Hat, Debian).