Fluid Attacks Database

Description

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	xorg-server	>=0 <2:21.1.16-1.1	2:21.1.16-1.1
debian 11	xorg-server	=2:1.20.11-1 \|\| =2:1.20.11-1+deb11u1 \|\| =2:1.20.11-1+deb11u10 \|\| =2:1.20.11-1+deb11u11 \|\| =2:1.20.11-1+deb11u12 \|\| =2:1.20.11-1+deb11u13 \|\| =2:1.20.11-1+deb11u14 \|\| =2:1.20.11-1+deb11u15 \|\| =2:1.20.11-1+deb11u16 \|\| =2:1.20.11-1+deb11u17 \|\| =2:1.20.11-1+deb11u2 \|\| =2:1.20.11-1+deb11u3 \|\| =2:1.20.11-1+deb11u4 \|\| =2:1.20.11-1+deb11u5 \|\| =2:1.20.11-1+deb11u6 \|\| =2:1.20.11-1+deb11u7 \|\| =2:1.20.11-1+deb11u8 \|\| =2:1.20.11-1+deb11u9 \|\| =2:1.20.13-1 \|\| =2:1.20.13-2 \|\| =2:1.20.13-3 \|\| =2:1.20.14-1 \|\| =2:21.1.1-1 \|\| =2:21.1.1-2 \|\| =2:21.1.10-1 \|\| =2:21.1.11-1 \|\| =2:21.1.11-2 \|\| =2:21.1.11-3 \|\| =2:21.1.12-1 \|\| =2:21.1.13-1 \|\| =2:21.1.13-2 \|\| =2:21.1.13-3 \|\| =2:21.1.13-3.1 \|\| =2:21.1.14-1 \|\| =2:21.1.14-2 \|\| =2:21.1.15-1 \|\| =2:21.1.15-2 \|\| =2:21.1.15-3 \|\| =2:21.1.16-1 \|\| =2:21.1.16-1.1 \|\| =2:21.1.16-1.2 \|\| =2:21.1.16-1.3 \|\| =2:21.1.18-1 \|\| =2:21.1.18-2 \|\| =2:21.1.20-1 \|\| =2:21.1.21-1 \|\| =2:21.1.22-1 \|\| =2:21.1.3-1 \|\| =2:21.1.3-2 \|\| =2:21.1.4-1 \|\| =2:21.1.4-2 \|\| =2:21.1.4-3 \|\| =2:21.1.5-1 \|\| =2:21.1.6-1 \|\| =2:21.1.7-1 \|\| =2:21.1.7-2 \|\| =2:21.1.7-3 \|\| =2:21.1.8-1 \|\| =2:21.1.9-1 \|\| =2:21.1.9-1+hurd.1	-
debian 12	xorg-server	=2:21.1.10-1 \|\| =2:21.1.11-1 \|\| =2:21.1.11-2 \|\| =2:21.1.11-3 \|\| =2:21.1.12-1 \|\| =2:21.1.13-1 \|\| =2:21.1.13-2 \|\| =2:21.1.13-3 \|\| =2:21.1.13-3.1 \|\| =2:21.1.14-1 \|\| =2:21.1.14-2 \|\| =2:21.1.15-1 \|\| =2:21.1.15-2 \|\| =2:21.1.15-3 \|\| =2:21.1.16-1 \|\| =2:21.1.16-1.1 \|\| =2:21.1.16-1.2 \|\| =2:21.1.16-1.3 \|\| =2:21.1.18-1 \|\| =2:21.1.18-2 \|\| =2:21.1.20-1 \|\| =2:21.1.21-1 \|\| =2:21.1.22-1 \|\| =2:21.1.7-3 \|\| =2:21.1.7-3+deb12u1 \|\| =2:21.1.7-3+deb12u10 \|\| =2:21.1.7-3+deb12u11 \|\| =2:21.1.7-3+deb12u2 \|\| =2:21.1.7-3+deb12u3 \|\| =2:21.1.7-3+deb12u4 \|\| =2:21.1.7-3+deb12u5 \|\| =2:21.1.7-3+deb12u6 \|\| =2:21.1.7-3+deb12u7 \|\| =2:21.1.7-3+deb12u8 \|\| =2:21.1.7-3+deb12u9 \|\| =2:21.1.8-1 \|\| =2:21.1.9-1 \|\| =2:21.1.9-1+hurd.1	-
debian 14	xorg-server	>=0 <2:21.1.16-1.1	2:21.1.16-1.1

Aliases

1. CVE-2022-497372. NVD-2022-497373. OSV-DEBIAN-2022-497374. OSV-2022-497375. SECURITY-TRACKER-CVE-2022-49737

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.