X.Org Server Remote Code Execution Vulnerability

Trend Micro has discovered two new security vulnerabilities in X.Org Server that allow out-of-bounds memory access. They could lead to local privilege escalation on systems where the X.Org Server runs with elevated privileges, and to remote code execution for SSH X forwarding sessions.

The two vulnerabilities, tracked as CVE-2022-2319 and CVE-2022-2320 and disclosed yesterday, stem from the X.Org Server's XKB keyboard extension not validating input correctly, potentially leading to out-of-bounds memory writes. Hopefully in 2022, you won't rely on running xorg-server as root.

According to reports, the fixes for these XKB vulnerabilities have landed in the X.Org Server's Git repository, and X.Org Server 21.1.4, which contains the vulnerability fixes, is now available. In addition to these security fixes, there are tons of XQuartz fixes from Apple, GCC 12 build fixes in the rendering code, possible crash fixes in the PRESENT code, and various other minor bug fixes.
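A defender-side check for this advisory, added here as an example (it is not from the article or the X.Org project): it extracts the version number from the first line of `Xorg -version` output, compares it component-wise against 21.1.4, and optionally reports whether an X server process is running as root. The sample output is constructed; the `ps -eo user=,comm=` column layout and the `Xorg`/`X` process names are assumptions, and a distribution that backports the fix under an older version number will show up as a false positive.

```shell
#!/bin/sh
# Added example, not part of the article: version and privilege check for
# the X.Org Server XKB fixes (CVE-2022-2319 / CVE-2022-2320).
# The fixed version (21.1.4) is taken from the article above.

FIXED_VERSION="21.1.4"

# Constructed sample of `Xorg -version` output (not captured from a real host).
SAMPLE_XORG_OUTPUT='X.Org X Server 1.20.14
X Protocol Version 11, Revision 0
Current Operating System: Linux example-host 5.10.0 x86_64'

# ver_ge A B: succeed (exit 0) when dotted version A is >= B.
# Components are compared numerically; missing components count as 0 and
# non-numeric suffixes such as "-1" are ignored.
ver_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; a=${a#*.}
        bx=${b%%.*}; b=${b#*.}
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
    done
    return 0
}

# xorg_version_from_output TEXT: print the version number found on the
# "X.Org X Server <version>" line, or nothing if the line is absent.
xorg_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*$/\1/p' \
        | head -n 1
}

# xorg_needs_update VERSION: succeed when VERSION is older than the fixed
# release. Heuristic only: distro backports are not visible in the number.
xorg_needs_update() {
    ! ver_ge "$1" "$FIXED_VERSION"
}

# xorg_running_as_root: succeed when a process named Xorg or X runs as root.
# Assumes a procps/BSD-style `ps` that accepts -eo with empty headers.
xorg_running_as_root() {
    ps -eo user=,comm= 2>/dev/null \
        | awk '$1 == "root" && ($2 == "Xorg" || $2 == "X") { found = 1 } END { exit found ? 0 : 1 }'
}

# check_host: run both checks against the live system and print a summary.
check_host() {
    out=$(Xorg -version 2>&1 || true)
    ver=$(xorg_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "xorg-server: version not detected (Xorg not installed or unexpected output)"
    elif xorg_needs_update "$ver"; then
        echo "xorg-server $ver: older than $FIXED_VERSION, check for a backported XKB fix"
    else
        echo "xorg-server $ver: at or above $FIXED_VERSION"
    fi
    if xorg_running_as_root; then
        echo "warning: an X server process is running as root"
    else
        echo "ok: no X server process running as root"
    fi
}

# Run the live checks only when invoked as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Running the script with `--run` prints one line for the version and one for the privilege check; the functions are kept separate so that the version comparison can be reused against package-manager output (for example the version column from `dpkg -l xserver-xorg-core`) where `Xorg -version` is unavailable.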

See the announcement for details.

Reposted from: www.oschina.net/news/202742/xorg-july-12-security