Hi,

On Thu, Jan 18, 2024 at 02:30:08PM +0100, Salvatore Bonaccorso wrote:
> Source: xorg-server
> Version: 2:21.1.11-1
> Severity: important
> Tags: upstream
> X-Debbugs-Cc: car...@debian.org, jcris...@debian.org, a...@debian.org,
>  t...@security.debian.org
>
> While preparing the update for xorg-server for bookworm an autopkgtest
> regression in uqm was seen. The same is shown with the 2:21.1.11-1
> upload to unstable:
>
> https://ci.debian.net/packages/u/uqm/testing/amd64/41866714/
>
> Julien Cristau was able to reproduce the leak independently from uqm:
>
> Xvfb :10 & sleep 2; DISPLAY=:10 xdpyinfo >/dev/null
>
> resulting in
>
> 1 XSELINUXs still allocated at reset
> SCREEN: 0 objects of 304 bytes = 0 total bytes 0 private allocs
> DEVICE: 0 objects of 88 bytes = 0 total bytes 0 private allocs
> CLIENT: 0 objects of 144 bytes = 0 total bytes 0 private allocs
> WINDOW: 0 objects of 48 bytes = 0 total bytes 0 private allocs
> PIXMAP: 0 objects of 16 bytes = 0 total bytes 0 private allocs
> GC: 0 objects of 16 bytes = 0 total bytes 0 private allocs
> CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
> TOTAL: 1 objects, 8 bytes, 0 allocs
> 1 CURSORs still allocated at reset
> CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
> TOTAL: 1 objects, 8 bytes, 0 allocs
> 1 CURSOR_BITSs still allocated at reset
> TOTAL: 0 objects, 0 bytes, 0 allocs
>
> As per upstream commit bisection it seems that the first bad commit is
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
> which is related to the CVE-2024-21886 fix.

There is a fix for that upstream (the issue did not affect the master
branch which contains the following commit, which is not in the
21.1.y):

https://gitlab.freedesktop.org/xorg/xserver/-/issues/1623#note_2248117
https://gitlab.freedesktop.org/xorg/xserver/-/commit/1801fe0ac3926882d47d7e1ad6c0518a2cdffd41

Proposed merge request for unstable:

https://salsa.debian.org/xorg-team/xserver/xorg-server/-/merge_requests/9

Regards,
Salvatore