Source: xwayland
Version: 2:24.1.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for xwayland.

CVE-2025-26594[0]:
| A use-after-free flaw was found in X.Org and Xwayland. The root
| cursor is referenced in the X server as a global variable. If a
| client frees the root cursor, the internal reference points to freed
| memory and causes a use-after-free.

CVE-2025-26595[1]:
| A buffer overflow flaw was found in X.Org and Xwayland. The code in
| XkbVModMaskText() allocates a fixed-sized buffer on the stack and
| copies the names of the virtual modifiers to that buffer. The code
| fails to check the bounds of the buffer and would copy the data
| regardless of the size.

CVE-2025-26596[2]:
| A heap overflow flaw was found in X.Org and Xwayland. The
| computation of the length in XkbSizeKeySyms() differs from what is
| written in XkbWriteKeySyms(), which may lead to a heap-based buffer
| overflow.

CVE-2025-26597[3]:
| A buffer overflow flaw was found in X.Org and Xwayland. If
| XkbChangeTypesOfKey() is called with a 0 group, it will resize the
| key symbols table to 0 but leave the key actions unchanged. If the
| same function is later called with a non-zero value of groups, this
| will cause a buffer overflow because the key actions are of the
| wrong size.

CVE-2025-26598[4]:
| An out-of-bounds write flaw was found in X.Org and Xwayland. The
| function GetBarrierDevice() searches for the pointer device based on
| its device ID and returns the matching value, or supposedly NULL, if
| no match was found. However, the code will return the last element
| of the list if no matching device ID is found, which can lead to
| out-of-bounds memory access.

CVE-2025-26599[5]:
| An access to an uninitialized pointer flaw was found in X.Org and
| Xwayland. The function compCheckRedirect() may fail if it cannot
| allocate the backing pixmap. In that case, compRedirectWindow() will
| return a BadAlloc error without validating the window tree marked
| just before, which leaves the validated data partly initialized and
| the use of an uninitialized pointer later.

CVE-2025-26600[6]:
| A use-after-free flaw was found in X.Org and Xwayland. When a device
| is removed while still frozen, the events queued for that device
| remain while the device is freed. Replaying the events will cause a
| use-after-free.

CVE-2025-26601[7]:
| A use-after-free flaw was found in X.Org and Xwayland. When changing
| an alarm, the values of the change mask are evaluated one after the
| other, changing the trigger values as requested, and eventually,
| SyncInitTrigger() is called. If one of the changes triggers an
| error, the function will return early, not adding the new sync
| object, possibly causing a use-after-free when the alarm eventually
| triggers.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26594
    https://www.cve.org/CVERecord?id=CVE-2025-26594
[1] https://security-tracker.debian.org/tracker/CVE-2025-26595
    https://www.cve.org/CVERecord?id=CVE-2025-26595
[2] https://security-tracker.debian.org/tracker/CVE-2025-26596
    https://www.cve.org/CVERecord?id=CVE-2025-26596
[3] https://security-tracker.debian.org/tracker/CVE-2025-26597
    https://www.cve.org/CVERecord?id=CVE-2025-26597
[4] https://security-tracker.debian.org/tracker/CVE-2025-26598
    https://www.cve.org/CVERecord?id=CVE-2025-26598
[5] https://security-tracker.debian.org/tracker/CVE-2025-26599
    https://www.cve.org/CVERecord?id=CVE-2025-26599
[6] https://security-tracker.debian.org/tracker/CVE-2025-26600
    https://www.cve.org/CVERecord?id=CVE-2025-26600
[7] https://security-tracker.debian.org/tracker/CVE-2025-26601
    https://www.cve.org/CVERecord?id=CVE-2025-26601
[8] https://lists.x.org/archives/xorg-announce/2025-February/003584.html

Regards,
Salvatore
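The lookup defect behind CVE-2025-26598 (a search that hands back the tail of the list instead of NULL on a miss) is easy to miss in review, so here is an added, constructed illustration of that pattern beside its corrected form. This is editor-supplied toy code, not the X server's GetBarrierDevice(); the Device type, the three-element list and its ids are made up for the example.

```c
/* Constructed illustration of the CVE-2025-26598 lookup pattern.
 * Not the X server's code: Device, the list and the ids are invented. */
#include <stddef.h>

typedef struct Device {
    int id;
    struct Device *next;
} Device;

/* Constructed device list with ids 2 -> 5 -> 9. */
static Device dev_c = { 9, NULL };
static Device dev_b = { 5, &dev_c };
static Device dev_a = { 2, &dev_b };
static Device *device_list = &dev_a;

/* Flawed lookup: the loop stops at the tail whether or not an id
 * matched, so an unknown id yields the last device rather than NULL.
 * A caller that trusts the result then operates on the wrong device's
 * state, which is how the advisory's out-of-bounds access arises. */
Device *find_device_unchecked(int id)
{
    Device *dev = device_list;
    while (dev->next != NULL && dev->id != id)
        dev = dev->next;
    return dev;   /* tail element on a miss */
}

/* Corrected lookup: only an actual match is returned; a miss is NULL,
 * and the caller must reject the request instead of proceeding. */
Device *find_device_checked(int id)
{
    for (Device *dev = device_list; dev != NULL; dev = dev->next)
        if (dev->id == id)
            return dev;
    return NULL;
}
```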