[Git][xorg-team/xserver/xorg-server][debian-unstable] 39 commits: modesetting: Fix dirty updates for sw rotation

[Emilio Pozuelo Monfort (@pochu)]

Emilio Pozuelo Monfort pushed to branch debian-unstable at X Strike Force / 
xserver / xorg-server


Commits:
3bda7d11 by Patrik Jakobsson at 2025-02-05T15:02:23+01:00
modesetting: Fix dirty updates for sw rotation

Rotation is broken for all drm drivers not providing hardware rotation
support. Drivers that give direct access to vram and not needing dirty
updates still work but only by accident. The problem is caused by
modesetting not sending the correct fb_id to drmModeDirtyFB() and
passing the damage rects in the rotated state and not as the crtc
expects them. This patch takes care of both problems.

Signed-off-by: Patrik Jakobsson 
(cherry picked from commit db9e9d45e8ba73510f11eb9e534c176102f6623e)

Part-of: 

- - - - -
743f66d6 by Olivier Fourdan at 2025-02-05T15:02:23+01:00
glamor: Fix possible double-free

If glamor_link_glsl_prog() fails, we may jump to the failed code path
which frees the variable vs_prog_string and fs_prog_string.

But those variables were already freed just before, so in that case we
end up freeing the memory twice.

Simply move the free at the end of the success code path so we are sure
to free the values only once, either in the successful of failed code
paths.

Fixes: 2906ee5e4 - glamor: Fix leak in glamor_build_program()
Signed-off-by: Olivier Fourdan 
(cherry picked from commit 34ea020344ef5f2ea8ffce78c7e1abd6436b21ec)

Part-of: 

- - - - -
de2e2e8d by Peter Hutterer at 2025-02-05T15:02:23+01:00
dix: don't push the XKB state to a non-existing master keyboard

If our master keyboard is disabled, GetMaster() returns NULL and
we segfault in XkbPushLockedStateToSlaves().

Fixes 45fb3a934dc0db51584aba37c2f9d73deff9191d
Fixes #1611

(cherry picked from commit 9b983fecf999b9f50946973f2379a5ce00491cad)

Part-of: 

- - - - -
f241e4f8 by Peter Hutterer at 2025-02-05T15:02:23+01:00
Xi: when removing a master search for a disabled paired device

If either the master pointer or keyboard was disabled, the respective
GetMaster() call returns NULL, causing a segfault later accessing the
deviceid.

Fix this by looking in the off_devices list for any master
device of the type we're looking for. Master devices lose the pairing
when disabled (on enabling a keyboard we simply pair with the first
available unpaired pointer).

And for readability, split the device we get from the protocol request
into a new "dev" variable instead of re-using ptr.

Fixes #1611

(cherry picked from commit e7c876ab0b0daa546a23d4ef82537fdf8fd88e04)

Part-of: 

- - - - -
ac48573a by Olivier Fourdan at 2025-02-05T15:02:23+01:00
os: Fix NULL pointer dereference

RemoveHost() can be called from DisableLocalHost() with a NULL client,
but doesn't actually check whether the given client pointer is valid on
error and assigns the error value unconditionally, leading to a possible
NULL pointer dereference and a crash of the Xserver.

To avoid the issue, simply check whether the client pointer is not NULL
prior to assign the errorValue.

Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1752
See-also: https://bugzilla.redhat.com/2313799
Signed-off-by: Olivier Fourdan 
(cherry picked from commit 57a446c0f98693bd2e0263e91213344d870f4e03)

Part-of: 

- - - - -
e38c23e5 by Tj at 2025-02-05T15:02:23+01:00
xfree86: fbdevhw: fix pci detection on recent Linux

Linux kernel v6.9 has changed the symlink to point to the parent device. This
breaks fbdev_open() detection logic. Change it to use the subsystem symlink
instead which will remain stable.

Kernel v6.8:

[14.067] (II) fbdev_open() sysfs_path=/sys/class/graphics/fb0
[14.067] (II) fbdev_open() 
buf=../../devices/platform/vesa-framebuffer.0/graphics/fb0

Kernel v6.9:

[15.609] (II) fbdev_open() sysfs_path=/sys/class/graphics/fb0
[15.609] (II) fbdev_open() 
buf=../../devices/pci:00/:00:01.0/vesa-framebuffer.0/graphics/fb0

Originally found in automated Debian ISO QA testing [0] and confirmed in Linux 
[1].

Tested on kernels v6.9.7 and v6.8.12

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075713
[1] 
https://lore.kernel.org/lkml/lLyvPFC_APGHNfyGNHRpQy5izBikkaTPOpHooZIT3fFAoJPquSI31ZMueA99XTdr8ysir3X7O7IMdc6za-0m79vr_claeparHhoRouVgHOI=@proton.me/

Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1714
Signed-off-by: Tj 
Reviewed-by: Thomas Zimmermann 
Reviewed-by: Enrico Weigelt, metux IT consult 
(cherry picked from commit 728b54528d37ffa27b07c9b181c5ed8d2d359379)

Part-of: 

- - - - -
cbc2c654 by Alan Coopersmith at 2025-02-05T15:02:23+01:00
os: NextDPMSTimeout: mark intentional fallthroughs in switch

The comment at the top of the

[Git][xorg-team/xserver/xorg-server] Pushed new tag xorg-server-2_21.1.16-1

[Emilio Pozuelo Monfort (@pochu)]

Emilio Pozuelo Monfort pushed new tag xorg-server-2_21.1.16-1 at X Strike Force 
/ xserver / xorg-server

-- 
View it on GitLab: 
https://salsa.debian.org/xorg-team/xserver/xorg-server/-/tree/xorg-server-2_21.1.16-1
You're receiving this email because of your account on salsa.debian.org.

Processing of xorg-server_21.1.16-1_source.changes

[Debian FTP Masters]

xorg-server_21.1.16-1_source.changes uploaded successfully to localhost
along with the files:
  xorg-server_21.1.16-1.dsc
  xorg-server_21.1.16.orig.tar.gz
  xorg-server_21.1.16-1.diff.gz
  xorg-server_21.1.16-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)

xwayland_24.1.6-1_source.changes ACCEPTED into unstable

[Debian FTP Masters]

Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 26 Feb 2025 10:22:59 +0100
Source: xwayland
Architecture: source
Version: 2:24.1.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force 
Changed-By: Emilio Pozuelo Monfort 
Closes: 1098907
Changes:
 xwayland (2:24.1.6-1) unstable; urgency=medium
 .
   * New upstream release. Fixes:
 - CVE-2025-26594: use-after-free of the root cursor
 - CVE-2025-26595: buffer overflow in XkbVModMaskText
 - CVE-2025-26596: heap overflow in XkbWriteKeySyms
 - CVE-2025-26597: buffer overflow in XkbChangeTypesOfKey
 - CVE-2025-26598: out-of-bounds write in CreatePointerBarrierClient
 - CVE-2025-26599: use of uninitialized pointer in compRedirectWindow
 - CVE-2025-26600: use-after-free in PlayReleasedEvents
 - CVE-2025-26601: use-after-free in SyncInitTrigger
 (Closes: #1098907).
Checksums-Sha1:
 b50ad66e2119298104e4caa0f368159871c61b57 2278 xwayland_24.1.6-1.dsc
 8425074a39f44831dae96a9db41ad31f824c2eca 1302600 xwayland_24.1.6.orig.tar.xz
 b98edc196a9e053e6797e1b837c33cd06b606458 34952 xwayland_24.1.6-1.debian.tar.xz
 f9146c1c337734b7af0a7cee41e8ba703a000a85 9216 
xwayland_24.1.6-1_source.buildinfo
Checksums-Sha256:
 25f96591e3c3fe674ab830ef0557141658fb14cf91f56defb33ac3420435e368 2278 
xwayland_24.1.6-1.dsc
 737e612ca36bbdf415a911644eb7592cf9389846847b47fa46dc705bd754d2d7 1302600 
xwayland_24.1.6.orig.tar.xz
 fcfc0c634b7059c2e9337da2330c6b5c20b084009494d144c34bac9715ef 34952 
xwayland_24.1.6-1.debian.tar.xz
 f2077a6cb89fbdd88cdc922eade5eccb9df07092b368fe1280ad0f3a7fdc0600 9216 
xwayland_24.1.6-1_source.buildinfo
Files:
 d2be53f92046e2123f816573e3325e80 2278 x11 optional xwayland_24.1.6-1.dsc
 78067c218323fe2a496ca5f2145fe7ab 1302600 x11 optional 
xwayland_24.1.6.orig.tar.xz
 4f98a58befad72ddbaba428972feca2b 34952 x11 optional 
xwayland_24.1.6-1.debian.tar.xz
 08d02b2306ff001c9c68639c01dad006 9216 x11 optional 
xwayland_24.1.6-1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAme+3YsACgkQnUbEiOQ2
gwIDUQ//cNllfT14VbDweytv1kJJ8Dy/wm3/ghJSU2fsontCrUqQu1vgeLwmcadd
D/UbYetD6jJIInpXDTfoKq/vaMUKW9YHoCjoHPQKyZeGcjLeV3ng1U5MqKHPbajv
fh/WBhCV/075z21lycuxpSL70tc7VzLZW/W2KSAWYbQYHg3ARAh+j2IDWrbnM2mm
ko8mURYwSSJjMM6HGF8/xWL+ctq2+JHoaV9PVIYn7DaOev6Nt+hHvYtd92tA1fQT
kh0fSoRXE4vlqWyK1sw8UIonHlcsuHbVyZzq16+dDXFBeI8pNHLlrddCT7ISrUso
YTx/tzQFVjyUMY9ijaLnMY059eumkYW1PHJT6+/VhD5plEHKUThYWdXHgjLpCcAU
oLyvrE6h1sHt5Dx6aUhhgO1B0tTywpE7gQqaNddTfOvrMf+lEVfhJkiSi2cVXWL/
OYUuw3iInY2TFGr1DPzgefX5E/dufcz8t5i+cMHQjoExDK64KaGCcjwEpsy1Ri2A
Q6D9iuH/vhDf/FXP8ZcKOcGLZpQ1Ui4JMQkirOT0Fl4YRQULMw0xSMiz3Qj9BgSw
WNJDHudP0gvxMYSWDkYjisQSxBXoSknmQntl1FbAKJZ9Tl9CRUm5JuJ+Ykre5gun
jd3yXYNDjJO+/T7uIq5YAIsrTM6FJNvJlyQ+jeK9bdXo0ZZdpVM=
=RbOs
-END PGP SIGNATURE-



pgpZ2NrCgJYVT.pgp
Description: PGP signature

xorg-server_21.1.16-1_source.changes ACCEPTED into unstable

[Debian FTP Masters]

Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 26 Feb 2025 10:22:45 +0100
Source: xorg-server
Architecture: source
Version: 2:21.1.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force 
Changed-By: Emilio Pozuelo Monfort 
Closes: 1098906
Changes:
 xorg-server (2:21.1.16-1) unstable; urgency=medium
 .
   * New upstream release. Fixes:
 - CVE-2025-26594: use-after-free of the root cursor
 - CVE-2025-26595: buffer overflow in XkbVModMaskText
 - CVE-2025-26596: heap overflow in XkbWriteKeySyms
 - CVE-2025-26597: buffer overflow in XkbChangeTypesOfKey
 - CVE-2025-26598: out-of-bounds write in CreatePointerBarrierClient
 - CVE-2025-26599: use of uninitialized pointer in compRedirectWindow
 - CVE-2025-26600: use-after-free in PlayReleasedEvents
 - CVE-2025-26601: use-after-free in SyncInitTrigger
 (Closes: #1098906).
   * debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff,
 debian/patches/xfree86-fbdevhw-fix-pci-detection-on-recent-Linux.patch:
 - Dropped, included upstream.
Checksums-Sha1:
 a7c38e11e10c5113288bb67f27b317a3ad01755c 4041 xorg-server_21.1.16-1.dsc
 a12d7fb7ef065cc2e2877f7b8e7bf054b41c0c44 8954623 
xorg-server_21.1.16.orig.tar.gz
 73a3ec36474b9f3094ba2877e7d279772d43f19f 178358 xorg-server_21.1.16-1.diff.gz
 526c755197dfee18d49fda212a055c9850a35328 9655 
xorg-server_21.1.16-1_source.buildinfo
Checksums-Sha256:
 b821ee77fba22d7d68c556c5eab73817d3ff37c00f08cb746cf43980b4973909 4041 
xorg-server_21.1.16-1.dsc
 59fa52b63f6f8747ee2c4716decb29ced249c4c574e2a18c96b7d3b1420f7fd9 8954623 
xorg-server_21.1.16.orig.tar.gz
 b2a59bb0707e7687001fb1d44661934195297a00f8418e1fda60dc9d8989d66f 178358 
xorg-server_21.1.16-1.diff.gz
 09fe9ebbba49cc0aeab585d5e6d6c936c1b955f01bb7315808a52c5b34870a61 9655 
xorg-server_21.1.16-1_source.buildinfo
Files:
 8a34329d5d91a3f8936945d184bc3be4 4041 x11 optional xorg-server_21.1.16-1.dsc
 4c220da8d47467a2cb555c437466fd81 8954623 x11 optional 
xorg-server_21.1.16.orig.tar.gz
 30aecc7ea11cefc592c7d06722806dc6 178358 x11 optional 
xorg-server_21.1.16-1.diff.gz
 674204199fca3641ca09fa5661e1ed7b 9655 x11 optional 
xorg-server_21.1.16-1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAme+3XIACgkQnUbEiOQ2
gwKlphAApD3UfANoP/4O6y7Gvjz4kKr+wVMfBwqhxhmRtZNVL4lsQjKuNkqGeGz/
NXqz4BiIy+ZsALpwjlmurO6lGLNHD7JlTdHfGIzh+BoXFRUtHWA0qEMS+KeYfJM2
/u8cOVhwIjSBYU/8c58tXznQcNSHWhGPvyT1UZy6bVyChMg/H/5iAaevDUgfZArJ
PCJ9FNQ8ql68LlvNC1hyXZQHOyNkmuyZWx1rBvVVxROL68gnF7iJMY/yM0vrvhkr
uWuPMUq6IR31QUxQ6/MMnAdyOoQmHXZDzcRp5vt9klIizIGCkKqYJZHtc5IvpG1K
1MtMzom0xGvQfJ8FWCX+6Uq6+UdcTTd+3aXqDa/8C+hP77CNFWcQhiJVtuJA56Br
YJMVM9rVMGX+Y26Zqhreu1Z+dJW+k+N1RqrAyP8pG4Lr1HTjl2uecDGy5oXwYWDl
h7tiIAbs3bPdobVEzVp1fcNnmJ9GJ0QUIJEq5hWCKM/L2zcKwZ6ozs0rvR7UB7OJ
3SwGCmNcZttJZRWSXY5+Sq+bbBMMbc2vvyZojUVA8fiY8a1SH8wRcmowUNJ6S298
a4T+3CKpHBUs3SHQtb6euffXqtwqdswwW6WqwrNqrs7c6aMLpCWOOof86bFV+9qI
fjLEUCuEEYlW0fy6aFAKCNqfcGsVhRyVPkjSZQUAY2D9GBjYY0A=
=yHtE
-END PGP SIGNATURE-



pgpvp2qJ6LAgq.pgp
Description: PGP signature

[Git][xorg-team/wayland/xwayland] Pushed new tag xwayland-2_24.1.6-1

[Emilio Pozuelo Monfort (@pochu)]

Emilio Pozuelo Monfort pushed new tag xwayland-2_24.1.6-1 at X Strike Force / 
wayland / xwayland

-- 
View it on GitLab: 
https://salsa.debian.org/xorg-team/wayland/xwayland/-/tree/xwayland-2_24.1.6-1
You're receiving this email because of your account on salsa.debian.org.

Bug#1098906: marked as done (xorg-server: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601)

[Debian Bug Tracking System]

Your message dated Wed, 26 Feb 2025 09:39:08 +
with message-id 
and subject line Bug#1098906: fixed in xorg-server 2:21.1.16-1
has caused the Debian Bug report #1098906,
regarding xorg-server: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 
CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098906
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xorg-server
Version: 2:21.1.15-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2:21.1.7-3
Control: fixed -1 2:21.1.7-3+deb12u9

Hi,

The following vulnerabilities were published for xorg-server.

CVE-2025-26594[0]:
| A use-after-free flaw was found in X.Org and Xwayland. The root
| cursor is referenced in the X server as a global variable. If a
| client frees the root cursor, the internal reference points to freed
| memory and causes a use-after-free.


CVE-2025-26595[1]:
| A buffer overflow flaw was found in X.Org and Xwayland. The code in
| XkbVModMaskText() allocates a fixed-sized buffer on the stack and
| copies the names of the virtual modifiers to that buffer. The code
| fails to check the bounds of the buffer and would copy the data
| regardless of the size.


CVE-2025-26596[2]:
| A heap overflow flaw was found in X.Org and Xwayland. The
| computation of the length in XkbSizeKeySyms() differs from what is
| written in XkbWriteKeySyms(), which may lead to a heap-based buffer
| overflow.


CVE-2025-26597[3]:
| A buffer overflow flaw was found in X.Org and Xwayland. If
| XkbChangeTypesOfKey() is called with a 0 group, it will resize the
| key symbols table to 0 but leave the key actions unchanged. If the
| same function is later called with a non-zero value of groups, this
| will cause a buffer overflow because the key actions are of the
| wrong size.


CVE-2025-26598[4]:
| An out-of-bounds write flaw was found in X.Org and Xwayland. The
| function GetBarrierDevice() searches for the pointer device based on
| its device ID and returns the matching value, or supposedly NULL, if
| no match was found. However, the code will return the last element
| of the list if no matching device ID is found, which can lead to
| out-of-bounds memory access.


CVE-2025-26599[5]:
| An access to an uninitialized pointer flaw was found in X.Org and
| Xwayland. The function compCheckRedirect() may fail if it cannot
| allocate the backing pixmap. In that case, compRedirectWindow() will
| return a BadAlloc error without validating the window tree marked
| just before, which leaves the validated data partly initialized and
| the use of an uninitialized pointer later.


CVE-2025-26600[6]:
| A use-after-free flaw was found in X.Org and Xwayland. When a device
| is removed while still frozen, the events queued for that device
| remain while the device is freed. Replaying the events will cause a
| use-after-free.


CVE-2025-26601[7]:
| A use-after-free flaw was found in X.Org and Xwayland. When changing
| an alarm, the values of the change mask are evaluated one after the
| other, changing the trigger values as requested, and eventually,
| SyncInitTrigger() is called. If one of the changes triggers an
| error, the function will return early, not adding the new sync
| object, possibly causing a use-after-free when the alarm eventually
| triggers.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26594
https://www.cve.org/CVERecord?id=CVE-2025-26594
[1] https://security-tracker.debian.org/tracker/CVE-2025-26595
https://www.cve.org/CVERecord?id=CVE-2025-26595
[2] https://security-tracker.debian.org/tracker/CVE-2025-26596
https://www.cve.org/CVERecord?id=CVE-2025-26596
[3] https://security-tracker.debian.org/tracker/CVE-2025-26597
https://www.cve.org/CVERecord?id=CVE-2025-26597
[4] https://security-tracker.debian.org/tracker/CVE-2025-26598
https://www.cve.org/CVERecord?id=CVE-2025-26598
[5] https://security-tracker.debian.org/tracker/CVE-2025-26599
https://www.cve.org/CVERecord?id=CVE-2025-26599
[6] https://security-tracker.debian.org/tracker/CVE-2025-26600
https://www.cve.org/CVERecord?id=CVE-2025-26600
[7] https://security-tracker.debian.org/tracker/CVE-2025-26601
https://www.cve.org/CVERecord?id=CVE-2025-26601
[8] https://lists.x.org/archives/xorg-announce/202

Bug#1098907: marked as done (xwayland: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601)

[Debian Bug Tracking System]

Your message dated Wed, 26 Feb 2025 09:39:22 +
with message-id 
and subject line Bug#1098907: fixed in xwayland 2:24.1.6-1
has caused the Debian Bug report #1098907,
regarding xwayland: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 
CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xwayland
Version: 2:24.1.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for xwayland.

CVE-2025-26594[0]:
| A use-after-free flaw was found in X.Org and Xwayland. The root
| cursor is referenced in the X server as a global variable. If a
| client frees the root cursor, the internal reference points to freed
| memory and causes a use-after-free.


CVE-2025-26595[1]:
| A buffer overflow flaw was found in X.Org and Xwayland. The code in
| XkbVModMaskText() allocates a fixed-sized buffer on the stack and
| copies the names of the virtual modifiers to that buffer. The code
| fails to check the bounds of the buffer and would copy the data
| regardless of the size.


CVE-2025-26596[2]:
| A heap overflow flaw was found in X.Org and Xwayland. The
| computation of the length in XkbSizeKeySyms() differs from what is
| written in XkbWriteKeySyms(), which may lead to a heap-based buffer
| overflow.


CVE-2025-26597[3]:
| A buffer overflow flaw was found in X.Org and Xwayland. If
| XkbChangeTypesOfKey() is called with a 0 group, it will resize the
| key symbols table to 0 but leave the key actions unchanged. If the
| same function is later called with a non-zero value of groups, this
| will cause a buffer overflow because the key actions are of the
| wrong size.


CVE-2025-26598[4]:
| An out-of-bounds write flaw was found in X.Org and Xwayland. The
| function GetBarrierDevice() searches for the pointer device based on
| its device ID and returns the matching value, or supposedly NULL, if
| no match was found. However, the code will return the last element
| of the list if no matching device ID is found, which can lead to
| out-of-bounds memory access.


CVE-2025-26599[5]:
| An access to an uninitialized pointer flaw was found in X.Org and
| Xwayland. The function compCheckRedirect() may fail if it cannot
| allocate the backing pixmap. In that case, compRedirectWindow() will
| return a BadAlloc error without validating the window tree marked
| just before, which leaves the validated data partly initialized and
| the use of an uninitialized pointer later.


CVE-2025-26600[6]:
| A use-after-free flaw was found in X.Org and Xwayland. When a device
| is removed while still frozen, the events queued for that device
| remain while the device is freed. Replaying the events will cause a
| use-after-free.


CVE-2025-26601[7]:
| A use-after-free flaw was found in X.Org and Xwayland. When changing
| an alarm, the values of the change mask are evaluated one after the
| other, changing the trigger values as requested, and eventually,
| SyncInitTrigger() is called. If one of the changes triggers an
| error, the function will return early, not adding the new sync
| object, possibly causing a use-after-free when the alarm eventually
| triggers.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26594
https://www.cve.org/CVERecord?id=CVE-2025-26594
[1] https://security-tracker.debian.org/tracker/CVE-2025-26595
https://www.cve.org/CVERecord?id=CVE-2025-26595
[2] https://security-tracker.debian.org/tracker/CVE-2025-26596
https://www.cve.org/CVERecord?id=CVE-2025-26596
[3] https://security-tracker.debian.org/tracker/CVE-2025-26597
https://www.cve.org/CVERecord?id=CVE-2025-26597
[4] https://security-tracker.debian.org/tracker/CVE-2025-26598
https://www.cve.org/CVERecord?id=CVE-2025-26598
[5] https://security-tracker.debian.org/tracker/CVE-2025-26599
https://www.cve.org/CVERecord?id=CVE-2025-26599
[6] https://security-tracker.debian.org/tracker/CVE-2025-26600
https://www.cve.org/CVERecord?id=CVE-2025-26600
[7] https://security-tracker.debian.org/tracker/CVE-2025-26601
https://www.cve.org/CVERecord?id=CVE-2025-26601
[8] https://lists.x.org/archives/xorg-announce/2025-February/003584.html

Regards,
Salvatore
--- End Message ---
--- Begin Mes

Processing of xwayland_24.1.6-1_source.changes

[Debian FTP Masters]

xwayland_24.1.6-1_source.changes uploaded successfully to localhost
along with the files:
  xwayland_24.1.6-1.dsc
  xwayland_24.1.6.orig.tar.xz
  xwayland_24.1.6-1.debian.tar.xz
  xwayland_24.1.6-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)