[ANNOUNCE] xwayland 24.1.6
This release contains the fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html * CVE-2025-26594 * CVE-2025-26595 * CVE-2025-26596 * CVE-2025-26597 * CVE-2025-26598 * CVE-2025-26599 * CVE-2025-26600 * CVE-2025-26601 Additionally, it reverts a recent Xkb change to fix an issue with gamescope. Olivier Fourdan (15): Revert "xwayland: Don't run key behaviors and actions" test: Fix xsync test Cursor: Refuse to free the root cursor xkb: Fix buffer overflow in XkbVModMaskText() xkb: Fix computation of XkbSizeKeySyms xkb: Fix buffer overflow in XkbChangeTypesOfKey() Xi: Fix barrier device search composite: Handle failure to redirect in compRedirectWindow() composite: initialize border clip even when pixmap alloc fails dix: Dequeue pending events on frozen device on removal sync: Do not let sync objects uninitialized sync: Check values before applying changes sync: Do not fail SyncAddTriggerToSyncObject() sync: Apply changes last in SyncChangeAlarmAttributes() Bump version to 24.1.6 Peter Hutterer (1): dix: keep a ref to the rootCursor git tag: xwayland-24.1.6 https://xorg.freedesktop.org/archive/individual/xserver/xwayland-24.1.6.tar.xz SHA256: 737e612ca36bbdf415a911644eb7592cf9389846847b47fa46dc705bd754d2d7 xwayland-24.1.6.tar.xz SHA512: b6dcc87f5c4d880cb23216518171a704c2a501803ac2efd9d01760895d755a617cd82313c6516f27a888b0581c64d74e3f8db5c238e1ae0d13da6cc1a547c02f xwayland-24.1.6.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xwayland-24.1.6.tar.xz.sig OpenPGP_0x14706DBE1E4B4540.asc Description: OpenPGP public key OpenPGP_signature.asc Description: OpenPGP digital signature
[ANNOUNCE] xorg-server 21.1.16
This release contains the fix for the issue reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html * CVE-2025-26594 * CVE-2025-26595 * CVE-2025-26596 * CVE-2025-26597 * CVE-2025-26598 * CVE-2025-26599 * CVE-2025-26600 * CVE-2025-26601 Additionally, it also contains several other fixes, see below: Alan Coopersmith (7): os: NextDPMSTimeout: mark intentional fallthroughs in switch xfree86: avoid memory leak on realloc failure Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL render: avoid NULL pointer dereference if PictureFindVisual returns NULL dix: fix button offset when generating DeviceButtonStateNotify events dix: limit checks to MAX_VALUATORS when generating Xi events modesetting: avoid memory leak when ms_present_check_unflip() returns FALSE Daniel Kahn Gillmor (1): autotools: enable static use of Nettle for SHA1 Doug Brown (1): dri2: Protect against dri2ClientPrivate assertion failures Olivier Fourdan (18): glamor: Fix possible double-free os: Fix NULL pointer dereference xkb: Always use MAP_LENGTH keymap size os/connection: Make sure partial is initialized test: Fix xsync test Cursor: Refuse to free the root cursor xkb: Fix buffer overflow in XkbVModMaskText() xkb: Fix computation of XkbSizeKeySyms xkb: Fix buffer overflow in XkbChangeTypesOfKey() Xi: Fix barrier device search composite: Handle failure to redirect in compRedirectWindow() composite: initialize border clip even when pixmap alloc fails dix: Dequeue pending events on frozen device on removal sync: Do not let sync objects uninitialized sync: Check values before applying changes sync: Do not fail SyncAddTriggerToSyncObject() sync: Apply changes last in SyncChangeAlarmAttributes() xserver 21.1.16 Patrik Jakobsson (1): modesetting: Fix dirty updates for sw rotation Peter Hutterer (3): dix: don't push the XKB state to a non-existing master keyboard Xi: when removing a master search for a disabled paired device dix: keep a ref to the rootCursor Tj (1): xfree86: fbdevhw: fix pci detection on recent Linux git tag: xorg-server-21.1.16 https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.gz SHA256: 59fa52b63f6f8747ee2c4716decb29ced249c4c574e2a18c96b7d3b1420f7fd9 xorg-server-21.1.16.tar.gz SHA512: d0cd176e4c7273b6870999a3d008ed282fd5609acb2e0919c16447af3a5b2228d8592424388a8ace67acf216cdfae3a2d52f7a7ba81f6071467c61d57f32f314 xorg-server-21.1.16.tar.gz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.gz.sig https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.xz SHA256: b14a116d2d805debc5b5b2aac505a279e69b217dae2fae2dfcb62400471a9970 xorg-server-21.1.16.tar.xz SHA512: 38fd4232a293a497d13f8b57e85e84cf6a531453a7d8d5de1a77d67ceaf8714d5770951a8a21f1b3f519e83be1fc0926dce269846e75a8b11aa1062dd507f67d xorg-server-21.1.16.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.xz.sig OpenPGP_0x14706DBE1E4B4540.asc Description: OpenPGP public key OpenPGP_signature.asc Description: OpenPGP digital signature
X.Org Security Advisory: multiple security issues X.Org X server and Xwayland
== X.Org Security Advisory: February 25, 2025 Issues in X.Org X server prior to 21.1.16 and Xwayland prior to 24.1.6 == Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.16 and xwayland-24.1.6. 1) CVE-2025-26594: Use-after-free of the root cursor Introduced in: Unknown - Prior to X11R6.6 Xorg baseline Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The root cursor is referenced in the xserver as a global variable. If a client manages to free the root cursor, the internal reference points to freed memory and causes a use-after-free. xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue. 2) CVE-2025-26595: Buffer overflow in XkbVModMaskText() Introduced in: Prior to X11R6.1 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code however fails to check the bounds of the buffer correctly and would copy the data regardless of the size, which may lead to a buffer overflow. xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue. 3) CVE-2025-26596: Heap overflow in XkbWriteKeySyms() Introduced in: initial version of xc/programs/Xserver/xkb/xkb.c in X11R6 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The computation of the length in XkbSizeKeySyms() differs from what is actually written in XkbWriteKeySyms(), which may lead to a heap based buffer overflow. xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue. 4) CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey() Introduced in: X11R6.1 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative If XkbChangeTypesOfKey() is called with 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If later, the same function is called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size. 5) CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient() Introduced in: xorg-server-1.14.0 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The function GetBarrierDevice() searches for the pointer device based on its device id and returns the matching value, or supposedly NULL if no match was found. However the code will return the last element of the list if no matching device id was found which can lead to out of bounds memory access. 6) CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow() Introduced in: Xorg 6.8.0. Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without the validation of the window tree marked just before, which leaves the validate data partly initialized, and the use of an uninitialized pointer later. 7) CVE-2025-26600: Use-after-free in PlayReleasedEvents() Introduced in: X11R5 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative When a device is removed while still frozen, the events queued for that device remain while the device itself is freed and replaying the events will cause a use after free. 8) CVE-2025-26601: Use-after-free in SyncInitTrigger() Introduced in: X11R6 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 Found by: Jan-Niklas Sohn working with Trend Micro Zero D
