From 9aedd73e9c81a45318df9f54292efd876759a86c Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 10 Jun 2026 08:57:40 -0700 Subject: [PATCH] [AUTOPATCHER-CORE] Upgrade xorg-x11-server-Xwayland to 24.1.12 for CVE-2026-50256, CVE-2026-50257, CVE-2026-50258, CVE-2026-50259, CVE-2026-50260, CVE-2026-50261, CVE-2026-50262 and CVE-2026-50263 (#17658) (cherry picked from commit b2228599ddc96fe21f4a610dba9d16b0cbf8cf19) --- .../CVE-2025-49175.patch | 89 ----- .../CVE-2025-49177.patch | 39 --- .../CVE-2025-49178.patch | 47 --- .../CVE-2025-49179.patch | 41 --- .../CVE-2025-49180.patch | 42 --- .../CVE-2025-62229.patch | 87 ----- .../CVE-2025-62230.patch | 148 -------- .../CVE-2025-62231.patch | 49 --- .../CVE-2026-33999.patch | 47 --- .../CVE-2026-34001.patch | 102 ------ .../CVE-2026-34003.patch | 331 ------------------ .../xorg-x11-server-Xwayland.signatures.json | 2 +- .../xorg-x11-server-Xwayland.spec | 18 +- cgmanifest.json | 4 +- 14 files changed, 8 insertions(+), 1038 deletions(-) delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-62229.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-62230.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2025-62231.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2026-33999.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2026-34001.patch delete mode 100644 SPECS/xorg-x11-server-Xwayland/CVE-2026-34003.patch diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch deleted file mode 100644 index 2d2b34430da..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 0885e0b26225c90534642fe911632ec0779eebee Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 28 Mar 2025 09:43:52 +0100 -Subject: [PATCH] render: Avoid 0 or less animated cursors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee.patch - -Animated cursors use a series of cursors that the client can set. - -By default, the Xserver assumes at least one cursor is specified -while a client may actually pass no cursor at all. - -That causes an out-of-bound read creating the animated cursor and a -crash of the Xserver: - - | Invalid read of size 8 - | at 0x5323F4: AnimCursorCreate (animcur.c:325) - | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) - | by 0x52DC80: ProcRenderDispatch (render.c:1999) - | by 0x4A1E9D: Dispatch (dispatch.c:560) - | by 0x4B0169: dix_main (main.c:284) - | by 0x4287F5: main (stubmain.c:34) - | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd - | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) - | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) - | by 0x52DC80: ProcRenderDispatch (render.c:1999) - | by 0x4A1E9D: Dispatch (dispatch.c:560) - | by 0x4B0169: dix_main (main.c:284) - | by 0x4287F5: main (stubmain.c:34) - | - | Invalid read of size 2 - | at 0x5323F7: AnimCursorCreate (animcur.c:325) - | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) - | by 0x52DC80: ProcRenderDispatch (render.c:1999) - | by 0x4A1E9D: Dispatch (dispatch.c:560) - | by 0x4B0169: dix_main (main.c:284) - | by 0x4287F5: main (stubmain.c:34) - | Address 0x8 is not stack'd, malloc'd or (recently) free'd - -To avoid the issue, check the number of cursors specified and return a -BadValue error in both the proc handler (early) and the animated cursor -creation (as this is a public function) if there is 0 or less cursor. - -CVE-2025-49175 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: José Expósito -Part-of: ---- - render/animcur.c | 3 +++ - render/render.c | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/render/animcur.c b/render/animcur.c -index f906cd8130..1194cee7e7 100644 ---- a/render/animcur.c -+++ b/render/animcur.c -@@ -305,6 +305,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor, - int rc = BadAlloc, i; - AnimCurPtr ac; - -+ if (ncursor <= 0) -+ return BadValue; -+ - for (i = 0; i < screenInfo.numScreens; i++) - if (!GetAnimCurScreen(screenInfo.screens[i])) - return BadImplementation; -diff --git a/render/render.c b/render/render.c -index 113f6e0c5a..fe9f03c8c8 100644 ---- a/render/render.c -+++ b/render/render.c -@@ -1799,6 +1799,8 @@ ProcRenderCreateAnimCursor(ClientPtr client) - ncursor = - (client->req_len - - (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; -+ if (ncursor <= 0) -+ return BadValue; - cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); - if (!cursors) - return BadAlloc; --- -GitLab - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch deleted file mode 100644 index 612557a77a2..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch +++ /dev/null @@ -1,39 +0,0 @@ -From fec15c9463b629600306a25fb01801353b6a9bf6 Mon Sep 17 00:00:00 2001 -From: Kevin Lockwood -Date: Mon, 23 Jun 2025 15:22:44 -0700 -Subject: [PATCH] [Medium] Patch xorg-x11-server-Xwayland for CVE-2025-49177 - -Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af.patch - -Part-of: - -Only edit to the upstream patch was because the patcher could not find -where to position a hunk ---- - xfixes/disconnect.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c -index e412942..b3529af 100644 ---- a/xfixes/disconnect.c -+++ b/xfixes/disconnect.c -@@ -69,6 +69,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client) - ClientDisconnectPtr pDisconnect = GetClientDisconnect(client); - - REQUEST(xXFixesSetClientDisconnectModeReq); -+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); - - pDisconnect->disconnect_mode = stuff->disconnect_mode; - -@@ -82,7 +83,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client) - - swaps(&stuff->length); - -- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq); -+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); - - swapl(&stuff->disconnect_mode); - --- -2.34.1 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch deleted file mode 100644 index af08641dde4..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch +++ /dev/null @@ -1,47 +0,0 @@ -From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 28 Apr 2025 10:46:03 +0200 -Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer - -Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2.patch - -When reading requests from the clients, the input buffer might be shared -and used between different clients. - -If a given client sends a full request with non-zero bytes to ignore, -the bytes to ignore may still be non-zero even though the request is -full, in which case the buffer could be shared with another client who's -request will not be processed because of those bytes to ignore, leading -to a possible hang of the other client request. - -To avoid the issue, make sure we have zero bytes to ignore left in the -input request when sharing the input buffer with another client. - -CVE-2025-49178 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -Part-of: ---- - os/io.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/os/io.c b/os/io.c -index 3e39c10e6f..e7b76b9cea 100644 ---- a/os/io.c -+++ b/os/io.c -@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client) - */ - - gotnow -= needed; -- if (!gotnow) -+ if (!gotnow && !oci->ignoreBytes) - AvailableInput = oc; - if (move_header) { - if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { --- -GitLab - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch deleted file mode 100644 index ab398fe5612..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch +++ /dev/null @@ -1,41 +0,0 @@ -From dcf8726020de572e28ae4f9b0b40be2a6ea27a2c Mon Sep 17 00:00:00 2001 -From: Kevin Lockwood -Date: Mon, 23 Jun 2025 14:21:55 -0700 -Subject: [PATCH] Patch xorg-x11-server-Xwayland for CVE-2025-49179 - -Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4.patch - -Part-of: ---- - record/record.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/record/record.c b/record/record.c -index ca9254c..311ec1a 100644 ---- a/record/record.c -+++ b/record/record.c -@@ -46,6 +46,7 @@ and Jim Haggerty of Metheus. - #include "swaprep.h" - #include "inputstr.h" - #include "scrnintstr.h" -+#include "include/opaque.h" - - #include - #include -@@ -1299,6 +1300,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, - int i; - XID recordingClient; - -+ /* LimitClients is 2048 at max, way less that MAXINT */ -+ if (stuff->nClients > LimitClients) -+ return BadValue; -+ -+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) -+ return BadValue; -+ - if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != - 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) - return BadLength; --- -2.34.1 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch deleted file mode 100644 index 8c63a282c93..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Tue, 20 May 2025 15:18:19 +0200 -Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty() - -Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6.patch - -A client might send a request causing an integer overflow when computing -the total size to allocate in RRChangeProviderProperty(). - -To avoid the issue, check that total length in bytes won't exceed the -maximum integer value. - -CVE-2025-49180 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -Part-of: ---- - randr/rrproviderproperty.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c -index 69f66ed278..0c3dcd1bc5 100644 ---- a/randr/rrproviderproperty.c -+++ b/randr/rrproviderproperty.c -@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, - - if (mode == PropModeReplace || len > 0) { - void *new_data = NULL, *old_data = NULL; -- -+ if (total_len > MAXINT / size_in_bytes) -+ return BadValue; - total_size = total_len * size_in_bytes; - new_value.data = (void *) malloc(total_size); - if (!new_value.data && total_size) { --- -GitLab - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-62229.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-62229.patch deleted file mode 100644 index 698d1efb241..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-62229.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 288a119572319575757c5d77bd8ccf0141b385cf Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 2 Jul 2025 09:46:22 +0200 -Subject: [PATCH] present: Fix use-after-free in present_create_notifies() - -Using the Present extension, if an error occurs while processing and -adding the notifications after presenting a pixmap, the function -present_create_notifies() will clean up and remove the notifications -it added. - -However, there are two different code paths that can lead to an error -creating the notify, one being before the notify is being added to the -list, and another one after the notify is added. - -When the error occurs before it's been added, it removes the elements up -to the last added element, instead of the actual number of elements -which were added. - -As a result, in case of error, as with an invalid window for example, it -leaves a dangling pointer to the last element, leading to a use after -free case later: - - | Invalid write of size 8 - | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) - | by 0x534A56: present_destroy_window (present_screen.c:107) - | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) - | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) - | by 0x51EAC4: damageDestroyWindow (damage.c:1592) - | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) - | by 0x4EAC55: FreeWindowResources (window.c:1023) - | by 0x4EAF59: DeleteWindow (window.c:1091) - | by 0x4DE59A: doFreeResource (resource.c:890) - | by 0x4DEFB2: FreeClientResources (resource.c:1156) - | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) - | by 0x5DCC78: ClientReady (connection.c:603) - | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd - | at 0x4841E43: free (vg_replace_malloc.c:989) - | by 0x5363DD: present_destroy_notifies (present_notify.c:111) - | by 0x53638D: present_create_notifies (present_notify.c:100) - | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) - | by 0x536A7D: proc_present_pixmap (present_request.c:189) - | by 0x536FA9: proc_present_dispatch (present_request.c:337) - | by 0x4A1E4E: Dispatch (dispatch.c:561) - | by 0x4B00F1: dix_main (main.c:284) - | by 0x42879D: main (stubmain.c:34) - | Block was alloc'd at - | at 0x48463F3: calloc (vg_replace_malloc.c:1675) - | by 0x5362A1: present_create_notifies (present_notify.c:81) - | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) - | by 0x536A7D: proc_present_pixmap (present_request.c:189) - | by 0x536FA9: proc_present_dispatch (present_request.c:337) - | by 0x4A1E4E: Dispatch (dispatch.c:561) - | by 0x4B00F1: dix_main (main.c:284) - | by 0x42879D: main (stubmain.c:34) - -To fix the issue, count and remove the actual number of notify elements -added in case of error. - -CVE-2025-62229, ZDI-CAN-27238 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Part-of: -Signed-off-by: rpm-build -Upstream-reference: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1.patch ---- - present/present_notify.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/present/present_notify.c b/present/present_notify.c -index 4459549..00b3b68 100644 ---- a/present/present_notify.c -+++ b/present/present_notify.c -@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no - if (status != Success) - goto bail; - -- added = i; -+ added++; - } - return Success; - --- -2.45.4 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-62230.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-62230.patch deleted file mode 100644 index fffd41e5083..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-62230.patch +++ /dev/null @@ -1,148 +0,0 @@ -From bcdc1467253d444c8ace779fefae94b1c3f29b54 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 10 Sep 2025 15:58:57 +0200 -Subject: [PATCH 1/2] xkb: Free the XKB resource when freeing XkbInterest -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -XkbRemoveResourceClient() would free the XkbInterest data associated -with the device, but not the resource associated with it. - -As a result, when the client terminates, the resource delete function -gets called and accesses already freed memory: - - | Invalid read of size 8 - | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) - | by 0x5B3391: XkbClientGone (xkb.c:7094) - | by 0x4DF138: doFreeResource (resource.c:890) - | by 0x4DFB50: FreeClientResources (resource.c:1156) - | by 0x4A9A59: CloseDownClient (dispatch.c:3550) - | by 0x5E0A53: ClientReady (connection.c:601) - | by 0x5E4FEF: ospoll_wait (ospoll.c:657) - | by 0x5DC834: WaitForSomething (WaitFor.c:206) - | by 0x4A1BA5: Dispatch (dispatch.c:491) - | by 0x4B0070: dix_main (main.c:277) - | by 0x4285E7: main (stubmain.c:34) - | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd - | at 0x4842E43: free (vg_replace_malloc.c:989) - | by 0x49C1A6: CloseDevice (devices.c:1067) - | by 0x49C522: CloseOneDevice (devices.c:1193) - | by 0x49C6E4: RemoveDevice (devices.c:1244) - | by 0x5873D4: remove_master (xichangehierarchy.c:348) - | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) - | by 0x579BF1: ProcIDispatch (extinit.c:390) - | by 0x4A1D85: Dispatch (dispatch.c:551) - | by 0x4B0070: dix_main (main.c:277) - | by 0x4285E7: main (stubmain.c:34) - | Block was alloc'd at - | at 0x48473F3: calloc (vg_replace_malloc.c:1675) - | by 0x49A118: AddInputDevice (devices.c:262) - | by 0x4A0E58: AllocDevicePair (devices.c:2846) - | by 0x5866EE: add_master (xichangehierarchy.c:153) - | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) - | by 0x579BF1: ProcIDispatch (extinit.c:390) - | by 0x4A1D85: Dispatch (dispatch.c:551) - | by 0x4B0070: dix_main (main.c:277) - | by 0x4285E7: main (stubmain.c:34) - -To avoid that issue, make sure to free the resources when freeing the -device XkbInterest data. - -CVE-2025-62230, ZDI-CAN-27545 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Michel Dänzer -Part-of: ---- - xkb/xkbEvents.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c -index f8f65d4..7c669c9 100644 ---- a/xkb/xkbEvents.c -+++ b/xkb/xkbEvents.c -@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) - autoCtrls = interest->autoCtrls; - autoValues = interest->autoCtrlValues; - client = interest->client; -+ FreeResource(interest->resource, RT_XKBCLIENT); - free(interest); - found = TRUE; - } -@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) - autoCtrls = victim->autoCtrls; - autoValues = victim->autoCtrlValues; - client = victim->client; -+ FreeResource(victim->resource, RT_XKBCLIENT); - free(victim); - found = TRUE; - } --- -2.45.4 - - -From f6a70756f4b556a1a84792096b61bf1021ac8438 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 10 Sep 2025 15:55:06 +0200 -Subject: [PATCH 2/2] xkb: Make the RT_XKBCLIENT resource private -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently, the resource in only available to the xkb.c source file. - -In preparation for the next commit, to be able to free the resources -from XkbRemoveResourceClient(), make that variable private instead. - -This is related to: - -CVE-2025-62230, ZDI-CAN-27545 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Michel Dänzer -(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f) - -Part-of: -Signed-off-by: rpm-build -Upstream-reference: https://gitlab.freedesktop.org/ofourdan/xserver/-/commit/10c94238bdad17c11707e0bdaaa3a9cd54c504be.patch https://gitlab.freedesktop.org/ofourdan/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175.patch ---- - include/xkbsrv.h | 2 ++ - xkb/xkb.c | 2 +- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/include/xkbsrv.h b/include/xkbsrv.h -index bd74785..d801cd4 100644 ---- a/include/xkbsrv.h -+++ b/include/xkbsrv.h -@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. - #include "inputstr.h" - #include "events.h" - -+extern RESTYPE RT_XKBCLIENT; -+ - typedef struct _XkbInterest { - DeviceIntPtr dev; - ClientPtr client; -diff --git a/xkb/xkb.c b/xkb/xkb.c -index ac154e2..6c102af 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -50,7 +50,7 @@ int XkbKeyboardErrorCode; - CARD32 xkbDebugFlags = 0; - static CARD32 xkbDebugCtrls = 0; - --static RESTYPE RT_XKBCLIENT; -+RESTYPE RT_XKBCLIENT = 0; - - /***====================================================================***/ - --- -2.45.4 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-62231.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-62231.patch deleted file mode 100644 index d16b6164dcc..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2025-62231.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4312de85985485587f2a75685928e30c242ae5d0 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 10 Sep 2025 16:30:29 +0200 -Subject: [PATCH] xkb: Prevent overflow in XkbSetCompatMap() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The XkbCompatMap structure stores its "num_si" and "size_si" fields -using an unsigned short. - -However, the function _XkbSetCompatMap() will store the sum of the -input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and -"size_si" without first checking if the sum overflows the maximum -unsigned short value, leading to a possible overflow. - -To avoid the issue, check whether the sum does not exceed the maximum -unsigned short value, or return a "BadValue" error otherwise. - -CVE-2025-62231, ZDI-CAN-27560 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Michel Dänzer -Part-of: -Signed-off-by: rpm-build -Upstream-reference: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49.patch ---- - xkb/xkb.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 6c102af..a77fe7f 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -2990,6 +2990,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, - XkbSymInterpretPtr sym; - unsigned int skipped = 0; - -+ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX) -+ return BadValue; - if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { - compat->num_si = compat->size_si = req->firstSI + req->nSI; - compat->sym_interpret = reallocarray(compat->sym_interpret, --- -2.45.4 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2026-33999.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2026-33999.patch deleted file mode 100644 index 49d2465c151..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2026-33999.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 97740b8ddc485dc2de51db39d45648ac20b6ce16 Mon Sep 17 00:00:00 2001 -From: Peter Harris -Date: Thu, 15 Jan 2026 15:54:09 -0500 -Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap - -If the "compat" buffer has previously been truncated, there will be -unused space in the buffer. The code uses this space, but does not -update the number of valid entries in the buffer. - -In the best case, this leads to the new compat entries being ignored. In the -worst case, if there are any "skipped" compat entries, the number of -valid entries will be corrupted, potentially leading to a buffer read -overrun when processing a future request. - -Set the number of used "compat" entries when re-using previously -allocated space in the buffer. - -CVE-2026-33999, ZDI-CAN-28593 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with TrendAI Zero Day Initiative - -Signed-off-by: Peter Harris -Acked-by: Olivier Fourdan -Part-of: -Signed-off-by: rpm-build -Upstream-reference: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b.patch ---- - xkb/xkb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index a77fe7f..6c24941 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -3002,7 +3002,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, - return BadAlloc; - } - } -- else if (req->truncateSI) { -+ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { - compat->num_si = req->firstSI + req->nSI; - } - sym = &compat->sym_interpret[req->firstSI]; --- -2.45.4 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2026-34001.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2026-34001.patch deleted file mode 100644 index 706d072dfae..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2026-34001.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 7b437ebf64aa7cce60f4260aa506c1cd0a2ff725 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 18 Feb 2026 16:23:23 +0100 -Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence() - -As reported by valgrind: - - == Invalid read of size 8 - == at 0x568C14: miSyncTriggerFence (misync.c:140) - == by 0x540688: ProcSyncTriggerFence (sync.c:1957) - == by 0x540CCC: ProcSyncDispatch (sync.c:2152) - == by 0x4A28C5: Dispatch (dispatch.c:553) - == by 0x4B0B24: dix_main (main.c:274) - == by 0x42915E: main (stubmain.c:34) - == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd - == at 0x4843E43: free (vg_replace_malloc.c:990) - == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169) - == by 0x53F14D: FreeAwait (sync.c:1208) - == by 0x4DFB06: doFreeResource (resource.c:888) - == by 0x4DFC59: FreeResource (resource.c:918) - == by 0x53E349: SyncAwaitTriggerFired (sync.c:701) - == by 0x568C52: miSyncTriggerFence (misync.c:142) - == by 0x540688: ProcSyncTriggerFence (sync.c:1957) - == by 0x540CCC: ProcSyncDispatch (sync.c:2152) - == by 0x4A28C5: Dispatch (dispatch.c:553) - == by 0x4B0B24: dix_main (main.c:274) - == by 0x42915E: main (stubmain.c:34) - == Block was alloc'd at - == at 0x4840B26: malloc (vg_replace_malloc.c:447) - == by 0x5E50E1: XNFalloc (utils.c:1129) - == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206) - == by 0x53DCA8: SyncInitTrigger (sync.c:414) - == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089) - == by 0x540D04: ProcSyncDispatch (sync.c:2160) - == by 0x4A28C5: Dispatch (dispatch.c:553) - == by 0x4B0B24: dix_main (main.c:274) - == by 0x42915E: main (stubmain.c:34) - -When walking the list of fences to trigger, miSyncTriggerFence() may -call TriggerFence() for the current trigger, which end up calling the -function SyncAwaitTriggerFired(). - -SyncAwaitTriggerFired() frees the entire await resource, which removes -all triggers from that await - including pNext which may be another -trigger from the same await attached to the same fence. - -On the next iteration, ptl = pNext points to freed memory... - -To avoid the issue, we need to restart the iteration from the beginning -of the list each time a trigger fires, since the callback can modify the -list. - -CVE-2026-34001, ZDI-CAN-28706 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with TrendAI Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Acked-by: Peter Hutterer -Part-of: -Signed-off-by: rpm-build -Upstream-reference: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0.patch ---- - miext/sync/misync.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/miext/sync/misync.c b/miext/sync/misync.c -index 48234ef..77b4659 100644 ---- a/miext/sync/misync.c -+++ b/miext/sync/misync.c -@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence) - void - miSyncTriggerFence(SyncFence * pFence) - { -- SyncTriggerList *ptl, *pNext; -+ SyncTriggerList *ptl; -+ Bool triggered; - - pFence->funcs.SetTriggered(pFence); - - /* run through triggers to see if any fired */ -- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) { -- pNext = ptl->next; -- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) -- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); -- } -+ do { -+ triggered = FALSE; -+ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) { -+ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) { -+ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); -+ triggered = TRUE; -+ break; -+ } -+ } -+ } while (triggered); - } - - SyncScreenFuncsPtr --- -2.45.4 - diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2026-34003.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2026-34003.patch deleted file mode 100644 index 167947db64d..00000000000 --- a/SPECS/xorg-x11-server-Xwayland/CVE-2026-34003.patch +++ /dev/null @@ -1,331 +0,0 @@ -From ed9284eba3818f5f4a097da438a0b978f5bd32ce Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 23 Feb 2026 15:52:49 +0100 -Subject: [PATCH 1/2] xkb: Add additional bound checking in CheckKeyTypes() - -The function CheckKeyTypes() will loop over the client's request but -won't perform any additional bound checking to ensure that the data -read remains within the request bounds. - -As a result, a specifically crafted request may cause CheckKeyTypes() to -read past the request data, as reported by valgrind: - - == Invalid read of size 2 - == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) - == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) - == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) - == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) - == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) - == by 0x4A20DF: Dispatch (dispatch.c:551) - == by 0x4B03B4: dix_main (main.c:277) - == by 0x428941: main (stubmain.c:34) - == Address is 30 bytes after a block of size 28,672 in arena "client" - == - == Invalid read of size 2 - == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) - == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) - == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) - == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) - == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) - == by 0x4A20DF: Dispatch (dispatch.c:551) - == by 0x4B03B4: dix_main (main.c:277) - == by 0x428941: main (stubmain.c:34) - == Address is 2 bytes after a block of size 28,672 alloc'd - == at 0x4848897: realloc (vg_replace_malloc.c:1804) - == by 0x5E357A: ReadRequestFromClient (io.c:336) - == by 0x4A1FAB: Dispatch (dispatch.c:519) - == by 0x4B03B4: dix_main (main.c:277) - == by 0x428941: main (stubmain.c:34) - == - == Invalid write of size 2 - == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) - == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) - == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) - == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) - == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) - == by 0x4A20DF: Dispatch (dispatch.c:551) - == by 0x4B03B4: dix_main (main.c:277) - == by 0x428941: main (stubmain.c:34) - == Address is 2 bytes after a block of size 28,672 alloc'd - == at 0x4848897: realloc (vg_replace_malloc.c:1804) - == by 0x5E357A: ReadRequestFromClient (io.c:336) - == by 0x4A1FAB: Dispatch (dispatch.c:519) - == by 0x4B03B4: dix_main (main.c:277) - == by 0x428941: main (stubmain.c:34) - == - -To avoid that issue, add additional bounds checking within the loops by -calling _XkbCheckRequestBounds() and report an error if we are to read -past the client's request. - -CVE-2026-34003, ZDI-CAN-28736 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with TrendAI Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Acked-by: Peter Hutterer -Part-of: ---- - xkb/xkb.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 6c24941..66fa9e3 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -1638,6 +1638,10 @@ CheckKeyTypes(ClientPtr client, - for (i = 0; i < req->nTypes; i++) { - unsigned width; - -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { -+ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i); -+ return 0; -+ } - if (client->swapped && doswap) { - swaps(&wire->virtualMods); - } -@@ -1663,7 +1667,18 @@ CheckKeyTypes(ClientPtr client, - xkbModsWireDesc *preWire; - - mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1]; -+ if (!_XkbCheckRequestBounds(client, req, mapWire, -+ &mapWire[wire->nMapEntries])) { -+ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries); -+ return 0; -+ } - preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries]; -+ if (wire->preserve && -+ !_XkbCheckRequestBounds(client, req, preWire, -+ &preWire[wire->nMapEntries])) { -+ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries); -+ return 0; -+ } - for (n = 0; n < wire->nMapEntries; n++) { - if (client->swapped && doswap) { - swaps(&mapWire[n].virtualMods); --- -2.45.4 - - -From 1b240e9a26b0771eb2e8d0d52417855dff9d21f8 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 2 Mar 2026 14:09:57 +0100 -Subject: [PATCH 2/2] xkb: Add more _XkbCheckRequestBounds() - -Similar to the recent fixes, add more _XkbCheckRequestBounds() to the -functions that loop over the request data, i.e.: - - * CheckKeySyms() - * CheckKeyActions() - * CheckKeyBehaviors() - * CheckVirtualMods() - * CheckKeyExplicit() - * CheckVirtualModMap() - * _XkbSetMapChecks() - -All these are static functions so we can add the client to the parameters -without breaking any API. - -See also: -CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737 - -v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives. - -Signed-off-by: Olivier Fourdan -Acked-by: Peter Hutterer -Part-of: -Signed-off-by: rpm-build -Upstream-reference: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b.patch https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae.patch ---- - xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 55 insertions(+), 14 deletions(-) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 66fa9e3..7b6bd0a 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -1751,6 +1751,11 @@ CheckKeySyms(ClientPtr client, - KeySym *pSyms; - register unsigned nG; - -+ /* Check we received enough data to read the next xkbSymMapWireDesc */ -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { -+ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i); -+ return 0; -+ } - if (client->swapped && doswap) { - swaps(&wire->nSyms); - } -@@ -1789,6 +1794,12 @@ CheckKeySyms(ClientPtr client, - return 0; - } - pSyms = (KeySym *) &wire[1]; -+ if (wire->nSyms != 0) { -+ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) { -+ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms); -+ return 0; -+ } -+ } - wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms]; - } - -@@ -1812,11 +1823,12 @@ CheckKeySyms(ClientPtr client, - } - - static int --CheckKeyActions(XkbDescPtr xkb, -- xkbSetMapReq * req, -- int nTypes, -- CARD8 *mapWidths, -- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) -+CheckKeyActions(ClientPtr client, -+ XkbDescPtr xkb, -+ xkbSetMapReq * req, -+ int nTypes, -+ CARD8 *mapWidths, -+ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) - { - int nActs; - CARD8 *wire = *wireRtrn; -@@ -1827,6 +1839,11 @@ CheckKeyActions(XkbDescPtr xkb, - CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn), - 0); - for (nActs = i = 0; i < req->nKeyActs; i++) { -+ /* Check we received enough data to read the next byte on the wire */ -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { -+ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i); -+ return 0; -+ } - if (wire[0] != 0) { - if (wire[0] == symsPerKey[i + req->firstKeyAct]) - nActs += wire[0]; -@@ -1845,7 +1862,8 @@ CheckKeyActions(XkbDescPtr xkb, - } - - static int --CheckKeyBehaviors(XkbDescPtr xkb, -+CheckKeyBehaviors(ClientPtr client, -+ XkbDescPtr xkb, - xkbSetMapReq * req, - xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn) - { -@@ -1871,6 +1889,11 @@ CheckKeyBehaviors(XkbDescPtr xkb, - } - - for (i = 0; i < req->totalKeyBehaviors; i++, wire++) { -+ /* Check we received enough data to read the next behavior */ -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { -+ *errorRtrn = _XkbErrCode3(0x36, first, i); -+ return 0; -+ } - if ((wire->key < first) || (wire->key > last)) { - *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key); - return 0; -@@ -1896,7 +1919,8 @@ CheckKeyBehaviors(XkbDescPtr xkb, - } - - static int --CheckVirtualMods(XkbDescRec * xkb, -+CheckVirtualMods(ClientPtr client, -+ XkbDescRec * xkb, - xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) - { - register CARD8 *wire = *wireRtrn; -@@ -1908,12 +1932,18 @@ CheckVirtualMods(XkbDescRec * xkb, - if (req->virtualMods & bit) - nMods++; - } -+ /* Check we received enough data for the number of virtual mods expected */ -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) { -+ *errorRtrn = _XkbErrCode3(0x37, nMods, i); -+ return 0; -+ } - *wireRtrn = (wire + XkbPaddedSize(nMods)); - return 1; - } - - static int --CheckKeyExplicit(XkbDescPtr xkb, -+CheckKeyExplicit(ClientPtr client, -+ XkbDescPtr xkb, - xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) - { - register CARD8 *wire = *wireRtrn; -@@ -1939,6 +1969,11 @@ CheckKeyExplicit(XkbDescPtr xkb, - } - start = wire; - for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) { -+ /* Check we received enough data to read the next two bytes */ -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { -+ *errorRtrn = _XkbErrCode4(0x54, first, last, i); -+ return 0; -+ } - if ((wire[0] < first) || (wire[0] > last)) { - *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]); - return 0; -@@ -1990,7 +2025,8 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, - } - - static int --CheckVirtualModMap(XkbDescPtr xkb, -+CheckVirtualModMap(ClientPtr client, -+ XkbDescPtr xkb, - xkbSetMapReq * req, - xkbVModMapWireDesc ** wireRtrn, int *errRtrn) - { -@@ -2014,6 +2050,11 @@ CheckVirtualModMap(XkbDescPtr xkb, - return 0; - } - for (i = 0; i < req->totalVModMapKeys; i++, wire++) { -+ /* Check we received enough data to read the next virtual mod map key */ -+ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { -+ *errRtrn = _XkbErrCode3(0x74, first, i); -+ return 0; -+ } - if ((wire->key < first) || (wire->key > last)) { - *errRtrn = _XkbErrCode4(0x73, first, last, wire->key); - return 0; -@@ -2557,7 +2598,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, - } - - if ((req->present & XkbKeyActionsMask) && -- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey, -+ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey, - (CARD8 **) &values, &nActions))) { - client->errorValue = nActions; - return BadValue; -@@ -2565,18 +2606,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, - - if ((req->present & XkbKeyBehaviorsMask) && - (!CheckKeyBehaviors -- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { -+ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { - client->errorValue = error; - return BadValue; - } - - if ((req->present & XkbVirtualModsMask) && -- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) { -+ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) { - client->errorValue = error; - return BadValue; - } - if ((req->present & XkbExplicitComponentsMask) && -- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) { -+ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) { - client->errorValue = error; - return BadValue; - } -@@ -2587,7 +2628,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, - } - if ((req->present & XkbVirtualModMapMask) && - (!CheckVirtualModMap -- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) { -+ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) { - client->errorValue = error; - return BadValue; - } --- -2.45.4 - diff --git a/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.signatures.json b/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.signatures.json index 2d71bd963bd..8587c097408 100644 --- a/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.signatures.json +++ b/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "xwayland-24.1.6.tar.xz": "737e612ca36bbdf415a911644eb7592cf9389846847b47fa46dc705bd754d2d7" + "xwayland-24.1.12.tar.xz": "6df02c511b92c1b9848734d9d1b03a4c24f8375ba3cada44e9684a21b5f78e21" } } diff --git a/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec b/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec index c41df4ae175..53952de0b4b 100644 --- a/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec +++ b/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec @@ -10,8 +10,8 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Summary: Xwayland Name: xorg-x11-server-Xwayland -Version: 24.1.6 -Release: 4%{?dist} +Version: 24.1.12 +Release: 1%{?dist} License: MIT URL: http://www.x.org @@ -88,17 +88,6 @@ BuildRequires: pkgconfig(xcb-image) BuildRequires: pkgconfig(xcb-keysyms) BuildRequires: pkgconfig(xcb-renderutil) -Patch0: CVE-2025-49175.patch -Patch1: CVE-2025-49177.patch -Patch2: CVE-2025-49178.patch -Patch3: CVE-2025-49179.patch -Patch4: CVE-2025-49180.patch -Patch5: CVE-2025-62229.patch -Patch6: CVE-2025-62230.patch -Patch7: CVE-2025-62231.patch -Patch8: CVE-2026-33999.patch -Patch9: CVE-2026-34001.patch -Patch10: CVE-2026-34003.patch %description Xwayland is an X server for running X clients under Wayland. @@ -149,6 +138,9 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %{_libdir}/pkgconfig/xwayland.pc %changelog +* Tue Jun 09 2026 CBL-Mariner Servicing Account - 24.1.12-1 +- Auto-upgrade to 24.1.12 - for CVE-2026-50256, CVE-2026-50257, CVE-2026-50258, CVE-2026-50259, CVE-2026-50260, CVE-2026-50261, CVE-2026-50262 and CVE-2026-50263 + * Wed Apr 29 2026 Azure Linux Security Servicing Account - 24.1.6-4 - Patch for CVE-2026-34003, CVE-2026-34001, CVE-2026-33999 diff --git a/cgmanifest.json b/cgmanifest.json index 91b37690ce6..42dda0e8bf1 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -31108,8 +31108,8 @@ "type": "other", "other": { "name": "xorg-x11-server-Xwayland", - "version": "24.1.6", - "downloadUrl": "https://www.x.org/pub/individual/xserver/xwayland-24.1.6.tar.xz" + "version": "24.1.12", + "downloadUrl": "https://www.x.org/pub/individual/xserver/xwayland-24.1.12.tar.xz" } } },