From alan.coopersmith at oracle.com Sun Feb 2 18:53:42 2025 From: alan.coopersmith at oracle.com (Alan Coopersmith) Date: Sun, 2 Feb 2025 10:53:42 -0800 Subject: [ANNOUNCE] xhost 1.0.10 Message-ID: xhost is used to manage the list of host names or user names allowed to make connections to the X server. Alan Coopersmith (9): gitlab CI: stop requiring Signed-off-by in commits Remove "All rights reserved" from Oracle copyright notices xhost.man: Use .BR markup for all references to other man pages user2netname expects a MAXNETNAMELEN + 1 buffer, so give it one Clear trailing whitespace from lines in files reduce scope of #ifdef'ed variables to reduce #ifdefs Simplify ifdefs for IPv6 support if getaddrinfo() is available, use it, even if IPv6 support is disabled xhost 1.0.10 Peter Hutterer (1): Replace inet_addr()/inet_aton() with a call to inet_pton() git tag: xhost-1.0.10 https://xorg.freedesktop.org/archive/individual/app/xhost-1.0.10.tar.gz SHA256: 10a157a9c818e6ec17764ba22117e006089107a22aacf58be6de089a76a112f4 xhost-1.0.10.tar.gz SHA512: 6d8b63ff22c60b104499343bcc4e0b87e64ab7c02fd71da8d28b341e19d68f6fe453388784696023d330ad6d55925e1c3ab62ea042054ae64aab062989b38cb9 xhost-1.0.10.tar.gz PGP: https://xorg.freedesktop.org/archive/individual/app/xhost-1.0.10.tar.gz.sig https://xorg.freedesktop.org/archive/individual/app/xhost-1.0.10.tar.xz SHA256: a8afd70059479c712948b895e41c35a4a8bfcede3ba2d5a4b855c88bbb725be1 xhost-1.0.10.tar.xz SHA512: 65467b0a096455dae681f8397f5b8b0490a2f80db5cb9f92757cfff8d7822b43833202a275eed8467c6a6aaf3b02e0a7b1a069c5d587d32e56b1893297903051 xhost-1.0.10.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/app/xhost-1.0.10.tar.xz.sig -- -Alan Coopersmith- alan.coopersmith at oracle.com Oracle Solaris Engineering - https://blogs.oracle.com/solaris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From alan.coopersmith at oracle.com Sun Feb 2 22:19:40 2025 From: alan.coopersmith at oracle.com (Alan Coopersmith) Date: Sun, 2 Feb 2025 14:19:40 -0800 Subject: [ANNOUNCE] libX11 1.8.11 Message-ID: libX11 is the original client-side library for the core X11 protocol. This release includes: * Close xcb connection after freeing display structure to avoid XIO error when running synchronized (!264) * Don't allocate memory for a zero-sized list of directories when `SetFontPath()` is called with `ndirs == 0` (!266) * Fix `-Werror=array-bounds` build failures with gcc 14.2 when `MALLOC_0_RETURNS_NULL` is defined (!267) * Set `data` field to 0 when initializing new requests (!268) * ximcp: don't leak window if `XGetAtomName()` fails (!269) * ximcp: allow XNArea with OnTheSpot (!270) * ximcp: hide internal functions added in 1.8.10 (!271) * Handle `-Wextra-semi-stmt` warnings from clang (!272) * xkb: avoid undefined behavior due to left shift overflow (#225, !273) * Fix misuse of `UCSConvertCase()` in `XConvertCase()` (!274) * drop `pthread-stubs` dependency on Dragonfly, FreeBSD, & NetBSD (!277) Note that a bug in libXrender versions prior to December's 0.9.12 release will cause them to fail to build with the XlibInt.h header from this release, so packagers should be sure to update to libXrender 0.9.12 as well. Aaron Muir Hamilton (1): ximcp/imRm.c: allow XNArea with OnTheSpot Alan Coopersmith (26): SetFontPath: if ndirs is 0, skip work to make a list of directories _XlcDefaultMapModifiers: remove conversions between size_t & int _XimEncodingNegotiation: swap order of arguments to calloc _XimStrConversionCallback: use size_t to calculate size to malloc _XGetRequest: Set data field to 0 when initializing new requests ximcp: don't leak window if XGetAtomName() fails DeqAsyncHandler: add do ... while (0) to avoid -Wextra-semi-stmt warnings Data: add do ... while (0) to avoid -Wextra-semi-stmt warnings set_toupper: add do { ... } while (0) to avoid -Wextra-semi-stmt warnings BufAlloc: add do { ... } while (0) to avoid -Wextra-semi-stmt warnings _XkbCheckPendingRefresh: add do ... while (0) to avoid -Wextra-semi-stmt OneDataCard32: add do ... while (0) to avoid -Wextra-semi-stmt warnings _XCreateMutex/_XFreeMutex: remove trailing semicolon from definitions GetFunc: add do ... while (0) to avoid -Wextra-semi-stmt warnings PutCommandResource: add do ... while (0) to avoid -Wextra-semi-stmt warnings poly.h: add do ... while (0) to avoid -Wextra-semi-stmt warnings RETURN: add do ... while (0) to avoid -Wextra-semi-stmt warnings CI_GET_*_INFO_*: add do ... while (0) to avoid -Wextra-semi-stmt warnings xcb_io.c: add do ... while (0) to avoid -Wextra-semi-stmt warnings DL_APPEND/DL_DELETE: remove trailing semicolon from definitions Xrm.c: remove unneccessary ; after {} XIM_SET_PAD: add do ... while (0) to avoid -Wextra-semi-stmt warnings xkb: avoid undefined behavior due to left shift overflow cmsColNm: remove obsolete comment about FirstCmp being public configure: drop `pthread-stubs` dependency on Dragonfly, FreeBSD, & NetBSD libX11 1.8.11 Julien Cristau (1): ximcp: hide internal functions Olivier Fourdan (2): Close xcb connection after freeing display structure Fix indentation Pierre Le Marre (1): Fix misuse of UCSConvertCase in XConvertCase git tag: libX11-1.8.11 https://xorg.freedesktop.org/archive/individual/lib/libX11-1.8.11.tar.gz SHA256: 17a37d1597354a1d8040196f1cdac54240c78c0bd1a1a95e97cc23215cf0b734 libX11-1.8.11.tar.gz SHA512: d05b4b2e99d29c95e342c70dfb44a6c2de37105d9429a695891bb5772b137367213b37e12a8da1c865bff12a218ebdd984441fd1ed7e100cd30f045386d85833 libX11-1.8.11.tar.gz PGP: https://xorg.freedesktop.org/archive/individual/lib/libX11-1.8.11.tar.gz.sig https://xorg.freedesktop.org/archive/individual/lib/libX11-1.8.11.tar.xz SHA256: 3b74e82943924b45a0b778cc6842976909c3010d9445a8fd185e1dca4d380e88 libX11-1.8.11.tar.xz SHA512: 4e2191258039ad0ea7fe5d22b8b0ab5e1d101b20fa4cd0fb44c5e1ac8b2ffbb3a0ad80ac3a67a3803ca30b972476b739a0c244b2ac8b7de6a32b06dc4e2c674b libX11-1.8.11.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/lib/libX11-1.8.11.tar.xz.sig -- -Alan Coopersmith- alan.coopersmith at oracle.com Oracle Solaris Engineering - https://blogs.oracle.com/solaris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From ofourdan at redhat.com Wed Feb 5 13:52:49 2025 From: ofourdan at redhat.com (Olivier Fourdan) Date: Wed, 5 Feb 2025 14:52:49 +0100 Subject: [ANNOUNCE] xwayland 24.1.5 Message-ID: <46aa8aee-0867-40b7-b1ea-bada5023ef96@redhat.com> I am pleased to announce Xwayland 24.1.5, a bugfix release for the current stable 24.1 branch of Xwayland. Alan Coopersmith (6): os: NextDPMSTimeout: mark intentional fallthroughs in switch Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL render: avoid NULL pointer dereference if PictureFindVisual returns NULL dix: fix button offset when generating DeviceButtonStateNotify events dix: limit checks to MAX_VALUATORS when generating Xi events dix-config.h: add HAVE_SOCKLEN_T definition Julian Orth (2): xwayland: copy repeat settings from the compositor map xwayland: Don't run key behaviors and actions Michel D?nzer (5): xwayland/glamor/gbm: Don't close fence_fd after xwl_glamor_wait_fence xwayland/present: Check allow_commits in xwl_present_flip xwayland/glamor: Drop expecting_event bailing from xwl_drm_handle_device xwayland: Always decrement expecting_event in xwl_output_create xwayland/glamor: Clean-up GBM's screen private on failure Olivier Fourdan (5): xwayland: Do not keep the cursor's pixmap around xkb: Always use MAP_LENGTH keymap size os/connection: Make sure partial is initialized xwayland/glamor: Disable GLAMOR after GBM cleanup Bump version to 24.1.5 Pierre-Eric Pelloux-Prayer (3): glamor: return the result of gbm_format_for_depth glamor: use gbm_format_for_depth instead of open-coding it glamor: reject configs using unsupported rgbBits size YaoBing Xiao (1): xwayland: prevent potential null pointer dereference git tag: xwayland-24.1.5 https://xorg.freedesktop.org/archive/individual/xserver/xwayland-24.1.5.tar.xz SHA256: cb4bd170e6fa6b545ba0567be8f693d2eeccfc62d04c67037dd14f06daad361d xwayland-24.1.5.tar.xz SHA512: 4c821e62013c2c79edff364c3c5e34c58f9b0e0c411baba23d9ebe3fe1daf8bbb99e56b6041c5cba66a219d9f80c469a5ee1238cef728eda197f19e7bba1e74a xwayland-24.1.5.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xwayland-24.1.5.tar.xz.sig -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x14706DBE1E4B4540.asc Type: application/pgp-keys Size: 2988 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 203 bytes Desc: OpenPGP digital signature URL: From ofourdan at redhat.com Tue Feb 25 15:39:48 2025 From: ofourdan at redhat.com (Olivier Fourdan) Date: Tue, 25 Feb 2025 16:39:48 +0100 Subject: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Message-ID: <8511e4a8-8798-4d92-b61d-60be8eb85dda@redhat.com> ====================================================================== X.Org Security Advisory: February 25, 2025 Issues in X.Org X server prior to 21.1.16 and Xwayland prior to 24.1.6 ====================================================================== Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.16 and xwayland-24.1.6. 1) CVE-2025-26594: Use-after-free of the root cursor Introduced in: Unknown - Prior to X11R6.6 Xorg baseline Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The root cursor is referenced in the xserver as a global variable. If a client manages to free the root cursor, the internal reference points to freed memory and causes a use-after-free. xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue. 2) CVE-2025-26595: Buffer overflow in XkbVModMaskText() Introduced in: Prior to X11R6.1 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code however fails to check the bounds of the buffer correctly and would copy the data regardless of the size, which may lead to a buffer overflow. xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue. 3) CVE-2025-26596: Heap overflow in XkbWriteKeySyms() Introduced in: initial version of xc/programs/Xserver/xkb/xkb.c in X11R6 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The computation of the length in XkbSizeKeySyms() differs from what is actually written in XkbWriteKeySyms(), which may lead to a heap based buffer overflow. xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue. 4) CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey() Introduced in: X11R6.1 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative If XkbChangeTypesOfKey() is called with 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If later, the same function is called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size. 5) CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient() Introduced in: xorg-server-1.14.0 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The function GetBarrierDevice() searches for the pointer device based on its device id and returns the matching value, or supposedly NULL if no match was found. However the code will return the last element of the list if no matching device id was found which can lead to out of bounds memory access. 6) CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow() Introduced in: Xorg 6.8.0. Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without the validation of the window tree marked just before, which leaves the validate data partly initialized, and the use of an uninitialized pointer later. 7) CVE-2025-26600: Use-after-free in PlayReleasedEvents() Introduced in: X11R5 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative When a device is removed while still frozen, the events queued for that device remain while the device itself is freed and replaying the events will cause a use after free. 8) CVE-2025-26601: Use-after-free in SyncInitTrigger() Introduced in: X11R6 Fixed in: xorg-server-21.1.16 and xwayland-24.1.6 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object. This can be used to cause a use after free when the alarm eventually triggers. -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x14706DBE1E4B4540.asc Type: application/pgp-keys Size: 2988 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 203 bytes Desc: OpenPGP digital signature URL: From ofourdan at redhat.com Tue Feb 25 19:04:41 2025 From: ofourdan at redhat.com (Olivier Fourdan) Date: Tue, 25 Feb 2025 20:04:41 +0100 Subject: [ANNOUNCE] xorg-server 21.1.16 Message-ID: <52c54ec9-8942-4230-89f5-5401bd635e60@redhat.com> This release contains the fix for the issue reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html * CVE-2025-26594 * CVE-2025-26595 * CVE-2025-26596 * CVE-2025-26597 * CVE-2025-26598 * CVE-2025-26599 * CVE-2025-26600 * CVE-2025-26601 Additionally, it also contains several other fixes, see below: Alan Coopersmith (7): os: NextDPMSTimeout: mark intentional fallthroughs in switch xfree86: avoid memory leak on realloc failure Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL render: avoid NULL pointer dereference if PictureFindVisual returns NULL dix: fix button offset when generating DeviceButtonStateNotify events dix: limit checks to MAX_VALUATORS when generating Xi events modesetting: avoid memory leak when ms_present_check_unflip() returns FALSE Daniel Kahn Gillmor (1): autotools: enable static use of Nettle for SHA1 Doug Brown (1): dri2: Protect against dri2ClientPrivate assertion failures Olivier Fourdan (18): glamor: Fix possible double-free os: Fix NULL pointer dereference xkb: Always use MAP_LENGTH keymap size os/connection: Make sure partial is initialized test: Fix xsync test Cursor: Refuse to free the root cursor xkb: Fix buffer overflow in XkbVModMaskText() xkb: Fix computation of XkbSizeKeySyms xkb: Fix buffer overflow in XkbChangeTypesOfKey() Xi: Fix barrier device search composite: Handle failure to redirect in compRedirectWindow() composite: initialize border clip even when pixmap alloc fails dix: Dequeue pending events on frozen device on removal sync: Do not let sync objects uninitialized sync: Check values before applying changes sync: Do not fail SyncAddTriggerToSyncObject() sync: Apply changes last in SyncChangeAlarmAttributes() xserver 21.1.16 Patrik Jakobsson (1): modesetting: Fix dirty updates for sw rotation Peter Hutterer (3): dix: don't push the XKB state to a non-existing master keyboard Xi: when removing a master search for a disabled paired device dix: keep a ref to the rootCursor Tj (1): xfree86: fbdevhw: fix pci detection on recent Linux git tag: xorg-server-21.1.16 https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.gz SHA256: 59fa52b63f6f8747ee2c4716decb29ced249c4c574e2a18c96b7d3b1420f7fd9 xorg-server-21.1.16.tar.gz SHA512: d0cd176e4c7273b6870999a3d008ed282fd5609acb2e0919c16447af3a5b2228d8592424388a8ace67acf216cdfae3a2d52f7a7ba81f6071467c61d57f32f314 xorg-server-21.1.16.tar.gz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.gz.sig https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.xz SHA256: b14a116d2d805debc5b5b2aac505a279e69b217dae2fae2dfcb62400471a9970 xorg-server-21.1.16.tar.xz SHA512: 38fd4232a293a497d13f8b57e85e84cf6a531453a7d8d5de1a77d67ceaf8714d5770951a8a21f1b3f519e83be1fc0926dce269846e75a8b11aa1062dd507f67d xorg-server-21.1.16.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xorg-server-21.1.16.tar.xz.sig -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x14706DBE1E4B4540.asc Type: application/pgp-keys Size: 2988 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 203 bytes Desc: OpenPGP digital signature URL: From ofourdan at redhat.com Tue Feb 25 19:10:00 2025 From: ofourdan at redhat.com (Olivier Fourdan) Date: Tue, 25 Feb 2025 20:10:00 +0100 Subject: [ANNOUNCE] xwayland 24.1.6 Message-ID: This release contains the fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html * CVE-2025-26594 * CVE-2025-26595 * CVE-2025-26596 * CVE-2025-26597 * CVE-2025-26598 * CVE-2025-26599 * CVE-2025-26600 * CVE-2025-26601 Additionally, it reverts a recent Xkb change to fix an issue with gamescope. Olivier Fourdan (15): Revert "xwayland: Don't run key behaviors and actions" test: Fix xsync test Cursor: Refuse to free the root cursor xkb: Fix buffer overflow in XkbVModMaskText() xkb: Fix computation of XkbSizeKeySyms xkb: Fix buffer overflow in XkbChangeTypesOfKey() Xi: Fix barrier device search composite: Handle failure to redirect in compRedirectWindow() composite: initialize border clip even when pixmap alloc fails dix: Dequeue pending events on frozen device on removal sync: Do not let sync objects uninitialized sync: Check values before applying changes sync: Do not fail SyncAddTriggerToSyncObject() sync: Apply changes last in SyncChangeAlarmAttributes() Bump version to 24.1.6 Peter Hutterer (1): dix: keep a ref to the rootCursor git tag: xwayland-24.1.6 https://xorg.freedesktop.org/archive/individual/xserver/xwayland-24.1.6.tar.xz SHA256: 737e612ca36bbdf415a911644eb7592cf9389846847b47fa46dc705bd754d2d7 xwayland-24.1.6.tar.xz SHA512: b6dcc87f5c4d880cb23216518171a704c2a501803ac2efd9d01760895d755a617cd82313c6516f27a888b0581c64d74e3f8db5c238e1ae0d13da6cc1a547c02f xwayland-24.1.6.tar.xz PGP: https://xorg.freedesktop.org/archive/individual/xserver/xwayland-24.1.6.tar.xz.sig -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x14706DBE1E4B4540.asc Type: application/pgp-keys Size: 2988 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 203 bytes Desc: OpenPGP digital signature URL: