Sync from SUSE:SLFO:Main xwayland revision 9f54ba4da86c50a8c0080729bcb84163

U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch

@@ -1,45 +0,0 @@
-From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 18:51:45 -0700
-Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
- to send reply
-
-CVE-2024-31080
-
-Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
-Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
----
- Xi/xiselectev.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
-index edcb8a0d3..ac1494987 100644
---- a/Xi/xiselectev.c
-+++ b/Xi/xiselectev.c
-@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
-     InputClientsPtr others = NULL;
-     xXIEventMask *evmask = NULL;
-     DeviceIntPtr dev;
-+    uint32_t length;
- 
-     REQUEST(xXIGetSelectedEventsReq);
-     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
-@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
-         }
-     }
- 
-+    /* save the value before SRepXIGetSelectedEvents swaps it */
-+    length = reply.length;
-     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
- 
-     if (reply.num_masks)
--        WriteToClient(client, reply.length * 4, buffer);
-+        WriteToClient(client, length * 4, buffer);
- 
-     free(buffer);
-     return Success;
--- 
-2.35.3
-

U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch

@@ -1,43 +0,0 @@
-From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 18:56:27 -0700
-Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
- to send reply
-
-CVE-2024-31081
-
-Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
----
- Xi/xipassivegrab.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
-index c9ac2f855..896233bec 100644
---- a/Xi/xipassivegrab.c
-+++ b/Xi/xipassivegrab.c
-@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-     GrabParameters param;
-     void *tmp;
-     int mask_len;
-+    uint32_t length;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
-     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-         }
-     }
- 
-+    /* save the value before SRepXIPassiveGrabDevice swaps it */
-+    length = rep.length;
-     WriteReplyToClient(client, sizeof(rep), &rep);
-     if (rep.num_modifiers)
--        WriteToClient(client, rep.length * 4, modifiers_failed);
-+        WriteToClient(client, length * 4, modifiers_failed);
- 
-  out:
-     free(modifiers_failed);
--- 
-2.35.3
-

U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch

@@ -1,110 +0,0 @@
-From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 30 Jan 2024 13:13:35 +1000
-Subject: [PATCH 4/4] render: fix refcounting of glyphs during
- ProcRenderAddGlyphs
-
-Previously, AllocateGlyph would return a new glyph with refcount=0 and a
-re-used glyph would end up not changing the refcount at all. The
-resulting glyph_new array would thus have multiple entries pointing to
-the same non-refcounted glyphs.
-
-AddGlyph may free a glyph, resulting in a UAF when the same glyph
-pointer is then later used.
-
-Fix this by returning a refcount of 1 for a new glyph and always
-incrementing the refcount for a re-used glyph, followed by dropping that
-refcount back down again when we're done with it.
-
-CVE-2024-31083, ZDI-CAN-22880
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
----
- render/glyph.c         |  5 +++--
- render/glyphstr.h |  1 +
- render/render.c        | 15 +++++++++++----
- 3 files changed, 15 insertions(+), 6 deletions(-)
-
-Index: xwayland-22.1.5/render/glyph.c
-===================================================================
---- xwayland-22.1.5.orig/render/glyph.c
-+++ xwayland-22.1.5/render/glyph.c
-@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
-     }
- }
- 
--static void
-+void
- FreeGlyph(GlyphPtr glyph, int format)
- {
-     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
-+    BUG_RETURN(glyph->refcnt == 0);
-     if (--glyph->refcnt == 0) {
-         GlyphRefPtr gr;
-         int i;
-@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdept
-     glyph = (GlyphPtr) malloc(size);
-     if (!glyph)
-         return 0;
--    glyph->refcnt = 0;
-+    glyph->refcnt = 1;
-     glyph->size = size + sizeof(xGlyphInfo);
-     glyph->info = *gi;
-     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
-Index: xwayland-22.1.5/render/glyphstr.h
-===================================================================
---- xwayland-22.1.5.orig/render/glyphstr.h
-+++ xwayland-22.1.5/render/glyphstr.h
-@@ -109,6 +109,8 @@ extern GlyphPtr FindGlyph(GlyphSetPtr gl
- 
- extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
- 
-+extern void FreeGlyph(GlyphPtr glyph, int format);
-+
- extern Bool
-  ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
- 
-Index: xwayland-22.1.5/render/render.c
-===================================================================
---- xwayland-22.1.5.orig/render/render.c
-+++ xwayland-22.1.5/render/render.c
-@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
- 
-         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
-             glyph_new->found = TRUE;
-+            ++glyph_new->glyph->refcnt;
-         }
-         else {
-             GlyphPtr glyph;
-@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
-         err = BadAlloc;
-         goto bail;
-     }
--    for (i = 0; i < nglyphs; i++)
-+    for (i = 0; i < nglyphs; i++) {
-         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
-+        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
-+    }
- 
-     if (glyphsBase != glyphsLocal)
-         free(glyphsBase);
-@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
-         FreePicture((void *) pSrc, 0);
-     if (pSrcPix)
-         FreeScratchPixmapHeader(pSrcPix);
--    for (i = 0; i < nglyphs; i++)
--        if (glyphs[i].glyph && !glyphs[i].found)
--            free(glyphs[i].glyph);
-+    for (i = 0; i < nglyphs; i++) {
-+        if (glyphs[i].glyph) {
-+            --glyphs[i].glyph->refcnt;
-+            if (!glyphs[i].found)
-+                free(glyphs[i].glyph);
-+        }
-+    }
-     if (glyphsBase != glyphsLocal)
-         free(glyphsBase);
-     return err;

U_CVE-2025-49175-render-Avoid-0-or-less-animated-cursors.patch

@@ -0,0 +1,83 @@
+From 8c5f521c0492941794301afe107a2ee5030128af Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 28 Mar 2025 09:43:52 +0100
+Subject: [PATCH xserver] render: Avoid 0 or less animated cursors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ |    at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ |    by 0x4A1E9D: Dispatch (dispatch.c:560)
+ |    by 0x4B0169: dix_main (main.c:284)
+ |    by 0x4287F5: main (stubmain.c:34)
+ |  Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ |    at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ |    by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ |    by 0x4A1E9D: Dispatch (dispatch.c:560)
+ |    by 0x4B0169: dix_main (main.c:284)
+ |    by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ |    at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ |    by 0x4A1E9D: Dispatch (dispatch.c:560)
+ |    by 0x4B0169: dix_main (main.c:284)
+ |    by 0x4287F5: main (stubmain.c:34)
+ |  Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+---
+ render/animcur.c | 3 +++
+ render/render.c  | 2 ++
+ 2 files changed, 5 insertions(+)
+
+Index: xwayland-24.1.6/render/animcur.c
+===================================================================
+--- xwayland-24.1.6.orig/render/animcur.c
++++ xwayland-24.1.6/render/animcur.c
+@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CAR
+     int rc = BadAlloc, i;
+     AnimCurPtr ac;
+ 
++    if (ncursor <= 0)
++        return BadValue;
++
+     for (i = 0; i < screenInfo.numScreens; i++)
+         if (!GetAnimCurScreen(screenInfo.screens[i]))
+             return BadImplementation;
+Index: xwayland-24.1.6/render/render.c
+===================================================================
+--- xwayland-24.1.6.orig/render/render.c
++++ xwayland-24.1.6/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr cli
+     ncursor =
+         (client->req_len -
+          (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++    if (ncursor <= 0)
++        return BadValue;
+     cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+     if (!cursors)
+         return BadAlloc;

U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch

@@ -0,0 +1,30 @@
+From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: xorg-server-21.1.15/os/io.c
+===================================================================
+--- xorg-server-21.1.15.orig/os/io.c
++++ xorg-server-21.1.15/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+                     needed = get_big_req_len(request, client);
+             }
+             client->req_len = needed;
++            if (needed > MAXINT >> 2)
++                return -(BadLength);
+             needed <<= 2;
+         }
+         if (gotnow < needed) {

U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch

@@ -0,0 +1,84 @@
+From d725dfd9455ab1e5393ec46f1cd725e3a784b9cc Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 7 Apr 2025 16:13:34 +0200
+Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The BigRequest extension allows request larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+---
+ dix/dispatch.c | 9 +++++----
+ os/io.c        | 4 ++++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+Index: xwayland-24.1.6/dix/dispatch.c
+===================================================================
+--- xwayland-24.1.6.orig/dix/dispatch.c
++++ xwayland-24.1.6/dix/dispatch.c
+@@ -517,9 +517,10 @@ Dispatch(void)
+ 
+                 /* now, finally, deal with client requests */
+                 result = ReadRequestFromClient(client);
+-                if (result <= 0) {
+-                    if (result < 0)
+-                        CloseDownClient(client);
++                if (result == 0)
++                    break;
++                else if (result == -1) {
++                    CloseDownClient(client);
+                     break;
+                 }
+ 
+@@ -540,7 +541,7 @@ Dispatch(void)
+                                           client->index,
+                                           client->requestBuffer);
+ #endif
+-                if (result > (maxBigRequestSize << 2))
++                if (result < 0 || result > (maxBigRequestSize << 2))
+                     result = BadLength;
+                 else {
+                     result = XaceHookDispatch(client, client->majorOp);
+Index: xwayland-24.1.6/os/io.c
+===================================================================
+--- xwayland-24.1.6.orig/os/io.c
++++ xwayland-24.1.6/os/io.c
+@@ -299,6 +299,10 @@ ReadRequestFromClient(ClientPtr client)
+                 needed = get_big_req_len(request, client);
+         }
+         client->req_len = needed;
++        if (needed > MAXINT >> 2) {
++            /* Check for potential integer overflow */
++            return -(BadLength);
++        }
+         needed <<= 2;           /* needed is in bytes now */
+     }
+     if (gotnow < needed) {

U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch

@@ -0,0 +1,47 @@
+From eb1c0386535c5a6451cbf21ca351087ebfafb025 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:05:36 +0200
+Subject: [PATCH xserver] xfixes: Check request length for
+ SetClientDisconnectMode
+
+The handler of XFixesSetClientDisconnectMode does not check the client
+request length.
+
+A client could send a shorter request and read data from a former
+request.
+
+Fix the issue by checking the request size matches.
+
+CVE-2025-49177
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: xwayland-24.1.6/xfixes/disconnect.c
+===================================================================
+--- xwayland-24.1.6.orig/xfixes/disconnect.c
++++ xwayland-24.1.6/xfixes/disconnect.c
+@@ -69,6 +69,7 @@ ProcXFixesSetClientDisconnectMode(Client
+     ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+ 
+     REQUEST(xXFixesSetClientDisconnectModeReq);
++    REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+ 
+     pDisconnect->disconnect_mode = stuff->disconnect_mode;
+ 
+@@ -82,7 +83,7 @@ SProcXFixesSetClientDisconnectMode(Clien
+ 
+     swaps(&stuff->length);
+ 
+-    REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++    REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+ 
+     swapl(&stuff->disconnect_mode);
+ 

U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch

@@ -0,0 +1,42 @@
+From 247f1622fa8d48783b4ed5d5154791c171f00e18 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input
+ buffer
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: xwayland-24.1.6/os/io.c
+===================================================================
+--- xwayland-24.1.6.orig/os/io.c
++++ xwayland-24.1.6/os/io.c
+@@ -445,7 +445,7 @@ ReadRequestFromClient(ClientPtr client)
+      */
+ 
+     gotnow -= needed;
+-    if (!gotnow)
++    if (!gotnow && !oci->ignoreBytes)
+         AvailableInput = oc;
+     if (move_header) {
+         if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {

U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch

@@ -0,0 +1,58 @@
+From 244101ac9d4c6963416cfc74f2174d440f1cb4b6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 11:47:15 +0200
+Subject: [PATCH xserver] record: Check for overflow in
+ RecordSanityCheckRegisterClients()
+
+The RecordSanityCheckRegisterClients() checks for the request length,
+but does not check for integer overflow.
+
+A client might send a very large value for either the number of clients
+or the number of protocol ranges that will cause an integer overflow in
+the request length computation, defeating the check for request length.
+
+To avoid the issue, explicitly check the number of clients against the
+limit of clients (which is much lower than an maximum integer value) and
+the number of protocol ranges (multiplied by the record length) do not
+exceed the maximum integer value.
+
+This way, we ensure that the final computation for the request length
+will not overflow the maximum integer limit.
+
+CVE-2025-49179
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: xwayland-24.1.6/record/record.c
+===================================================================
+--- xwayland-24.1.6.orig/record/record.c
++++ xwayland-24.1.6/record/record.c
+@@ -37,6 +37,7 @@ and Jim Haggerty of Metheus.
+ #endif
+ 
+ #include "dix/eventconvert.h"
++#include "os/osdep.h"
+ 
+ #include "dixstruct.h"
+ #include "extnsionst.h"
+@@ -1299,6 +1300,13 @@ RecordSanityCheckRegisterClients(RecordC
+     int i;
+     XID recordingClient;
+ 
++    /* LIMITCLIENTS is 2048 at max, way less that MAXINT */
++    if (stuff->nClients > LIMITCLIENTS)
++        return BadValue;
++
++    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++        return BadValue;
++
+     if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+         4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+         return BadLength;

U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch

@@ -0,0 +1,37 @@
+From ca652633c02ceb054143207d71d24a8123733c27 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 20 May 2025 15:18:19 +0200
+Subject: [PATCH xserver 1/2] randr: Check for overflow in
+ RRChangeProviderProperty()
+
+A client might send a request causing an integer overflow when computing
+the total size to allocate in RRChangeProviderProperty().
+
+To avoid the issue, check that total length in bytes won't exceed the
+maximum integer value.
+
+CVE-2025-49180
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ randr/rrproviderproperty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: xwayland-24.1.6/randr/rrproviderproperty.c
+===================================================================
+--- xwayland-24.1.6.orig/randr/rrproviderproperty.c
++++ xwayland-24.1.6/randr/rrproviderproperty.c
+@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr p
+ 
+     if (mode == PropModeReplace || len > 0) {
+         void *new_data = NULL, *old_data = NULL;
+-
++        if (total_len > MAXINT / size_in_bytes)
++            return BadValue;
+         total_size = total_len * size_in_bytes;
+         new_value.data = (void *) malloc(total_size);
+         if (!new_value.data && total_size) {

U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch

@@ -1,74 +0,0 @@
-From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 5 Apr 2024 15:24:49 +0200
-Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
-
-ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
-then frees it using FreeGlyph() to decrease the reference count, after
-AddGlyph() has increased it.
-
-AddGlyph() however may chose to reuse an existing glyph if it's already
-in the glyphSet, and free the glyph that was given, in which case the
-caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
-already freed glyph, as reported by ASan:
-
-  READ of size 4 thread T0
-    #0 in FreeGlyph xserver/render/glyph.c:252
-    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
-    #2 in Dispatch xserver/dix/dispatch.c:546
-    #3 in dix_main xserver/dix/main.c:271
-    #4 in main xserver/dix/stubmain.c:34
-    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-    #6 in __libc_start_main_impl ../csu/libc-start.c:360
-    #7  (/usr/bin/Xwayland+0x44fe4)
-  Address is located 0 bytes inside of 64-byte region
-  freed by thread T0 here:
-    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
-    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
-    #2 in AddGlyph xserver/render/glyph.c:295
-    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
-    #4 in Dispatch xserver/dix/dispatch.c:546
-    #5 in dix_main xserver/dix/main.c:271
-    #6 in main xserver/dix/stubmain.c:34
-    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  previously allocated by thread T0 here:
-    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
-    #1 in AllocateGlyph xserver/render/glyph.c:355
-    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
-    #3 in Dispatch xserver/dix/dispatch.c:546
-    #4 in dix_main xserver/dix/main.c:271
-    #5 in main xserver/dix/stubmain.c:34
-    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
-
-To avoid that, make sure not to free the given glyph in AddGlyph().
-
-v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
-v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
-
-Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
-Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
----
- render/glyph.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/render/glyph.c b/render/glyph.c
-index d5fc5f3c9..f5069d42f 100644
---- a/render/glyph.c
-+++ b/render/glyph.c
-@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
-     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
-                       TRUE, glyph->sha1);
-     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
--        FreeGlyphPicture(glyph);
--        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
-         glyph = gr->glyph;
-     }
-     else if (gr->glyph != glyph) {
--- 
-2.35.3
-

xwayland.changes

@@ -1,22 +1,272 @@
 -------------------------------------------------------------------
-Wed Apr 10 13:50:16 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+Sun Jun 22 12:27:52 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
 
-- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
-  * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, 
-    boo#1222442, gitlab xserver issue #1659)
+- U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch
+  * additional fix for CVE-2025-49176
 
 -------------------------------------------------------------------
-Thu Apr  4 13:34:37 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+Thu Jun  5 12:55:30 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
 
-- U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
-  * Xi: ProcXIGetSelectedEvents needs to use unswapped length 
-    (CVE-2024-31080, bsc#1222309)
-- U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
-  * Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply
-    (CVE-2024-31081, bsc#1222310) 
-- U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
-  * render: fix refcounting of glyphs during ProcRenderAddGlyphs
-    (CVE-2024-31083, bsc#1222312)
+- U_CVE-2025-49175-render-Avoid-0-or-less-animated-cursors.patch
+  * Out-of-bounds access in X Rendering extension (Animated cursors)
+    (CVE-2025-49175, bsc#1244082)
+- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
+  * Integer overflow in Big Requests Extension
+    (CVE-2025-49176, bsc#1244084)
+- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
+  * Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
+    (CVE-2025-49177, bsc#1244085)
+- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
+  * Unprocessed client request via bytes to ignore 
+    (CVE-2025-49178, bsc#1244087)
+- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
+  * Integer overflow in X Record extension
+    (CVE-2025-49179, bsc#1244089)
+- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
+  * Integer overflow in RandR extension (RRChangeProviderProperty)
+    (CVE-2025-49180, bsc#1244090)
+
+-------------------------------------------------------------------
+Tue Feb 25 22:20:48 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 24.1.6:
+  * This release contains the fixes for the issues reported in
+    today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
+    CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597,
+    CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601.
+  * Additionally, it reverts a recent Xkb change to fix an issue
+    with gamescope.
+- Drop patches fixed upstream:
+  * U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
+  * U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
+  * U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
+  * U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
+  * U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
+  * U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
+  * U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
+  * U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
+  * U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
+  * U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
+  * U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
+  * U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
+  * U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
+
+-------------------------------------------------------------------
+Tue Feb 25 18:08:33 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
+
+- U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
+  U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
+  * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427)
+- U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
+  * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429)
+- U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
+  * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430)
+- U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
+  * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431)
+- U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
+  * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432)
+- U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
+  U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
+  * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433)
+- U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
+  * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434)
+- U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
+  U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
+  U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
+  U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
+  * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435)
+
+-------------------------------------------------------------------
+Thu Feb  6 11:54:10 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to 24.1.5
+  * os: NextDPMSTimeout: mark intentional fallthroughs in switch
+  * Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL
+  * render: avoid NULL pointer dereference if PictureFindVisual returns NULL
+  * dix: fix button offset when generating DeviceButtonStateNotify events
+  * dix: limit checks to MAX_VALUATORS when generating Xi events
+  * dix-config.h: add HAVE_SOCKLEN_T definition
+  * xwayland: copy repeat settings from the compositor map
+  * xwayland: Don't run key behaviors and actions
+  * xwayland/glamor/gbm: Don't close fence_fd after xwl_glamor_wait_fence
+  * xwayland/present: Check allow_commits in xwl_present_flip
+  * xwayland/glamor: Drop expecting_event bailing from xwl_drm_handle_device
+  * xwayland: Always decrement expecting_event in xwl_output_create
+  * xwayland/glamor: Clean-up GBM's screen private on failure
+  * xwayland: Do not keep the cursor's pixmap around
+  * xkb: Always use MAP_LENGTH keymap size
+  * os/connection: Make sure partial is initialized
+  * xwayland/glamor: Disable GLAMOR after GBM cleanup
+  * glamor: return the result of gbm_format_for_depth
+  * glamor: use gbm_format_for_depth instead of open-coding it
+  * glamor: reject configs using unsupported rgbBits size
+  * xwayland: prevent potential null pointer dereference
+
+-------------------------------------------------------------------
+Tue Oct 29 19:29:21 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Security update 24.1.4
+  This release addresses the following security issue
+  * CVE-2024-9632: Heap-based buffer overflow privilege escalation
+    in _XkbSetCompatMap (bsc#1231565)
+
+-------------------------------------------------------------------
+Thu Oct  3 21:35:10 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to bugfix release 24.1.3
+  * dix: check for calloc() failure in Xi event conversion routines
+  * dix: PolyText: fully initialize local_closure
+  * dix: SetFontPath: don't set errorValue on Success
+  * dix: enterleave.c: fix implicit fallthrough warnings
+  * dix: CreateScratchGC: avoid dereference of pointer we just set to NULL
+  * dix: InitPredictableAccelerationScheme: avoid memory leak on failure
+  * dix: dixChangeWindowProperty: don't call memcpy if malloc failed
+  * dix: ProcListProperties: skip unneeded work if numProps is 0
+  * dix: HashResourceID: use unsigned integers for bit shifting
+  * dix: GetPairedDevice: check if GetMaster returned NULL
+  * dix: FindBestPixel: fix implicit fallthrough warning
+  * CI: clone libdecor from fd.o instead of gnome.org
+  * CI: update libdecor from 0.1.0 to 0.1.1
+  * Don't crash if the client argv or argv[0] is NULL.
+  * Return NULL in *cmdname if the client argv or argv[0] is NULL
+  * xwayland: connect to the wl display before calling into EGL
+  * xwayland: Report correct mode size when rootful
+  * build: Move epoll dependency check
+  * build: Add epoll to Xwayland for DragonFly and OpenBSD
+  * build: Fix DRI3 on DragonFly and OpenBSD
+  * os: Fix NULL pointer dereference
+  * dix: don't push the XKB state to a non-existing master keyboard
+  * Xi: when removing a master search for a disabled paired device
+
+-------------------------------------------------------------------
+Tue Sep 24 11:24:48 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- added conflicts to patterns-wsl-tmpfiles as this patterns package
+  creates a symlink from /tmp/.X11-unix to /mnt/wslg/.X11-unix and
+  therefore prevents Xwayland from creating this needed directory
+  (bsc#1230755)
+
+-------------------------------------------------------------------
+Sat Aug 24 20:14:05 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to bugfix release 24.1.2
+  * This release addresses several issues, including the first
+    events being skipped with input emulation using libEI or a fix
+    with rendering using the UYVY format with the X-Video extension
+    using GLAMOR.
+
+-------------------------------------------------------------------
+Thu Jul 11 13:46:12 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- added version specific requirements for dri3proto, presentproto
+  and wayland-protocols
+
+-------------------------------------------------------------------
+Thu Jul 11 13:17:54 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- This supersedes the following patches
+  * U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
+  * U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
+  * U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+  * U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch 
+  which fixed security issues 
+  * CVE-2024-31080 (bsc#1222309)
+  * CVE-2024-31081 (bsc#1222310)
+  * CVE-2024-31083 (bsc#1222312)
+  and a regression due to a security fix for CVE-2024-31083 (bsc#1222312,
+  boo#1222442, gitlab xserver issue #1659)
+
+-------------------------------------------------------------------
+Thu Jul 11 11:43:22 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to bugfix release 24.1.1 for the current stable 24.1
+  branch of Xwayland
+  * xwayland: fix segment fault in `xwl_glamor_gbm_init_main_dev`
+  * os: Explicitly include X11/Xmd.h for CARD32 definition to fix
+    building on i686
+  * present: On *BSD, epoll-shim is needed to emulate eventfd()
+  * xwayland: Stop on first unmapped child
+  * xwayland/window-buffers: Promote xwl_window_buffer
+  * xwayland/window-buffers: Add xwl_window_buffer_release()
+  * xwayland/glamor/gbm: Copy explicit sync code to GLAMOR/GBM
+  * xwayland/window-buffers: Use synchronization from GLAMOR/GBM
+  * xwayland/window-buffers: Do not always set syncpnts
+  * xwayland/window-buffers: Move code to submit pixmaps
+  * xwayland/window-buffers: Set syncpnts for all pixmaps
+  * xwayland: Move xwl_window disposal to its own function
+  * xwayland: Make sure we do not leak xwl_window on destroy
+  * wayland/window-buffers: Move buffer disposal to its own function
+  * xwayland/window-buffers: optionally force disposal
+  * wayland: Force disposal of windows buffers for root on destroy
+  * xwayland: Check for pointer in xwl_seat_leave_ptr()
+  * xwayland: remove includedir from pkgconfig
+
+-------------------------------------------------------------------
+Wed Jun  5 11:27:13 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- disable DPMS on sle15 due to missing proto package
+
+-------------------------------------------------------------------
+Wed May 15 17:19:45 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to feature release 24.1.0
+  * This fixes a couple of regressions introduced in the previous release
+    candidate versions along with a fix for XTEST emulation with EI.
+    + xwayland: Send ei_device_frame on device_scroll_discrete
+    + xwayland: Restore the ResizeWindow handler
+    + xwayland: Handle rootful resize in ResizeWindow
+    + xwayland: Move XRandR emulation to the ResizeWindow hook
+    + xwayland: Use correct xwl_window lookup function in xwl_set_shape
+- eglstreams has been dropped
+
+-------------------------------------------------------------------
+Wed May 15 17:14:44 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to bug fix relesae 23.2.7
+  * m4: drop autoconf leftovers
+  * xwayland: Send ei_device_frame on device_scroll_discrete
+  * xwayland: Call drmFreeDevice for dma-buf default feedback
+  * xwayland: Use drmDevicesEqual in xwl_dmabuf_feedback_tranche_done
+  * dri3: Free formats in cache_formats_and_modifiers
+  * xwayland/glamor: Handle depth 15 in gbm_format_for_depth
+  * Revert "xwayland/glamor: Avoid implicit redirection with depth 32 parent windows"
+  * xwayland: Check for outputs before lease devices
+  * xwayland: Do not remove output on withdraw if leased
+
+-------------------------------------------------------------------
+Tue Apr  9 13:30:07 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to 23.2.6
+  * This is a quick bug fix release to address a regression
+    introduced by the fix for CVE-2024-31083 in xwayland-23.2.5.
+
+-------------------------------------------------------------------
+Thu Apr  4 08:07:32 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- Security update 23.2.5 
+  This release contains the 3 security fixes that actually apply to
+  Xwayland reported in the security advisory of April 3rd 2024
+  * CVE-2024-31080
+  * CVE-2024-31081
+  * CVE-2024-31083
+  Additionally, it also contains a couple of other fixes, a copy/paste
+  error in the DeviceStateNotify event and a fix to enable buttons with
+  pointer gestures for backward compatibility with legacy X11 clients.
+
+-------------------------------------------------------------------
+Thu Feb 15 17:13:03 UTC 2024 - Joan Torres <joan.torres@suse.com>
+
+- Don't provide xorg-x11-server-source
+  * xwayland sources are not meant for a generic server.
+  * https://github.com/TigerVNC/tigervnc/issues/1728
+
+-------------------------------------------------------------------
+Thu Feb 15 10:41:13 UTC 2024 - Joan Torres <joan.torres@suse.com>
+
+- Provide xorg-x11-server-source from xwayland
+  * xwayland will be more updated than xorg-x11-server, so the server sources 
+    will be more updated too if are provided by xwayland.
+  * Fixes bsc#1219892.
 
 -------------------------------------------------------------------
 Wed Jan 17 10:20:50 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

xwayland.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package xwayland
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,15 +16,13 @@
 #
 
 
-%define have_wayland_eglstream 1
-
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir /var/adm/fillup-templates
 %endif
 
 Name:           xwayland
-Version:        23.2.4
+Version:        24.1.6
 Release:        0
 URL:            http://xorg.freedesktop.org
 Summary:        Xwayland Xserver
@@ -33,10 +31,13 @@ Group:          System/X11/Servers/XF86_4
 Source0:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2:        xwayland.keyring
-Patch1222309:   U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
-Patch1222310:   U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
-Patch1222312:   U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
-Patch1222442:   U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+Patch1244082:   U_CVE-2025-49175-render-Avoid-0-or-less-animated-cursors.patch
+Patch1244084:   U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
+Patch1244085:   U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
+Patch1244087:   U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
+Patch1244089:   U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
+Patch1244090:   U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
+Patch1244092:   U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch
 BuildRequires:  meson
 BuildRequires:  ninja
 BuildRequires:  pkgconfig
@@ -45,7 +46,7 @@ BuildRequires:  pkgconfig(bigreqsproto)
 BuildRequires:  pkgconfig(compositeproto)
 BuildRequires:  pkgconfig(damageproto)
 BuildRequires:  pkgconfig(dri)
-BuildRequires:  pkgconfig(dri3proto)
+BuildRequires:  pkgconfig(dri3proto) >= 1.4
 BuildRequires:  pkgconfig(epoxy)
 BuildRequires:  pkgconfig(fixesproto)
 BuildRequires:  pkgconfig(fontsproto)
@@ -67,7 +68,7 @@ BuildRequires:  pkgconfig(libtirpc)
 BuildRequires:  pkgconfig(libxcvt)
 BuildRequires:  pkgconfig(openssl)
 BuildRequires:  pkgconfig(pixman-1)
-BuildRequires:  pkgconfig(presentproto)
+BuildRequires:  pkgconfig(presentproto) >= 1.4
 BuildRequires:  pkgconfig(randrproto)
 BuildRequires:  pkgconfig(recordproto)
 BuildRequires:  pkgconfig(renderproto)
@@ -75,10 +76,7 @@ BuildRequires:  pkgconfig(resourceproto)
 BuildRequires:  pkgconfig(scrnsaverproto)
 BuildRequires:  pkgconfig(videoproto)
 BuildRequires:  pkgconfig(wayland-client) >= 1.21.0
-BuildRequires:  pkgconfig(wayland-protocols)
-%if 0%{?have_wayland_eglstream} == 1
-BuildRequires:  pkgconfig(wayland-eglstream-protocols)
-%endif
+BuildRequires:  pkgconfig(wayland-protocols) >= 1.34
 BuildRequires:  pkgconfig(xau)
 BuildRequires:  pkgconfig(xcb)
 BuildRequires:  pkgconfig(xcb-damage)
@@ -109,6 +107,7 @@ Requires:       libpixman-1-0
 %endif
 Obsoletes:      xorg-x11-server-wayland < %{version}
 Provides:       xorg-x11-server-wayland = %{version}
+Conflicts:      patterns-wsl-tmpfiles
 
 %description
 This package contains the Xserver running on the Wayland Display Server.
@@ -135,9 +134,6 @@ This package contains the Xwayland Server development files.
 %build
 %{meson} \
    -Dglamor=true \
-%if 0%{?have_wayland_eglstream} == 1
-   -Dxwayland_eglstream=true \
-%endif
    -Dxvfb=true \
    -Dglx=true \
    -Dxdmcp=true \
@@ -151,7 +147,9 @@ This package contains the Xwayland Server development files.
    -Dlisten_tcp=false \
    -Dlisten_unix=true \
    -Dlisten_local=true \
-   -Ddpms=true \
+%if 0%{?suse_version} < 1550
+   -Ddpms=false \
+%endif
    -Dxf86bigfont=true \
    -Dscreensaver=true \
    -Dxres=true \