Stefan Dirsch
f15e897874
U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) - U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) - U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) - U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) - U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) - U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=907
44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Wed, 4 Dec 2024 15:49:43 +1000
|
|
Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
|
|
|
|
CreateCursor returns a cursor with refcount 1 - that refcount is used by
|
|
the resource system, any caller needs to call RefCursor to get their own
|
|
reference. That happens correctly for normal cursors but for our
|
|
rootCursor we keep a variable to the cursor despite not having a ref for
|
|
ourselves.
|
|
|
|
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
|
|
valid.
|
|
|
|
Related to CVE-2025-26594, ZDI-CAN-25544
|
|
|
|
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
---
|
|
dix/main.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
Index: xorg-server-21.1.14/dix/main.c
|
|
===================================================================
|
|
--- xorg-server-21.1.14.orig/dix/main.c
|
|
+++ xorg-server-21.1.14/dix/main.c
|
|
@@ -233,6 +233,8 @@ dix_main(int argc, char *argv[], char *e
|
|
FatalError("could not open default cursor font");
|
|
}
|
|
|
|
+ rootCursor = RefCursor(rootCursor);
|
|
+
|
|
#ifdef PANORAMIX
|
|
/*
|
|
* Consolidate window and colourmap information for each screen
|
|
@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *e
|
|
|
|
Dispatch();
|
|
|
|
+ UnrefCursor(rootCursor);
|
|
+
|
|
UndisplayDevices();
|
|
DisableAllDevices();
|
|
|