pool/xwayland
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xwayland/U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch

44 lines
1.4 KiB
Diff
Raw Normal View History

- Update to version 24.1.6: * This release contains the fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601. * Additionally, it reverts a recent Xkb change to fix an issue with gamescope. - Drop patches fixed upstream: * U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch * U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch * U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch * U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch * U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch * U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=100
2025-02-26 18:05:32 +00:00
From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Wed, 4 Dec 2024 15:49:43 +1000
Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.
Related to CVE-2025-26594, ZDI-CAN-25544
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
---
dix/main.c | 4 ++++
1 file changed, 4 insertions(+)
Index: xwayland-24.1.4/dix/main.c
===================================================================
--- xwayland-24.1.4.orig/dix/main.c
+++ xwayland-24.1.4/dix/main.c
@@ -234,6 +234,8 @@ dix_main(int argc, char *argv[], char *e
FatalError("could not open default cursor font");
}
+ rootCursor = RefCursor(rootCursor);
+
#ifdef PANORAMIX
/*
* Consolidate window and colourmap information for each screen
@@ -274,6 +276,8 @@ dix_main(int argc, char *argv[], char *e
Dispatch();
+ UnrefCursor(rootCursor);
+
UndisplayDevices();
DisableAllDevices();
Reference in New Issue Copy Permalink