commit 6c10e3edc43df4aed024828fedd8f45c857a319af967536017254cee7d39e9e1 Author: Stefan Dirsch Date: Tue Feb 25 18:13:24 2025 +0000 - U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) - U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) - U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) - U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) - U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) - U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=98 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch b/U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
new file mode 100644
index 0000000..127e991
--- /dev/null
+++ b/U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
@@ -0,0 +1,49 @@
+From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Wed, 27 Nov 2024 11:27:05 +0100
+Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a cursor reference count drops to 0, the cursor is freed.
+
+The root cursor however is referenced with a specific global variable,
+and when the root cursor is freed, the global variable may still point
+to freed memory.
+
+Make sure to prevent the rootCursor from being explicitly freed by a
+client.
+
+CVE-2025-26594, ZDI-CAN-25544
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
+)
+v3: Return BadCursor instead of BadValue (Michel Dänzer
+)
+
+Signed-off-by: Olivier Fourdan
+Suggested-by: Peter Hutterer
+Reviewed-by: Peter Hutterer
+---
+ dix/dispatch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: xwayland-24.1.4/dix/dispatch.c
+===================================================================
+--- xwayland-24.1.4.orig/dix/dispatch.c
++++ xwayland-24.1.4/dix/dispatch.c
+@@ -3106,6 +3106,10 @@ ProcFreeCursor(ClientPtr client)
+ rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
+ client, DixDestroyAccess);
+ if (rc == Success) {
++ if (pCursor == rootCursor) {
++ client->errorValue = stuff->id;
++ return BadCursor;
++ }
+ FreeResource(stuff->id, RT_NONE);
+ return Success;
+ }
diff --git a/U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch b/U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
new file mode 100644
index 0000000..d51fd16
--- /dev/null
+++ b/U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
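Review bot: The new `pCursor == rootCursor` branch in ProcFreeCursor() (dix/dispatch.c, in the CVE-2025-26594-0001 patch) carries no comment, so without the commit message it reads like an arbitrary special case that a later cleanup could remove. A one-line comment above the branch would record the reason, for example `/* rootCursor is also held through a global pointer; a client must never free it */`. ProcFreeCursor() starts and ends outside the hunk, so any other path that releases the cursor resource cannot be judged from here.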
@@ -0,0 +1,43 @@
+From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Wed, 4 Dec 2024 15:49:43 +1000
+Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
+
+CreateCursor returns a cursor with refcount 1 - that refcount is used by
+the resource system, any caller needs to call RefCursor to get their own
+reference. That happens correctly for normal cursors but for our
+rootCursor we keep a variable to the cursor despite not having a ref for
+ourselves.
+
+Fix this by reffing/unreffing the rootCursor to ensure our pointer is
+valid.
+
+Related to CVE-2025-26594, ZDI-CAN-25544
+
+Reviewed-by: Olivier Fourdan
+---
+ dix/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: xwayland-24.1.4/dix/main.c
+===================================================================
+--- xwayland-24.1.4.orig/dix/main.c
++++ xwayland-24.1.4/dix/main.c
+@@ -234,6 +234,8 @@ dix_main(int argc, char *argv[], char *e
+ FatalError("could not open default cursor font");
+ }
+
++ rootCursor = RefCursor(rootCursor);
++
+ #ifdef PANORAMIX
+ /*
+ * Consolidate window and colourmap information for each screen
+@@ -274,6 +276,8 @@ dix_main(int argc, char *argv[], char *e
+
+ Dispatch();
+
++ UnrefCursor(rootCursor);
++
+ UndisplayDevices();
+ DisableAllDevices();
+
diff --git a/U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch b/U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
new file mode 100644
index 0000000..be4a552
--- /dev/null
+++ b/U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
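Review bot: After `UnrefCursor(rootCursor);` in dix_main() (dix/main.c, second hunk of the CVE-2025-26594-0002 patch) the global still holds the pointer, although the server has just given up the reference that kept it valid. Whether the teardown that follows (`UndisplayDevices()`, `DisableAllDevices()` and whatever comes after the hunk) reads `rootCursor` is not visible here. If it does not, adding `rootCursor = NULL;` right after the unref would make the end of the pointer's lifetime explicit. A short comment on the `RefCursor()` line saying that this is the server's own reference, separate from the resource system's, would also help.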
@@ -0,0 +1,57 @@
+From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+CVE-2025-26595, ZDI-CAN-25545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ xkb/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+Index: xwayland-24.1.4/xkb/xkbtext.c
+===================================================================
+--- xwayland-24.1.4.orig/xkb/xkbtext.c
++++ xwayland-24.1.4/xkb/xkbtext.c
+@@ -174,14 +174,14 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+ if (format == XkbCFile)
+ len += 4;
+- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+- if (str != buf) {
+- if (format == XkbCFile)
+- *str++ = '|';
+- else
+- *str++ = '+';
+- len--;
+- }
++ if ((str - buf) + len > VMOD_BUFFER_SIZE)
++ continue; /* Skip */
++ if (str != buf) {
++ if (format == XkbCFile)
++ *str++ = '|';
++ else
++ *str++ = '+';
++ len--;
+ }
+ if (format == XkbCFile)
+ sprintf(str, "%sMask", tmp);
diff --git a/U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch b/U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
new file mode 100644
index 0000000..7e6871f
--- /dev/null
+++ b/U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
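Review bot: The write that follows the corrected bounds check in XkbVModMaskText() (xkb/xkbtext.c, CVE-2025-26595 patch) is still an unbounded `sprintf(str, "%sMask", tmp);`, so it stays safe only while the `len` arithmetic above it matches the format string byte for byte. Assuming `buf` is `VMOD_BUFFER_SIZE` bytes, as the check implies, passing the remaining space keeps the bound next to the write: `snprintf(str, VMOD_BUFFER_SIZE - (str - buf), "%sMask", tmp);`. The non-C-file branch lies outside the hunk and would need the same treatment. The bare `/* Skip */` on the `continue` also hides that a modifier name is silently left out of the result; `/* name does not fit: omit it rather than overflow buf */` says what happens.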
@@ -0,0 +1,41 @@
+From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Thu, 28 Nov 2024 11:49:34 +0100
+Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms
+
+The computation of the length in XkbSizeKeySyms() differs from what is
+actually written in XkbWriteKeySyms(), leading to a heap overflow.
+
+Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
+does.
+
+CVE-2025-26596, ZDI-CAN-25543
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ xkb/xkb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: xwayland-24.1.4/xkb/xkb.c
+===================================================================
+--- xwayland-24.1.4.orig/xkb/xkb.c
++++ xwayland-24.1.4/xkb/xkb.c
+@@ -1092,10 +1092,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMap
+ len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
+ symMap = &xkb->map->key_sym_map[rep->firstKeySym];
+ for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
+- if (symMap->offset != 0) {
+- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+- nSyms += nSymsThisKey;
+- }
++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
++ if (nSymsThisKey == 0)
++ continue;
++ nSyms += nSymsThisKey;
+ }
+ len += nSyms * 4;
+ rep->totalSyms = nSyms;
diff --git a/U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch b/U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
new file mode 100644
index 0000000..1d028b8
--- /dev/null
+++ b/U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
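Review bot: Nothing in the rewritten loop of XkbSizeKeySyms() (xkb/xkb.c, CVE-2025-26596 patch) says that it must count symbols exactly as XkbWriteKeySyms() writes them, although a mismatch between the two is what produced the heap overflow. The coupling lives only in the commit message, so a later edit to either function can reintroduce the size/write disagreement unnoticed. A comment above the loop would protect it, for example `/* must count exactly what XkbWriteKeySyms() emits; change both together */`. XkbWriteKeySyms() is not part of this hunk, so the match itself cannot be confirmed from here.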
@@ -0,0 +1,38 @@
+From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Thu, 28 Nov 2024 14:09:04 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
+
+If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
+key syms to 0 but leave the key actions unchanged.
+
+If later, the same function is called with a non-zero value for nGroups,
+this will cause a buffer overflow because the key actions are of the wrong
+size.
+
+To avoid the issue, make sure to resize both the key syms and key actions
+when nGroups is 0.
+
+CVE-2025-26597, ZDI-CAN-25683
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ xkb/XKBMisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: xwayland-24.1.4/xkb/XKBMisc.c
+===================================================================
+--- xwayland-24.1.4.orig/xkb/XKBMisc.c
++++ xwayland-24.1.4/xkb/XKBMisc.c
+@@ -552,6 +552,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
+ i = XkbSetNumGroups(i, 0);
+ xkb->map->key_sym_map[key].group_info = i;
+ XkbResizeKeySyms(xkb, key, 0);
++ XkbResizeKeyActions(xkb, key, 0);
+ return Success;
+ }
+
diff --git a/U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch b/U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
new file mode 100644
index 0000000..f09d0f1
--- /dev/null
+++ b/U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
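Review bot: The added `XkbResizeKeyActions(xkb, key, 0);` in XkbChangeTypesOfKey() (xkb/XKBMisc.c, CVE-2025-26597 patch) enforces an invariant that the code never states: a key's symbol and action arrays must always be resized together. A comment above the two calls would stop a later cleanup from dropping one of them, for example `/* syms and actions must shrink together, or a later non-zero nGroups call overruns the actions */`. Both resize calls discard their results. That looks harmless for a resize to zero, but the helpers are outside the hunk, so it is worth confirming that neither can fail in a way the caller should report.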
@@ -0,0 +1,112 @@
+From 0f5ea9d269ac6225bcb302a1ec0f58878114da9f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH xserver] Xi: Fix barrier device search
+
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+
+CVE-2025-26598, ZDI-CAN-25740
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+Index: xwayland-24.1.4/Xi/xibarriers.c
+===================================================================
+--- xwayland-24.1.4.orig/Xi/xibarriers.c
++++ xwayland-24.1.4/Xi/xibarriers.c
+@@ -129,14 +129,15 @@ static void FreePointerBarrierClient(str
+
+ static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
+ {
+- struct PointerBarrierDevice *pbd = NULL;
++ struct PointerBarrierDevice *p, *pbd = NULL;
+
+- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+- if (pbd->deviceid == deviceid)
++ xorg_list_for_each_entry(p, &c->per_device, entry) {
++ if (p->deviceid == deviceid) {
++ pbd = p;
+ break;
++ }
+ }
+
+- BUG_WARN(!pbd);
+ return pbd;
+ }
+
+@@ -337,6 +338,9 @@ barrier_find_nearest(BarrierScreenPtr cs
+ double distance;
+
+ pbd = GetBarrierDevice(c, dev->id);
++ if (!pbd)
++ continue;
++
+ if (pbd->seen)
+ continue;
+
+@@ -445,6 +449,9 @@ input_constrain_cursor(DeviceIntPtr dev,
+ nearest = &c->barrier;
+
+ pbd = GetBarrierDevice(c, master->id);
++ if (!pbd)
++ continue;
++
+ new_sequence = !pbd->hit;
+
+ pbd->seen = TRUE;
+@@ -485,6 +492,9 @@ input_constrain_cursor(DeviceIntPtr dev,
+ int flags = 0;
+
+ pbd = GetBarrierDevice(c, master->id);
++ if (!pbd)
++ continue;
++
+ pbd->seen = FALSE;
+ if (!pbd->hit)
+ continue;
+@@ -679,6 +689,9 @@ BarrierFreeBarrier(void *data, XID id)
+ continue;
+
+ pbd = GetBarrierDevice(c, dev->id);
++ if (!pbd)
++ continue;
++
+ if (!pbd->hit)
+ continue;
+
+@@ -738,6 +751,8 @@ static void remove_master_func(void *res
+ barrier = container_of(b, struct PointerBarrierClient, barrier);
+
+ pbd = GetBarrierDevice(barrier, *deviceid);
++ if (!pbd)
++ return;
+
+ if (pbd->hit) {
+ BarrierEvent ev = {
+@@ -903,6 +918,10 @@ ProcXIBarrierReleasePointer(ClientPtr cl
+ barrier = container_of(b, struct PointerBarrierClient, barrier);
+
+ pbd = GetBarrierDevice(barrier, dev->id);
++ if (!pbd) {
++ client->errorValue = dev->id;
++ return BadDevice;
++ }
+
+ if (pbd->barrier_event_id == event_id)
+ pbd->release_event_id = event_id;
diff --git a/U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch b/U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
new file mode 100644
index 0000000..e4ef9bf
--- /dev/null
+++ b/U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
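Review bot: GetBarrierDevice() (Xi/xibarriers.c, CVE-2025-26598 patch) can now return NULL, but that contract is not documented, and with `BUG_WARN(!pbd)` removed a missing per-device entry is skipped silently in five of the six callers. A header comment such as `/* Returns the per-device state for deviceid, or NULL if this barrier has none; callers must check. */` tells the next caller that the check is mandatory. Only ProcXIBarrierReleasePointer() reports the condition, through `BadDevice`; the `continue` and `return` paths leave no trace. If a missing entry indicates inconsistent barrier state rather than a normal case, a warning in those callers would keep it visible when debugging. All the callers' bodies extend beyond their hunks, so how each enclosing loop proceeds after `continue` cannot be checked here.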
@@ -0,0 +1,59 @@
+From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Tue, 17 Dec 2024 15:19:45 +0100
+Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in
+ compRedirectWindow()
+
+The function compCheckRedirect() may fail if it cannot allocate the
+backing pixmap.
+
+In that case, compRedirectWindow() will return a BadAlloc error.
+
+However that failure code path will shortcut the validation of the
+window tree marked just before, which leaves the validate data partly
+initialized.
+
+That causes a use of uninitialized pointer later.
+
+The fix is to not shortcut the call to compHandleMarkedWindows() even in
+the case of compCheckRedirect() returning an error.
+
+CVE-2025-26599, ZDI-CAN-25851
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Acked-by: Peter Hutterer
+---
+ composite/compalloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: xwayland-24.1.4/composite/compalloc.c
+===================================================================
+--- xwayland-24.1.4.orig/composite/compalloc.c
++++ xwayland-24.1.4/composite/compalloc.c
+@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, Wi
+ CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
+ WindowPtr pLayerWin;
+ Bool anyMarked = FALSE;
++ int status = Success;
+
+ if (pWin == cs->pOverlayWin) {
+ return Success;
+@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, Wi
+
+ if (!compCheckRedirect(pWin)) {
+ FreeResource(ccw->id, RT_NONE);
+- return BadAlloc;
++ status = BadAlloc;
+ }
+
+ if (anyMarked)
+ compHandleMarkedWindows(pWin, pLayerWin);
+
+- return Success;
++ return status;
+ }
+
+ void
diff --git a/U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch b/U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
new file mode 100644
index 0000000..c34bd3e
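Review bot: In compRedirectWindow() (composite/compalloc.c, CVE-2025-26599-0001 patch) the failure branch now deliberately falls through to `compHandleMarkedWindows(pWin, pLayerWin)`, and that ordering is the entire fix, yet the code does not say so. Someone tidying the function could easily restore the early `return BadAlloc;`. A comment inside the branch would pin it down, for example `/* do not return here: windows marked above must still be validated */`. The fall-through also runs after `FreeResource(ccw->id, RT_NONE)`. What that call tears down is outside the hunk, so it is worth confirming that `pWin` and `pLayerWin` are still in the state compHandleMarkedWindows() expects.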
--- /dev/null
+++ b/U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
@@ -0,0 +1,121 @@
+From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 13 Jan 2025 16:09:43 +0100
+Subject: [PATCH xserver 2/2] composite: initialize border clip even when
+ pixmap alloc fails
+
+If it fails to allocate the pixmap, the function compAllocPixmap() would
+return early and leave the borderClip region uninitialized, which may
+lead to the use of uninitialized value as reported by valgrind:
+
+ Conditional jump or move depends on uninitialised value(s)
+ at 0x4F9B33: compClipNotify (compwindow.c:317)
+ by 0x484FC9: miComputeClips (mivaltree.c:476)
+ by 0x48559A: miValidateTree (mivaltree.c:679)
+ by 0x4F0685: MapWindow (window.c:2693)
+ by 0x4A344A: ProcMapWindow (dispatch.c:922)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+ Uninitialised value was created by a heap allocation
+ at 0x4841866: malloc (vg_replace_malloc.c:446)
+ by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+ by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+ by 0x4EBB89: CreateWindow (window.c:925)
+ by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+ at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
+ by 0x4F9255: RegionTranslate (regionstr.h:312)
+ by 0x4F9B7E: compClipNotify (compwindow.c:319)
+ by 0x484FC9: miComputeClips (mivaltree.c:476)
+ by 0x48559A: miValidateTree (mivaltree.c:679)
+ by 0x4F0685: MapWindow (window.c:2693)
+ by 0x4A344A: ProcMapWindow (dispatch.c:922)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+ Uninitialised value was created by a heap allocation
+ at 0x4841866: malloc (vg_replace_malloc.c:446)
+ by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+ by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+ by 0x4EBB89: CreateWindow (window.c:925)
+ by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+ at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
+ by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
+ by 0x4F9255: RegionTranslate (regionstr.h:312)
+ by 0x4F9B7E: compClipNotify (compwindow.c:319)
+ by 0x484FC9: miComputeClips (mivaltree.c:476)
+ by 0x48559A: miValidateTree (mivaltree.c:679)
+ by 0x4F0685: MapWindow (window.c:2693)
+ by 0x4A344A: ProcMapWindow (dispatch.c:922)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+ Uninitialised value was created by a heap allocation
+ at 0x4841866: malloc (vg_replace_malloc.c:446)
+ by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+ by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+ by 0x4EBB89: CreateWindow (window.c:925)
+ by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+ by 0x4A25B5: Dispatch (dispatch.c:560)
+ by 0x4B082A: dix_main (main.c:282)
+ by 0x429233: main (stubmain.c:34)
+
+Fix compAllocPixmap() to initialize the border clip even if the creation
+of the backing pixmap has failed, to avoid depending later on
+uninitialized border clip values.
+
+Related to CVE-2025-26599, ZDI-CAN-25851
+
+Signed-off-by: Olivier Fourdan
+Acked-by: Peter Hutterer
+---
+ composite/compalloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+Index: xwayland-24.1.4/composite/compalloc.c
+===================================================================
+--- xwayland-24.1.4.orig/composite/compalloc.c
++++ xwayland-24.1.4/composite/compalloc.c
+@@ -606,9 +606,12 @@ compAllocPixmap(WindowPtr pWin)
+ int h = pWin->drawable.height + (bw << 1);
+ PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
+ CompWindowPtr cw = GetCompWindow(pWin);
++ Bool status;
+
+- if (!pPixmap)
+- return FALSE;
++ if (!pPixmap) {
++ status = FALSE;
++ goto out;
++ }
+ if (cw->update == CompositeRedirectAutomatic)
+ pWin->redirectDraw = RedirectDrawAutomatic;
+ else
+@@ -622,14 +625,16 @@ compAllocPixmap(WindowPtr pWin)
+ DamageRegister(&pWin->drawable, cw->damage);
+ cw->damageRegistered = TRUE;
+ }
++ status = TRUE;
+
++out:
+ /* Make sure our borderClip is up to date */
+ RegionUninit(&cw->borderClip);
+ RegionCopy(&cw->borderClip, &pWin->borderClip);
+ cw->borderClipX = pWin->drawable.x;
+ cw->borderClipY = pWin->drawable.y;
+
+- return TRUE;
++ return status;
+ }
+
+ void
diff --git a/U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch b/U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
new file mode 100644
index 0000000..59c6024
--- /dev/null
+++ b/U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
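Review bot: In compAllocPixmap() (composite/compalloc.c, CVE-2025-26599-0002 patch) `Bool status;` is declared without a value and is correct only because both paths to `out:` assign it, which a later `goto out` could easily get wrong. Declaring it as `Bool status = FALSE;` lets the failure branch shrink to `goto out;` and keeps the single `status = TRUE;` on the success path. The shared `out:` block also calls `RegionUninit(&cw->borderClip)` on the allocation-failure path. That is only sound if `cw->borderClip` was initialised when `cw` was created, which happens outside this hunk. The existing comment above that block could note that it now runs on failure as well.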
@@ -0,0 +1,61 @@
+From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on
+ removal
+
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+
+As a result, replaying the events will cause a use after free.
+
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+
+CVE-2025-26600, ZDI-CAN-25871
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+Index: xwayland-24.1.4/dix/devices.c
+===================================================================
+--- xwayland-24.1.4.orig/dix/devices.c
++++ xwayland-24.1.4/dix/devices.c
+@@ -981,6 +981,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+
+ }
+
++static void
++FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
++{
++ QdEventPtr qe, tmp;
++
++ if (!dev->deviceGrab.sync.frozen)
++ return;
++
++ /* Dequeue any frozen pending events */
++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
++ if (qe->device == dev) {
++ xorg_list_del(&qe->next);
++ free(qe);
++ }
++ }
++}
++
+ /**
+ * Close down a device and free all resources.
+ * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1045,6 +1062,7 @@ CloseDevice(DeviceIntPtr dev)
+ valuator_mask_free(&dev->last.touches[j].valuators);
+ free(dev->last.touches);
+ dev->config_info = NULL;
++ FreePendingFrozenDeviceEvents(dev);
+ dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+ free(dev);
+ }
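Review bot: The early return on `!dev->deviceGrab.sync.frozen` in the new FreePendingFrozenDeviceEvents() (dix/devices.c, CVE-2025-26600 patch) makes the cleanup depend on the `frozen` flag always agreeing with the contents of `syncEvents.pending`. If any path can leave an event for `dev` queued while the flag is clear, that entry outlives the `free(dev)` a few lines later in CloseDevice(), which is the same dangling-pointer condition the patch is closing. The loop already filters on `qe->device == dev`, so dropping the guard costs one walk of the list per device removal and removes the assumption. Whether such a state is reachable depends on freeze/thaw code outside this hunk. If the guard stays, a comment stating the invariant it relies on would help.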
diff --git a/U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch b/U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
new file mode 100644
index 0000000..9f53ea9
--- /dev/null
+++ b/U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
@@ -0,0 +1,66 @@
+From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 20 Jan 2025 16:52:01 +0100
+Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized
+
+When changing an alarm, the change mask values are evaluated one after
+the other, changing the trigger values as requested and eventually,
+SyncInitTrigger() is called.
+
+SyncInitTrigger() will evaluate the XSyncCACounter first and may free
+the existing sync object.
+
+Other changes are then evaluated and may trigger an error and an early
+return, not adding the new sync object.
+
+This can be used to cause a use after free when the alarm eventually
+triggers.
+
+To avoid the issue, delete the existing sync object as late as possible
+only once we are sure that no further error will cause an early exit.
+
+CVE-2025-26601, ZDI-CAN-25870
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ Xext/sync.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index b6417b3b0..4267d3af6 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ client->errorValue = syncObject;
+ return rc;
+ }
+- if (pSync != pTrigger->pSync) { /* new counter for trigger */
+- SyncDeleteTriggerFromSyncObject(pTrigger);
+- pTrigger->pSync = pSync;
+- newSyncObject = TRUE;
+- }
+ }
+
+ /* if system counter, ask it what the current value is */
+@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ }
+ }
+
++ if (changes & XSyncCACounter) {
++ if (pSync != pTrigger->pSync) { /* new counter for trigger */
++ SyncDeleteTriggerFromSyncObject(pTrigger);
++ pTrigger->pSync = pSync;
++ newSyncObject = TRUE;
++ }
++ }
++
+ /* we wait until we're sure there are no errors before registering
+ * a new counter on a trigger
+ */
+--
+2.48.1
+
diff --git a/U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch b/U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
new file mode 100644
index 0000000..67532d8
--- /dev/null
+++ b/U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
@@ -0,0 +1,80 @@
+From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 20 Jan 2025 16:54:30 +0100
+Subject: [PATCH xserver 2/4] sync: Check values before applying changes
+
+In SyncInitTrigger(), we would set the CheckTrigger function before
+validating the counter value.
+
+As a result, if the counter value overflowed, we would leave the
+function SyncInitTrigger() with the CheckTrigger applied but without
+updating the trigger object.
+
+To avoid that issue, move the portion of code checking for the trigger
+check value before updating the CheckTrigger function.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ Xext/sync.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 4267d3af6..4eab5a6ac 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ }
+ }
+
++ if (changes & (XSyncCAValueType | XSyncCAValue)) {
++ if (pTrigger->value_type == XSyncAbsolute)
++ pTrigger->test_value = pTrigger->wait_value;
++ else { /* relative */
++ Bool overflow;
++
++ if (pCounter == NULL)
++ return BadMatch;
++
++ overflow = checked_int64_add(&pTrigger->test_value,
++ pCounter->value, pTrigger->wait_value);
++ if (overflow) {
++ client->errorValue = pTrigger->wait_value >> 32;
++ return BadValue;
++ }
++ }
++ }
++
+ if (changes & XSyncCATestType) {
+
+ if (pSync && SYNC_FENCE == pSync->type) {
+@@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ }
+ }
+
+- if (changes & (XSyncCAValueType | XSyncCAValue)) {
+- if (pTrigger->value_type == XSyncAbsolute)
+- pTrigger->test_value = pTrigger->wait_value;
+- else { /* relative */
+- Bool overflow;
+-
+- if (pCounter == NULL)
+- return BadMatch;
+-
+- overflow = checked_int64_add(&pTrigger->test_value,
+- pCounter->value, pTrigger->wait_value);
+- if (overflow) {
+- client->errorValue = pTrigger->wait_value >> 32;
+- return BadValue;
+- }
+- }
+- }
+-
+ if (changes & XSyncCACounter) {
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
+ SyncDeleteTriggerFromSyncObject(pTrigger);
+--
+2.48.1
+
diff --git a/U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch b/U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
new file mode 100644
index 0000000..f3071e1
--- /dev/null
+++ b/U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
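Review bot: After the move in SyncInitTrigger() (Xext/sync.c, CVE-2025-26601-0002 patch), `pTrigger->test_value` is written before the `XSyncCATestType` block runs, so if that block can still return an error the trigger is left half-updated in the opposite order from before. Only the first lines of the test-type block are visible in the hunk, so whether it has a failing path should be confirmed against the full function. Computing into a local first, `int64_t test_value = pTrigger->test_value;` at the top, and assigning `pTrigger->test_value = test_value;` once every check has passed would make this function validate-then-apply throughout. That matters for any caller that passes the live trigger rather than a scratch copy.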
@@ -0,0 +1,47 @@
+From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 20 Jan 2025 17:06:07 +0100
+Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject()
+
+We do not want to return a failure at the very last step in
+SyncInitTrigger() after having all changes applied.
+
+SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
+allocation of the SyncTriggerList fails, trigger a FatalError() instead.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ Xext/sync.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 4eab5a6ac..c36de1a2e 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -200,8 +200,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
+ return Success;
+ }
+
+- if (!(pCur = malloc(sizeof(SyncTriggerList))))
+- return BadAlloc;
++ /* Failure is not an option, it's succeed or burst! */
++ pCur = XNFalloc(sizeof(SyncTriggerList));
+
+ pCur->pTrigger = pTrigger;
+ pCur->next = pTrigger->pSync->pTriglist;
+@@ -409,8 +409,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+ * a new counter on a trigger
+ */
+ if (newSyncObject) {
+- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
+- return rc;
++ SyncAddTriggerToSyncObject(pTrigger);
+ }
+ else if (pCounter && IsSystemCounter(pCounter)) {
+ SyncComputeBracketValues(pCounter);
+--
+2.48.1
+
diff --git a/U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch b/U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
new file mode 100644
index 0000000..7fd53f7
--- /dev/null
+++ b/U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
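Review bot: The new comment `/* Failure is not an option, it's succeed or burst! */` in SyncAddTriggerToSyncObject() (Xext/sync.c, CVE-2025-26601-0003 patch) does not explain why aborting the server is preferred to returning `BadAlloc`. The reason is security-relevant: by this point the caller has already detached the old sync object, so an error return would leave the trigger dangling. Something like `/* Must not fail: the caller has already committed the trigger changes, so abort on OOM rather than leave the trigger unregistered */` records that. The trade-off is that an allocation failure on this path now ends the whole server instead of one request, which deserves a mention next to the call. The function appears to keep its status return, although SyncInitTrigger() now ignores it. Its signature is outside the hunk, so check whether the remaining callers still test a result that can only be `Success`.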
@@ -0,0 +1,128 @@
+From f0984082067f79b45383fa1eb889c6a901667331 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 20 Jan 2025 17:10:31 +0100
+Subject: [PATCH xserver 4/4] sync: Apply changes last in
+ SyncChangeAlarmAttributes()
+
+SyncChangeAlarmAttributes() would apply the various changes while
+checking for errors.
+
+If one of the changes triggers an error, the changes for the trigger,
+counter or delta value would remain, possibly leading to inconsistent
+changes.
+
+Postpone the actual changes until we're sure nothing else can go wrong.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+---
+ Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index c36de1a2e..e282e6657 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -800,8 +800,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ int status;
+ XSyncCounter counter;
+ Mask origmask = mask;
++ SyncTrigger trigger;
++ Bool select_events_changed = FALSE;
++ Bool select_events_value;
++ int64_t delta;
+
+- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
++ trigger = pAlarm->trigger;
++ delta = pAlarm->delta;
++ counter = trigger.pSync ? 
trigger.pSync->id : None;
+
+ while (mask) {
+ int index2 = lowbit(mask);
+@@ -817,24 +823,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ case XSyncCAValueType:
+ mask &= ~XSyncCAValueType;
+ /* sanity check in SyncInitTrigger */
+- pAlarm->trigger.value_type = *values++;
++ trigger.value_type = *values++;
+ break;
+
+ case XSyncCAValue:
+ mask &= ~XSyncCAValue;
+- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+ values += 2;
+ break;
+
+ case XSyncCATestType:
+ mask &= ~XSyncCATestType;
+ /* sanity check in SyncInitTrigger */
+- pAlarm->trigger.test_type = *values++;
++ trigger.test_type = *values++;
+ break;
+
+ case XSyncCADelta:
+ mask &= ~XSyncCADelta;
+- pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
++ delta = ((int64_t)values[0] << 32) | values[1];
+ values += 2;
+ break;
+
+@@ -844,10 +850,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ client->errorValue = *values;
+ return BadValue;
+ }
+- status = SyncEventSelectForAlarm(pAlarm, client,
+- (Bool) (*values++));
+- if (status != Success)
+- return status;
++ select_events_value = (Bool) (*values++);
++ select_events_changed = TRUE;
+ break;
+
+ default:
+@@ -856,25 +860,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+ }
+ }
+
++ if (select_events_changed) {
++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
++ if (status != Success)
++ return status;
++ }
++
+ /* "If the test-type is PositiveComparison or PositiveTransition
+ * and delta is less than zero, or if the test-type is
+ * NegativeComparison or NegativeTransition and delta is
+ * greater than zero, a Match error is generated."
+ */
+ if (origmask & (XSyncCADelta | XSyncCATestType)) {
+- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
+- (pAlarm->trigger.test_type == XSyncPositiveTransition))
+- && pAlarm->delta < 0)
++ if ((((trigger.test_type == XSyncPositiveComparison) ||
++ (trigger.test_type == XSyncPositiveTransition))
++ && delta < 0)
+ ||
+- (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
+- (pAlarm->trigger.test_type == XSyncNegativeTransition))
+- && pAlarm->delta > 0)
++ (((trigger.test_type == XSyncNegativeComparison) ||
++ (trigger.test_type == XSyncNegativeTransition))
++ && delta > 0)
+ ) {
+ return BadMatch;
+ }
+ }
+
+ /* postpone this until now, when we're sure nothing else can go wrong */
++ pAlarm->delta = delta;
++ pAlarm->trigger = trigger;
+ if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
+ origmask & XSyncCAAllTrigger)) != Success)
+ return status;
+--
+2.48.1
+
diff --git a/xwayland-24.1.0.tar.xz b/xwayland-24.1.0.tar.xz
new file mode 100644
index 0000000..91cec6d
--- /dev/null
+++ b/xwayland-24.1.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bef21c4f18807a4ed571c4e2df60ab63b5466bbd502ecceb2485b892ab76dcc2
+size 1301180
diff --git a/xwayland-24.1.0.tar.xz.sig b/xwayland-24.1.0.tar.xz.sig
new file mode 100644
index 0000000..5b16fe5
Binary files /dev/null and b/xwayland-24.1.0.tar.xz.sig differ
diff --git a/xwayland-24.1.1.tar.xz b/xwayland-24.1.1.tar.xz
new file mode 100644
index 0000000..b5804b3
--- /dev/null
+++ b/xwayland-24.1.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7125bee0b10335805d7f5ba57dfaa359a7850af1a68524f1d97b362741a51832
+size 1301652
diff --git a/xwayland-24.1.1.tar.xz.sig b/xwayland-24.1.1.tar.xz.sig
new file mode 100644
index 0000000..dcfb07e
Binary files /dev/null and b/xwayland-24.1.1.tar.xz.sig differ
diff --git a/xwayland-24.1.3.tar.xz b/xwayland-24.1.3.tar.xz
new file mode 100644
index 0000000..9d34443
--- /dev/null
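Review bot: The new `if (select_events_changed)` block calls SyncEventSelectForAlarm() before the delta/test-type BadMatch check, so a request that is then rejected with BadMatch (or later by SyncInitTrigger()) still leaves the client's event selection changed, which is the partial-update pattern this patch sets out to remove. Moving that block below the BadMatch check, directly above `pAlarm->delta = delta;`, keeps that side effect behind every check that can be made without touching the alarm. Separately, `pAlarm->trigger = trigger;` is committed before SyncInitTrigger() runs, and the comments in the switch say value_type and test_type are sanity-checked there, so a failure at that point appears to leave the rejected values stored in the alarm; this should be confirmed against the rest of SyncInitTrigger(), which is outside these hunks. `select_events_value` is only read when `select_events_changed` is set, but declaring it as `Bool select_events_value = FALSE;` avoids a maybe-uninitialized warning and a stale read if the flag logic changes. SyncChangeAlarmAttributes() starts and ends outside the hunks shown.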
+++ b/xwayland-24.1.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcdb57a66cc9b124c8f936760592628ac4e744a7d7b3179aa86189ad7ea4cb10
+size 1302164
diff --git a/xwayland-24.1.3.tar.xz.sig b/xwayland-24.1.3.tar.xz.sig
new file mode 100644
index 0000000..f8868b9
Binary files /dev/null and b/xwayland-24.1.3.tar.xz.sig differ
diff --git a/xwayland-24.1.4.tar.xz b/xwayland-24.1.4.tar.xz
new file mode 100644
index 0000000..0f1013f
--- /dev/null
+++ b/xwayland-24.1.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d96a78dbab819f55750173444444995b5031ebdcc15b77afebbd8dbc02af34f4
+size 1302372
diff --git a/xwayland-24.1.4.tar.xz.sig b/xwayland-24.1.4.tar.xz.sig
new file mode 100644
index 0000000..373fbe8
Binary files /dev/null and b/xwayland-24.1.4.tar.xz.sig differ
diff --git a/xwayland-24.1.5.tar.xz b/xwayland-24.1.5.tar.xz
new file mode 100644
index 0000000..1e717e1
--- /dev/null
+++ b/xwayland-24.1.5.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb4bd170e6fa6b545ba0567be8f693d2eeccfc62d04c67037dd14f06daad361d
+size 1302484
diff --git a/xwayland-24.1.5.tar.xz.sig b/xwayland-24.1.5.tar.xz.sig
new file mode 100644
index 0000000..c8649fa
Binary files /dev/null and b/xwayland-24.1.5.tar.xz.sig differ
diff --git a/xwayland.changes b/xwayland.changes
new file mode 100644
index 0000000..52eda90
--- /dev/null
+++ b/xwayland.changes
@@ -0,0 +1,729 @@ +------------------------------------------------------------------- +Tue Feb 25 18:08:33 UTC 2025 - Stefan Dirsch + +- U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch + U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch + * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) +- U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch + * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) +- U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch + * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) +- U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch + * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) +- U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch + * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) +- U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch + U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch + * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) +- U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch + * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) +- U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch + U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch + U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch + U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch + * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) + +------------------------------------------------------------------- +Thu Feb 6 11:54:10 UTC 2025 - Stefan Dirsch + +- Update to 24.1.5 + * os: NextDPMSTimeout: mark intentional fallthroughs in switch + * Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL + * render: avoid NULL 
pointer dereference if PictureFindVisual returns NULL + * dix: fix button offset when generating DeviceButtonStateNotify events + * dix: limit checks to MAX_VALUATORS when generating Xi events + * dix-config.h: add HAVE_SOCKLEN_T definition + * xwayland: copy repeat settings from the compositor map + * xwayland: Don't run key behaviors and actions + * xwayland/glamor/gbm: Don't close fence_fd after xwl_glamor_wait_fence + * xwayland/present: Check allow_commits in xwl_present_flip + * xwayland/glamor: Drop expecting_event bailing from xwl_drm_handle_device + * xwayland: Always decrement expecting_event in xwl_output_create + * xwayland/glamor: Clean-up GBM's screen private on failure + * xwayland: Do not keep the cursor's pixmap around + * xkb: Always use MAP_LENGTH keymap size + * os/connection: Make sure partial is initialized + * xwayland/glamor: Disable GLAMOR after GBM cleanup + * glamor: return the result of gbm_format_for_depth + * glamor: use gbm_format_for_depth instead of open-coding it + * glamor: reject configs using unsupported rgbBits size + * xwayland: prevent potential null pointer dereference + +------------------------------------------------------------------- +Tue Oct 29 19:29:21 UTC 2024 - Stefan Dirsch + +- Security update 24.1.4 + This release addresses the following security issue + * CVE-2024-9632: Heap-based buffer overflow privilege escalation + in _XkbSetCompatMap (bsc#1231565) + +------------------------------------------------------------------- +Thu Oct 3 21:35:10 UTC 2024 - Stefan Dirsch + +- Update to bugfix release 24.1.3 + * dix: check for calloc() failure in Xi event conversion routines + * dix: PolyText: fully initialize local_closure + * dix: SetFontPath: don't set errorValue on Success + * dix: enterleave.c: fix implicit fallthrough warnings + * dix: CreateScratchGC: avoid dereference of pointer we just set to NULL + * dix: InitPredictableAccelerationScheme: avoid memory leak on failure + * dix: dixChangeWindowProperty: don't 
call memcpy if malloc failed + * dix: ProcListProperties: skip unneeded work if numProps is 0 + * dix: HashResourceID: use unsigned integers for bit shifting + * dix: GetPairedDevice: check if GetMaster returned NULL + * dix: FindBestPixel: fix implicit fallthrough warning + * CI: clone libdecor from fd.o instead of gnome.org + * CI: update libdecor from 0.1.0 to 0.1.1 + * Don't crash if the client argv or argv[0] is NULL. + * Return NULL in *cmdname if the client argv or argv[0] is NULL + * xwayland: connect to the wl display before calling into EGL + * xwayland: Report correct mode size when rootful + * build: Move epoll dependency check + * build: Add epoll to Xwayland for DragonFly and OpenBSD + * build: Fix DRI3 on DragonFly and OpenBSD + * os: Fix NULL pointer dereference + * dix: don't push the XKB state to a non-existing master keyboard + * Xi: when removing a master search for a disabled paired device + +------------------------------------------------------------------- +Tue Sep 24 11:24:48 UTC 2024 - Stefan Dirsch + +- added conflicts to patterns-wsl-tmpfiles as this patterns package + creates a symlink from /tmp/.X11-unix to /mnt/wslg/.X11-unix and + therefore prevents Xwayland from creating this needed directory + (bsc#1230755) + +------------------------------------------------------------------- +Sat Aug 24 20:14:05 UTC 2024 - Stefan Dirsch + +- Update to bugfix release 24.1.2 + * This release addresses several issues, including the first + events being skipped with input emulation using libEI or a fix + with rendering using the UYVY format with the X-Video extension + using GLAMOR. 
+ +------------------------------------------------------------------- +Thu Jul 11 13:46:12 UTC 2024 - Stefan Dirsch + +- added version specific requirements for dri3proto, presentproto + and wayland-protocols + +------------------------------------------------------------------- +Thu Jul 11 13:17:54 UTC 2024 - Stefan Dirsch + +- This supersedes the following patches + * U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch + * U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch + * U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch + * U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch + which fixed security issues + * CVE-2024-31080 (bsc#1222309) + * CVE-2024-31081 (bsc#1222310) + * CVE-2024-31083 (bsc#1222312) + and a regression due to a security fix for CVE-2024-31083 (bsc#1222312, + boo#1222442, gitlab xserver issue #1659) + +------------------------------------------------------------------- +Thu Jul 11 11:43:22 UTC 2024 - Stefan Dirsch + +- Update to bugfix release 24.1.1 for the current stable 24.1 + branch of Xwayland + * xwayland: fix segment fault in `xwl_glamor_gbm_init_main_dev` + * os: Explicitly include X11/Xmd.h for CARD32 definition to fix + building on i686 + * present: On *BSD, epoll-shim is needed to emulate eventfd() + * xwayland: Stop on first unmapped child + * xwayland/window-buffers: Promote xwl_window_buffer + * xwayland/window-buffers: Add xwl_window_buffer_release() + * xwayland/glamor/gbm: Copy explicit sync code to GLAMOR/GBM + * xwayland/window-buffers: Use synchronization from GLAMOR/GBM + * xwayland/window-buffers: Do not always set syncpnts + * xwayland/window-buffers: Move code to submit pixmaps + * xwayland/window-buffers: Set syncpnts for all pixmaps + * xwayland: Move xwl_window disposal to its own function + * xwayland: Make sure we do not leak xwl_window on destroy + * wayland/window-buffers: Move buffer disposal to its own function + * 
xwayland/window-buffers: optionally force disposal + * wayland: Force disposal of windows buffers for root on destroy + * xwayland: Check for pointer in xwl_seat_leave_ptr() + * xwayland: remove includedir from pkgconfig + +------------------------------------------------------------------- +Wed Jun 5 11:27:13 UTC 2024 - Stefan Dirsch + +- disable DPMS on sle15 due to missing proto package + +------------------------------------------------------------------- +Wed May 15 17:19:45 UTC 2024 - Stefan Dirsch + +- Update to feature release 24.1.0 + * This fixes a couple of regressions introduced in the previous release + candidate versions along with a fix for XTEST emulation with EI. + + xwayland: Send ei_device_frame on device_scroll_discrete + + xwayland: Restore the ResizeWindow handler + + xwayland: Handle rootful resize in ResizeWindow + + xwayland: Move XRandR emulation to the ResizeWindow hook + + xwayland: Use correct xwl_window lookup function in xwl_set_shape +- eglstreams has been dropped + +------------------------------------------------------------------- +Wed May 15 17:14:44 UTC 2024 - Stefan Dirsch + +- Update to bug fix relesae 23.2.7 + * m4: drop autoconf leftovers + * xwayland: Send ei_device_frame on device_scroll_discrete + * xwayland: Call drmFreeDevice for dma-buf default feedback + * xwayland: Use drmDevicesEqual in xwl_dmabuf_feedback_tranche_done + * dri3: Free formats in cache_formats_and_modifiers + * xwayland/glamor: Handle depth 15 in gbm_format_for_depth + * Revert "xwayland/glamor: Avoid implicit redirection with depth 32 parent windows" + * xwayland: Check for outputs before lease devices + * xwayland: Do not remove output on withdraw if leased + +------------------------------------------------------------------- +Tue Apr 9 13:30:07 UTC 2024 - Stefan Dirsch + +- Update to 23.2.6 + * This is a quick bug fix release to address a regression + introduced by the fix for CVE-2024-31083 in xwayland-23.2.5. 
+ +------------------------------------------------------------------- +Thu Apr 4 08:07:32 UTC 2024 - Stefan Dirsch + +- Security update 23.2.5 + This release contains the 3 security fixes that actually apply to + Xwayland reported in the security advisory of April 3rd 2024 + * CVE-2024-31080 + * CVE-2024-31081 + * CVE-2024-31083 + Additionally, it also contains a couple of other fixes, a copy/paste + error in the DeviceStateNotify event and a fix to enable buttons with + pointer gestures for backward compatibility with legacy X11 clients. + +------------------------------------------------------------------- +Thu Feb 15 17:13:03 UTC 2024 - Joan Torres + +- Don't provide xorg-x11-server-source + * xwayland sources are not meant for a generic server. + * https://github.com/TigerVNC/tigervnc/issues/1728 + +------------------------------------------------------------------- +Thu Feb 15 10:41:13 UTC 2024 - Joan Torres + +- Provide xorg-x11-server-source from xwayland + * xwayland will be more updated than xorg-x11-server, so the server sources + will be more updated too if are provided by xwayland. + * Fixes bsc#1219892. 
+ +------------------------------------------------------------------- +Wed Jan 17 10:20:50 UTC 2024 - Stefan Dirsch + +- This release contains also the following patches mentioned in + previous sle15 releases + * bsc1218582-0001-dix-allocate-enough-space-for-logical-button-maps.patch + * bsc1218583-0001-dix-Allocate-sufficient-xEvents-for-our-DeviceStateN.patch + * bsc1218583-0002-dix-fix-DeviceStateNotify-event-calculation.patch + * bsc1218583-0003-Xi-when-creating-a-new-ButtonClass-set-the-number-of.patch + * bsc1218584-0001-Xi-flush-hierarchy-events-after-adding-removing-mast.patch + * bsc1218585-0001-Xi-do-not-keep-linked-list-pointer-during-recursion.patch + * bsc1218585-0002-dix-when-disabling-a-master-float-disabled-slaved-de.patch + +------------------------------------------------------------------- +Tue Jan 16 21:03:25 UTC 2024 - Stefan Dirsch + +- This release contains also the missing fixes of initial + U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + (bsc#1217765) + +------------------------------------------------------------------- +Tue Jan 16 13:03:16 UTC 2024 - Stefan Dirsch + +- Update to version 23.2.4 + * This release contains fixes for the issues reported in today's + security advisory: + https://lists.x.org/archives/xorg/2024-January/061525.html + + * CVE-2023-6816 (bsc#1218582) + * CVE-2024-0229 (bsc#1218583) + * CVE-2024-21885 (bsc#1218584) + * CVE-2024-21886 (bsc#1218585) + * CVE-2024-0408 + * CVE-2024-0409 +- supersedes the patches mentioned below: + * U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + * U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch + +------------------------------------------------------------------- +Mon Dec 4 18:33:56 UTC 2023 - Stefan Dirsch + +- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, + ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) +- 
U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch + * Out-of-bounds memory read in RRChangeOutputProperty and + RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, + bsc#1217766) + +------------------------------------------------------------------- +Fri Nov 24 10:29:56 UTC 2023 - Stefan Dirsch + +- This release contains the following patches mentioned in previous + sle15 releases + * U_Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch: + fixes regression introduced with security update for + CVE-2022-46340 (bsc#1205874) + * U_bsc1216135-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch: + fix handling of PropModeAppend/Prepend ((CVE-2023-5367, ZDI-CAN-22153, + bsc#1216135) + * U_bsc1216261-0001-mi-fix-CloseScreen-initialization-order.patch, + U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch: + Server Damage Object Use-After-Free Local Privilege Escalation + Vulnerability (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261) + * U_bsc1216261-0003-dix-always-initialize-pScreen-CloseScreen.patch: + fixes a regresion, which can trigger a segfault in Xwayland on + exit, introduced by + U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch + (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261) + +------------------------------------------------------------------- +Wed Oct 25 10:39:17 UTC 2023 - Stefan Dirsch + +- Update to version 23.2.2 + * This release contains the fix for CVE-2023-5367 and CVE-2023-5574 + in today's security advisory: + https://lists.x.org/archives/xorg-announce/2023-October/003430.html + Xwayland does not support multiple protocol screens (Zaphod) and is thus + not affected by CVE-2023-5380. + * Additionally, there is a change in the default behaviour of Xwayland: + Since version 23.2.0 Xwayland (via liboeffis) automatically tries to + connect to the XDG Desktop Portal's RemoteDesktop interface to obtain + the EI socket. That socket is used to send XTest events to the + compositor. 
+ * However, the connection to the session-wide Portal is unsuitable when + Xwayland is running in a nested compositor. Xwayland cannot tell whether + it's running on a nested compositor and to keep backwards compatibility + with Xwayland prior to 23.2.0, Xwayland must now be started with + "-enable-ei-portal" to connect to the portal. + * Compositors (who typically spawn Xwayland rootless) must now pass this + option to get the same behaviour as 23.2.x. + * Finally, Xwayland now uses libbsd-overlay instead of libbsd. + +------------------------------------------------------------------- +Wed Sep 20 08:53:56 UTC 2023 - Stefan Dirsch + +- Update to version 23.2.1: + * glamor: Ignore destination alpha as necessary for composite operation + * xtest: Check whether there is a sendEventsProc to call +- supersedes xwayland-glamor-Ignore-destination-alpha-as-necessary-for-com.patch + +------------------------------------------------------------------- +Mon Sep 18 15:22:57 UTC 2023 - Joan Torres + +- xwayland-glamor-Ignore-destination-alpha-as-necessary-for-com.patch + * Fix when vncviewer fades to white on xwayland (bsc#1215385, + https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1154) + +------------------------------------------------------------------ +Sat Aug 26 04:14:45 UTC 2023 - Stefan Dirsch + +- enable libei and libdecor only for TW, since it does not exist + yet on sle15-sp5 + +------------------------------------------------------------------- +Thu Aug 17 08:39:53 UTC 2023 - Bjørn Lie + +- Update to version 23.2.0: + * Optional support for emulated input (EI) via the libei library, + support for the tearing control protocol, and the XWayland + rootful mode is now resizable with libdecor. +- Add pkgconfig(libei-1.0) BuildRequires, build new optional + emulated input support. +- Add pkgconfig(libdecor-0) BuildRequires, build optional CSD + support. 
+ +------------------------------------------------------------------- +Sat Jun 10 11:23:26 UTC 2023 - Stefan Dirsch + +- Update to version 23.1.2 + * This release includes improved DMA-BUF v4 feedback support for + direct scanout, relaxed CVT modes for non-standard modes, fixes + for the CHERI/Morello platform and other various fixes. + +------------------------------------------------------------------- +Sat Apr 1 11:35:04 UTC 2023 - Bjørn Lie + +- Update to version 23.1.1 (CVE-2023-1393): + + This release contains the fix for CVE-2023-1393. + + xkbUtils: use existing symbol names instead of deleted + deprecated ones + + glamor: Don't glFlush/ctx switch unless any work has been + performed + + xwayland: + - Refactor xwl_present_for_each_frame_callback helper + - Prevent nested xwl_present_for_each_frame_callback calls + + composite: Fix use-after-free of the COW +- Drop U_xserver-composite-Fix-use-after-free-of-the-COW.patch: + Fixed upstream. + +------------------------------------------------------------------- +Thu Mar 23 12:32:18 UTC 2023 - Stefan Dirsch + +- U_xserver-composite-Fix-use-after-free-of-the-COW.patch + * overlay window use-after-free (CVE-2023-1393, ZDI-CAN-19866, + bsc#1209543) + +------------------------------------------------------------------- +Wed Mar 22 17:57:02 UTC 2023 - Bjørn Lie + +- Update to version 23.1.0: + * test: Use either wayland-info or weston-info. +- Changes from version 23.1.0.rc2: + * A regression with keymaps which were not applied anymore. + * Various regressions with DRM format modifiers. +- Changes from version 23.1.0.rc1: + * Support for linux_dmabuf v4 protocol. + * Support for wl_pointer.axis_v120 (high-resolution scrolling). + * Support for xwayland_shell protocol. + * Improved "rootful" mode for using Xwayland as a nested Xserver. + * Improved emulated XRandR support exposing the output names. + * Support for byte-swapped clients is now disabled by default. 
+ +------------------------------------------------------------------- +Tue Feb 7 14:29:21 UTC 2023 - Stefan Dirsch + +- Update to version 22.1.8 + * This release contains the fix for CVE-2023-0494 in today's + security advisory: + https://lists.x.org/archives/xorg-announce/2023-February/003320.html + * It also fixes a second possible OOB access during EnqueueEvent. +- supersedes U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch + +------------------------------------------------------------------- +Thu Feb 2 15:39:06 UTC 2023 - Stefan Dirsch + +- improved summary and description +- added requires to xkeyboard-config +- added recommends to xorg-x11-fonts-core +- removed unused 'package' section + +------------------------------------------------------------------- +Wed Feb 1 10:06:15 UTC 2023 - Stefan Dirsch + +- U_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch + * DeepCopyPointerClasses use-after-free (CVE-2023-0494, + ZDI-CAN-19596, bsc#1207783) + +------------------------------------------------------------------- +Sat Dec 31 15:51:38 UTC 2022 - Stefan Dirsch + +- Update to version 22.1.7 + * This release fixes an invalid event type mask in + XTestSwapFakeInput which was inadvertently changed from octal + 0177 to hexadecimal 0x177 in the fix for CVE-2022-46340. + +------------------------------------------------------------------- +Thu Dec 15 15:15:47 UTC 2022 - Bjørn Lie + +- Update to version 22.1.6: + * Fixes CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, + CVE-2022-46343, CVE-2022-46344, CVE-2022-4283. 
+ * Xtest: disallow GenericEvents in XTestSwapFakeInput + * Xi: disallow passive grabs with a detail > 255 + * Xext: free the XvRTVideoNotify when turning off from the same + client + * Xext: free the screen saver resource when replacing it + * Xi: return an error from XI property changes if verification + failed + * Xi: avoid integer truncation in length check of + ProcXIChangeProperty + * xkb: reset the radio_groups pointer to NULL after freeing it +- Drop patches fixed upstream: + * U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch + * U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch + * U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch + * U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch + * U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch + * U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch + * U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch + +------------------------------------------------------------------- +Tue Dec 6 14:30:52 UTC 2022 - Stefan Dirsch + +- U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch + * XkbGetKbdByName use-after-free (ZDI-CAN-19530, CVE-2022-4283, + bsc#1206017) + +------------------------------------------------------------------- +Wed Nov 30 15:02:57 UTC 2022 - Stefan Dirsch + +- U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch + * Server XTestSwapFakeInput stack overflow (ZDI-CAN 19265, + CVE-2022-46340, bsc#1205874) +- U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch + * Xi: return an error from XI property changes if verification + failed (no ZDI-CAN id, no CVE id, bsc#1205875) +- U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch + * Server XIChangeProperty out-of-bounds access (ZDI-CAN 19405, + CVE-2022-46344, bsc#1205876) +- U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch + * Server XIPassiveUngrabDevice out-of-bounds access (ZDI-CAN 19381, + 
CVE-2022-46341, bsc#1205877) +- U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch + * Server ScreenSaverSetAttributes use-after-free (ZDI-CAN 19404, + CVE-2022-46343, bsc#1205878) +- U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch + * Server XvdiSelectVideoNotify use-after-free (ZDI-CAN 19400, + CVE-2022-46342, bsc#1205879) + +------------------------------------------------------------------- +Wed Nov 2 11:27:06 UTC 2022 - Stefan Dirsch + +- Update to version 22.1.5 + * This is a follow-up release to address a couple of regressions + which found their way into the recent xwayland-22.1.4 release, + namely: + + Double scroll wheel events with some Wayland compositors + https://gitlab.freedesktop.org/xorg/xserver/-/issues/1392 + + Key keeps repeating when a window is closed while a key is pressed + https://gitlab.freedesktop.org/xorg/xserver/-/issues/1395 +- supersedes U_Do-not-ignore-leave-events.patch + +------------------------------------------------------------------- +Mon Oct 24 13:50:22 UTC 2022 - Stefan Dirsch + +- U_Do-not-ignore-leave-events.patch + * fixes xwayland issue#1397, issue#1395 + +------------------------------------------------------------------- +Thu Oct 20 11:50:17 UTC 2022 - Stefan Dirsch + +- Update to version 22.1.4 + * xwayland: Aggregate scroll axis events to fix kinetic scrolling + * Forbid server grabs by non-WM on *rootless* XWayland + * xkb: Avoid length-check failure on empty strings. 
+ * ci: remove redundant slash in libxcvt repository url + * dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY + * dix: Fix overzealous caching of ResourceClientBits() + * xwayland: Prevent Xserver grabs with rootless + * xwayland: Delay wl_surface destruction + * build: Bump wayland requirement to 1.18 + * xwayland: set tag on our surfaces + * xwayland: Clear the "xwl-window" tag on unrealize + * xwayland: correct the type for the discrete scroll events + * xkb: fix some possible memleaks in XkbGetKbdByName + * xkb: length-check XkbGetKbdByName before accessing the fields + * xkb: length-check XkbListComponents before accessing the fields + * xkb: proof GetCountedString against request length attacks +- supersedes security patches: + * U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + * U_xkb-proof-GetCountedString-against-request-length-at.patch + +------------------------------------------------------------------- +Wed Oct 19 11:19:40 UTC 2022 - Stefan Dirsch + +- U_xkb-proof-GetCountedString-against-request-length-at.patch + * security update for CVE-2022-3550 (bsc#1204412) +- U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + * security update for CVE-2022-3551 (bsc#1204416) + +------------------------------------------------------------------- +Tue Jul 12 14:22:22 UTC 2022 - Stefan Dirsch + +- Update to version 22.1.3 + * os: print if unw_is_signal_frame() + * os: print registers in the libunwind version of xorg_backtrace() + * xwayland/present: Do not send two idle notify events for flip pixmaps + * xwayland: Fix check logic in sprite_check_lost_focus() + * xwayland: Change randr_output status when call xwl_output_remove() + * xkb: switch to array index loops to moving pointers + * xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck + * xkb: add request length validation for XkbSetGeometry + +------------------------------------------------------------------- +Wed May 25 10:03:50 UTC 2022 - Stefan Dirsch + +- Update to version 
22.1.2 + * randr: Add "RANDR Emulation" property + * xwayland/output: Set the "RANDR Emulation" property + * xwayland: Fix invalid pointer access in drm_lease_device_handle_released. + +------------------------------------------------------------------- +Thu Mar 31 09:21:36 UTC 2022 - Stefan Dirsch + +- Update to version 22.1.1 + * xwayland: Clear timer_armed in xwl_present_unrealize_window + * xwayland: Always hook up frame_callback_list in xwl_present_queue_vblank + * Xwayland: Do not map the COW by default when rootless + * xwayland/present: Fix use-after-free in xwl_unrealize_window() + +------------------------------------------------------------------- +Wed Feb 16 15:39:59 UTC 2022 - Stefan Dirsch + +- Update to version 22.1.0 + * xwayland: Fix cursor color + +------------------------------------------------------------------- +Thu Feb 3 04:48:43 UTC 2022 - Bjørn Lie + +- Update to version 22.0.99.902 + * render: Fix build with gcc 12 + +------------------------------------------------------------------- +Thu Jan 20 17:59:50 UTC 2022 - Bjørn Lie + +- Update to version 22.0.99.901 + * DRM lease support + * Enables sRGB fbconfigs in GLX + * Requires libxcvt + * Refactoring of the present code in Xwayland + * Implements support for touchpad gestures + * Support for xfixes's ClientDisconnectMode and optional + terminate delay +- Add pkgconfig(libxcvt) BuildRequires: New dependency. +- Add xwayland.keyring, use url for sources, validate sig. +- Move man pages from devel to main binary package. +- Enable LTO, no longer disable LTO via macro. 
+ +------------------------------------------------------------------- +Tue Dec 14 15:44:46 UTC 2021 - Stefan Dirsch + +- Update to version 21.1.4 + * Fixes for multiple input validation failures in X server extensions: + + CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access (boo#1193030) + + CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds access (boo#1190487) + + CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access (boo#1190488) + + CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access (boo#1190489) + * This release also includes other fixes such as: + + Store EGLcontext to avoid superfluous eglMakeCurrent() calls + + Prefer EGLStream with NVIDIA proprietary driver if both GBM and EGLstream are available + +------------------------------------------------------------------- +Mon Nov 8 11:45:16 UTC 2021 - Stefan Dirsch + +- Update to version 21.1.3 + * Most notable change is a fix for the GBM backend to work with + the Nvidia driver series 495. +- supersedes U_glamor-Fix-handling-of-1-bit-pixmaps.patch + +------------------------------------------------------------------- +Thu Oct 7 12:22:22 UTC 2021 - Joan Torres + +- Specfile cleanup + +------------------------------------------------------------------- +Tue Sep 28 16:22:32 UTC 2021 - Stefan Dirsch + +- U_glamor-Fix-handling-of-1-bit-pixmaps.patch + * glamor: Fix handling of 1-bit pixmaps; fixes e.g. 
issues with + gimp on Wayland (which needs Xwayland) (boo#1189310) + +------------------------------------------------------------------- +Mon Sep 27 11:56:41 UTC 2021 - Stefan Dirsch + +- covers jira#SLE/SLE-18653 + +------------------------------------------------------------------- +Thu Jul 15 18:24:01 UTC 2021 - Macie McKitrick + +- xwayland pc is required for S390x and S390 + +------------------------------------------------------------------- +Fri Jul 9 11:19:50 UTC 2021 - Stefan Dirsch + +- Update to version 21.1.2 + * The only change compared to the release candidate is a fix for + a long standing issue where Xwayland wouldn't send events to + notify clients of RandR configuration changes in some cases. + +------------------------------------------------------------------- +Thu Jul 1 10:16:22 UTC 2021 - Stefan Dirsch + +- Update to version 21.1.1.901 (21.1.2 RC1) + * It's a bit special, as most of the changes are not the usual + stable branch fixes material, but are needed for HW accelerated + direct rendering with the Nvidia 470 driver (which is currently + in open beta). + * changes are mostly specific to the EGLStream backend and do not + affect the GBM backend. And they make a big difference for users + of the EGLStream backend. 
+ * See + https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/thread/BBZVDNST67I2AQOCPSHKYAY6D5Z66JIP/ + for more information about testing the EGLStream changes +- enabled Wayland eglstreams (needs new packages egl-wayland and + eglexternalplatform) + +------------------------------------------------------------------- +Tue Apr 13 15:21:03 UTC 2021 - Stefan Dirsch + +- Update to version 21.1.1 + * Fix XChangeFeedbackControl() request underflow (CVE-2021-3472, + ZDI-CAN-1259, bsc#1180128) + +------------------------------------------------------------------- +Mon Apr 12 18:01:05 UTC 2021 - Tobias Klausmann + +- Additionally to not packing /usr/lib64/xorg/protocol.txt, delete it to fix + the build + +------------------------------------------------------------------- +Mon Apr 12 10:48:11 UTC 2021 - Callum Farmer + +- Make vendor name the same as xorg-x11-server + +------------------------------------------------------------------- +Mon Apr 12 09:22:12 UTC 2021 - Stefan Dirsch + +- removed conflicting /usr/lib64/xorg/protocol.txt (already in + xorg-x11-server package) + +------------------------------------------------------------------- +Wed Apr 7 08:55:57 UTC 2021 - Stefan Dirsch + +- added summary for -devel package +- some cleanup + +------------------------------------------------------------------- +Wed Mar 17 21:20:29 UTC 2021 - Tobias Klausmann + +- Update to version 21.1.0: + * meson: Make sure XKM_OUTPUT_DIR has a trailing slash + * xwayland: Fix LeaveNotify for relative pointer +- Highlights compared to xserver 1.20.10: + * Xwayland's XVideo support (via glamor) now supports NV12 + * glamor can now accelerate some more RENDER extension formats + * Xwayland's GLX provider now uses the EGL implementation instead of Mesa's + swrast_dri.so directly + * Xwayland can now use the wp_viewport Wayland protocol for up-scaling of + fullscreen applications setting lower resolutions via the RandR / + XFree86-VidModeExtension extensions + * 
Xwayland now alternates between multiple buffers for all Wayland surfaces, + making it less of a special case compared to other Wayland clients + * Xwayland can now use memfd_create for creating buffers shared with the + Wayland compositor when glamor hardware acceleration is disabled + * Xwayland has better support for clients using relative mouse input and + keyboard grabs + * An Xwayland.1 manpage is now installed + * Xwayland now supports -listenfd, -version and -verbose command line options + * Xwayland now installs an xwayland.pc file which helps discovering the path + of the installed Xwayland binary and the features it supports + * Only meson is supported for building + * Only Xwayland and Xvfb can be built, only Xwayland can be installed + +------------------------------------------------------------------- +Thu Mar 4 09:49:25 UTC 2021 - Stefan Dirsch + +- update to 21.0.99.902 + * second release candidate for the standalone Xwayland 21.1.0 release + * meson.build: Keep the protocol version looking like xserver 1.20.x did + * xwayland: Delay cursor visibility update + +------------------------------------------------------------------- +Fri Feb 26 10:25:41 UTC 2021 - Stefan Dirsch + +- added Buildrequires to pkgconfig(glproto) and pkgconfig(gl) to + fix build on Leap + +------------------------------------------------------------------- +Fri Feb 19 13:22:04 UTC 2021 - Tobias Klausmann + +- Initial stand-alone Xwayland package version 21.0.99.901 (boo#1182677) diff --git a/xwayland.keyring b/xwayland.keyring new file mode 100644 index 0000000..f511049 --- /dev/null +++ b/xwayland.keyring 
@@ -0,0 +1,204 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQGiBEab+moRBACDH5yKqS3wcc5bdxY7PBNuwKvF5TKMfagmSvuRDtZjjIIWaA/n +Z1KboV9Gq5g7kP7+Kfu+Qgd8u65eVsWwmPW10fXvj3aCU53glx2EdGdrHcgiyH2g +EQfPiyBw+trIppWFRV0IDXSLMA1FNC92t2nSG/VFHaPTVwcgkIRSfcXDvwCglGdE +a6f4uLqoNHP+m4yYnzapFuMD/R4+2AJDAvEWKDdYCGZzlawjAmmWyXrmT7/C/mx9 +8qUR473l4buXjHgDkkXXlHqdzil1vK85PhrKzNJDCCmlHUJNz+QwiAMOLwpD+kwV +Pb57RG7y+a5JQ5+jtVw4RlUxZIk/wj2An9YBO3A5vR7PdjM32ZJCN2+aM4dYfNzQ +xQKTA/47icvBaBVTl9rztjg2pd2Aqpc1P/GsIYLGj7XjnnJvGAENBHSH1QjpZMJG +CTS9oJ+B0/wrIr+pA+MdFgYAb6ojMQJOO6UChjWWSGjMFcs/CeXhxlLBido3DtAE +TbNTwO6OEfAvdosvTdhJFnwvZlJ+zZGGy5CrF2Fd9PUe9tmASbQoQWxhbiBDb29w +ZXJzbWl0aCA8YWxhbmNAZnJlZWRlc2t0b3Aub3JnPohiBBMRAgAiBQJPZ87eAhsD +BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCi+54IHy0TDmYGAJ0TBfcvF8FT +J7K00QUWb1W/6BcoaACfUWshKQ/r565KDCAa+KpqYB9W4zqIaAQTEQIAKAIbAwYL +CQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlF50WIFCRRD2HgACgkQovueCB8tEw6J +8QCgj3AIFzaI7ro1IOVqour9EQRVUlIAoIKtUrFRHavTQ1r175HhsjWgYr0itCtB +bGFuIENvb3BlcnNtaXRoIDxhbGFuLmNvb3BlcnNtaXRoQHN1bi5jb20+iGAEExEC +ACAFAkab+moCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCi+54IHy0TDvaZ +AJ9vEM9IPD/YHXSL9F+CkoT9pX8IFwCgjQ5xtceXkbTGVZdOicZ222mV9MmIZgQT +EQIAJgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJRedFiBQkUQ9h4AAoJEKL7 +nggfLRMO6sUAn0jl3h9rY4OJ13Lu7nsKclyhDpOqAKCFgTmaDGRuDRxloLg9jftr +n7a7vrQuQWxhbiBDb29wZXJzbWl0aCA8YWxhbi5jb29wZXJzbWl0aEBvcmFjbGUu +Y29tPohlBBMRAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCT2fPgQIZ +AQAKCRCi+54IHy0TDrxZAJ4ucO4mWDBUEnPni/KikswECcSSQgCeM0sYiNPOo7o6 +I20jWb+MpeVttA2IawQTEQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC +GQEFAlF50WIFCRRD2HgACgkQovueCB8tEw7QWQCfSIFVTaBSD0Y07DY3EhWi857g +0SYAnAv1oFd9diK8UkPD0QMhIKM0gfSnuQINBEab+m8QCACaeWlJYaOa1IaUuopO +7KbAEBT0bsnDyjDbtCeBdL/zqD89PObKFfMrS4+B6ghpNmWpodY0oJYmcLpPZu1e +1oMcfpwSWsKVg1/3iizmxK3w8EOHXzhb421y0DJjZ0DWlBiFizz95fBrgThzKutA +bvkz4Ietu71J7S+UREBEKk1yM1gulNdELA25S8CL3TlUnRhecZfzdZsl80ir67Gc +FraBXPBvb/YXAo4bTdbJvW+zo3OdYmV73HrXLz8uUQOgFFt8hBMWnnVHS57yBfbI 
+xWCHyVhVWIdgIGr5xq3unxfjVdr9838d8EU+x/f/5uGCA2CZoGYMkHHF3oE8HxgS +Kt6LAAMGB/9RYjFDDBEuSJc9pw6iHfgwlhAgFOsILyBUXF62VsQ8Qfma55kwl6AA +9MXnaXzpER6fF01XP/TFPsEPpWUcdjkOjCVtFxrhbx5veCmRf/B81gNgIe1OJ9Pt +7C6ZOs1nHmats2TRdMlU48A/fPsTStUPbD/GjinbYPMjB94YrCkeq3Vvpn1+atEP +BqJdoWbBR/6siIZz84Vw5J7jofBOYjJM63o1V1BJ/vmM49t14z+fUjmy851ZMsSP +pASPar1RD3xQQ8m4x1qi3IEXAqVwM44sxIvv3d9Yg2thKyR1eEeNqG3nBaoj56A7 +Yl9yIj+8/X5sTOGlj2WUar6vtYbecJJ/iEkEGBECAAkFAkab+m8CGwwACgkQovue +CB8tEw6C6ACgh2EacP138hLp8NWC/7jGc5e/KiEAnRVXFzW6g/N6lYVuC8u4cgy/ +KNGiuQINBFF51SEBEACh6YzpmNOep9LbGaFvauXoLDHJebSgvLopq4TtOZ56vuf+ +tP2HnQvvlfXPW/9/1+ztvC8gZALQYA9MSWUg0NA4U8ygKegM40LQbyOvLopxsMUo +0/qEKTzMaoQNSNJM6BAwnRKlfh7FTgBHWwIv7T/W23Uw88FXPDFg64mpgVKnOd0W +9NDH38veN+VIE0uIAITMADYcul2ZjjAYSEzs8RSVBA0wybS2xNG9Yz0UEuzR0IGp +NYp5rrzzHN8ALqBHEgkrdcbqW2LAaFzoyucAv3hNSyHWaEcltjpE9eNA6g2fM30S +A/OtIZ4q52IG9PUzzbY/d6bnVAFLek/frXCzeP68YcRzsLHuuihhzuG0Na2epn3K +OkmHfVetHC+oQtnjHnMsWZYjLte5Y+xF/JcVB/qJiIB3OxxqMlEelflgetHMVo+b +9Oc3Xi3mdmiwXDxYcZXwxEpvH+Hs3SUg0tUGZgtD+Yd0SX4YX5nQa/JB86+9ddQ9 +fzu9QL9VVeRcifWMVEsaeCD7syuyW24FR3AOj716w81lLJZmYDwA6Sh+IU5hvzXQ +qoRF3Ln72OrOcjZLAfF90Xjb7kksnxp0c95L7citF8wuykV9j6riyOgPCiaax8GR +qhAdTQxvG9ommJ4ITo8nyGBFUBd5xn2gcL+JawjxKGUlGivH/zUGYzVPDUMk5wAR +AQABiQJtBBgRCgAPBQJRedUhAhsCBQkJZgGAAikJEKL7nggfLRMOwV0gBBkBCgAG +BQJRedUhAAoJEM/fFIgoxkKn1uYP/3TnSR7dt3HTMs+VQA2hO7vi9BPnl/RrRxeC +euPXl7LoufRLWx4dp13RoXeUqkPBQ4vRghCmkOEt9Z/2ASxAQpI+0dCDIpFtqO/P +ycQ6LwfPmi+tOoYJmnzVcdWiLISIJa5fF5bt7I3gLxuPFumI3S9pn6yAx4yFcDmb +DIoWzib0k+kN7qR3Z5ow7TORwkJiOTRFw1mI+iGboSZ56w1sDbMmFeCj6FAcQHKi +MgnmW1bLLllpxz11/FWr1avfL6Vcp3xsxmKSWw49fQv7rTIyhiOXXL21WrnAO1/6 +JLca8UukgQ4biGgBPeGR5W8an8h3xEyPy2tmfwCwwLWHYSUdoEpEx8ikltUKmJbp +Unwf/5Z52uOJpk7kTjWwzYG9BRkr7bATGfNIhw6j4FH0utJMQnxa7Ehn0xVPl+EA +M6U7VCRHK/ieB1Cw3jH8DoIIVX5isRV1n7nfMQ2gl7ssC07VYDAmaeD+zAMriZWs +bBU7vnNVZcveIK5OFDLQCyzKgl0qLAOPdIC00nYNx0sMbdkPyyXcuNu2SDL4xlyK +7p7PFPzpi/XVYFrt2yR7C+vEpMfE7Ot6kzfUFzPzwfvFcDmguzyfoOreNA5Xjpnb 
+EvHDd9cn+SgfK7C+Lp+LtcqzCX6Z0m5TzLucCYt5I6APg3eWRasfZ04uMAY31WBg +j7JXqufSvJEAmMdQp5WXKut9CE8vXQf2hwkK8toAmwcGdkbH/ZK9OUvLi4ZcFt70 +Ur0b +=xH1V +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQGiBD8b0wYRBACph9kRJmP+4+JGsCgFlFoy4vFO0DCG+jmkQN0n1wdInt/N/UtA +sZToO72AUmfmYizA+IEbzBrx0UnUo3w3BDmHxUWf/akZiPUz9AA/YFY4xC3MY2OK +VN2Jz6YSce4zJ5jd2ZRobHm4HuIf/8yqSCcsv7FNfrLaTNIFRs5gYYsqZwCgwmkp +RSLRc8WAnHrTWNQDaEFM2rUEAKTjrTjMN8+KGd0BxNX7HiTSqQP++nXNwAYs1oWB +Yt82YHj9SvRCqCzD1pzJQivYnlNoWDza1VeMnfdAvkdia8z4lYbO/RunXZJvra3Z +VDm+izq+uwUAyvFuEYnNz09VSqwXKT6+XW0Xtz2vHq52r6DS6mK8cGJHZ5OhrRjq +UEYxA/9STh+QfA98xtNoRcf52E/46r7IpCj440oRVc9lMfxQZrLGQNqp7sPdIhGQ +CCo2NUII5hkhdAG71kpbfSXU4Sh32p1cU1KYCAkDFfb49bKuAs+Pff8v6FGZxTdd +AinPZr4BbsYJatk818aTCnu0+s7L8jL5GPfeyuyEMKwzVBx2mLQpUGV0ZXIgSHV0 +dGVyZXIgKFdoby1UKSA8b2ZmaWNlQHdoby10Lm5ldD6IRgQQEQIABgUCPyZd9AAK +CRAxKkm802WJtQJ2AKCuZPqsSxFtrHh3vMLXpzmF1Gk1DgCgrV7f+A9NpkYzPiQK +nyzX3kb53jqIRgQQEQIABgUCQApO8gAKCRAkkHkTqLdyOKXuAJ0awetW7KLequ5w +bRIYcbDukt9QsgCffAvxsB3YXORG9PnYx3Qd2WKiFdGIRgQQEQIABgUCQAyMfAAK +CRAtURMMV/bnvdD+AJ9AuFu4uEHlqANyLjE6F+0lNfqHzACffl/TTo26T6ikwSFi +puniCtS/w2yIRgQQEQIABgUCQMQJ8wAKCRAE3Uhrsk4s930xAJ0UM2jRbfkUWDjj +tHA5qiNk5ku6qwCfScSgkLm+EKfI7OzFAOopa5LSsUeIRgQSEQIABgUCQAZZYwAK +CRCml0fm7Bs4OS+4AJwPAdK0RFqk0FxdcOZgEIiSevhIMQCggAt1F4+PDq01u/JT +1LaLH6vcj/aIRgQSEQIABgUCQAqJ+QAKCRDCsHn89cdSVpcoAJ4wXtsKP0ka9wNC ++VWa1+Ssw9h3SgCgkqOhRS26Svc7rgJZ0aHa53052tKIRgQSEQIABgUCQAtDqQAK +CRA8Y8o/oLPoiz5BAKCLW6zgmroiQKB5EaI6MKTpEn6y+wCdH8edOA5rdiiNoDXx +fdrp5L2O2MSIRgQSEQIABgUCQAyNrQAKCRBa6RlsHeXyaRdXAKCLuL5caS8d4WQN +EFRMTl5TC9WJTwCgrTpj50y5Rn2bkIDrolpv1t6t+EiIRgQSEQIABgUCQBIOZwAK +CRAtQ2Ay0CIa0nYQAJ9qIKrAqXld5i165D1OOfI3Hot2iACgjctJVT1bZTLCxJcg +bih2T+zbD9uIRgQSEQIABgUCQBOxCgAKCRCFMAOu3onHXFlxAJsGvLGKec9gqG1e +At2pgqtrn4SkrQCgx35W3kGyCYGXG/L7dXNtPPNa3KaIRgQSEQIABgUCQBXjHQAK +CRAiGMgejnwD/w12AKCHLLO3eqqwGhWLX0ys7T7pXWnRVwCfSaMs8XlfauaHLqbw 
+OcGvrJPBhxaIRgQSEQIABgUCQBicOgAKCRAESetNaTUTh9f7AJ975KGrbE+BV2+v +tEx6olIiXHELpACfVGbarcF4y5V6EadqfEQC8WtVhjiIRgQSEQIABgUCQBpGxAAK +CRCXWuW+Ha5Wc7EmAKDB9tFRgz6Xrmf6g5XBIGsYHMSnNACeJYeTx+tihse4/NdZ +1xGU12oSAciIRgQSEQIABgUCQFgq4AAKCRAhuVdcp9kWAi2hAKDM5u/Lo6nReFxQ +IjKihaP9Dkb7KwCgotUNmV6q6AgS21YTbxg814NsZrCIRgQSEQIABgUCQG7LZQAK +CRDXKjXRa5G1hCK1AJ9OSoVUdmXDXCWj3SlLgZ/ObrFUvACfWtPXyc7ArMkMgoU3 +IL032k8EbzqIRgQTEQIABgUCP48vGgAKCRDmAsqjSEK1tMDMAJ4wp27dGYjNSyj2 ++zkJW6UdwZx+twCeNxJWbJKZR8YHVE+ERbuMU2OEiteIRgQTEQIABgUCQAdFDgAK +CRBFiyjaLHHWPQSVAJsEnIgJBd+7XVFND548g2ncnOuPOQCfdVpEvfOvznAy268n +ZqmA80vByNaIRgQTEQIABgUCQAfi1QAKCRCgLNqfPQi2EoXBAJ0W8qvDZucBtxHJ +VU66i6jZVCgwoACeOD4rT2m6YIaXpLYA/cJbeyGSX1+IRgQTEQIABgUCQAkaIAAK +CRBW37Z3LhW4WYUJAJ0YuCLIMNen+e+6xtvOjv6mF4xc5QCfWNoh5S1mpJ2rWMSP +p1UUxp297B2IRgQTEQIABgUCQAokuwAKCRCsqWuZ/t48LvT8AJsG1rRRDGy2e+xt +/8ocU5qPjDJ5rACdEqDWq+8/27LUgABsMbVVf26/7EiIRgQTEQIABgUCQAvQnQAK +CRDmix3Su/HM73sAAJ4vVmW+ObH01UlLhAIJlcovzSdF4QCgo+0l8Bm3BBSpoASx +SZszYCwdNOWIRgQTEQIABgUCQAxijwAKCRCOYuf3ZAEai2NXAKCIVWAYHuPZeG7h +VTNk2fuRhRGb7wCdFiJSWeil9zWos7Rc+l1t4zvYOFuIRgQTEQIABgUCQAygMQAK +CRDIHVGzO6c6LIbqAKCpOZtcX0wcPMH4c2vHO7Ik+6dwyQCguEyhow+uQ8AxXdZP +UniXG2gLX1+IRgQTEQIABgUCQA9MUAAKCRA51HTjafHvV+KvAKCQ0eaNlJyEjoVX +iTVNUiyE/4WMdACgote5Zj2Twi7NeXlAa+WPkD2181eIRgQTEQIABgUCQBGzbwAK +CRCKZ3GcLegns1xXAJ9fPVeWE/sFtnEkxOJcYjnR6ZBkQQCcDOL5vd6Y46qDXjBS +dY7k1ox9mvqIRgQTEQIABgUCQBG0XgAKCRCAxpglEI9gu0zsAJ0VXhPVAGF66tH+ +bhRosfmerGPbkwCgl8JhboLh8tJjfIu+rqkZSCeRcUmIRgQTEQIABgUCQBSC6QAK +CRB274zoh7HPtVW0AKCo2a+Qq1tWJgQ8oiUs7Wo0fnE3bACdHzCo+N5FSYU/UvOA +y6NSb38TNc6IRgQTEQIABgUCQBryTQAKCRAo/LxS51BlLskwAJ9OskVyG+jAetJ6 +s1IuAm0ckrG2nQCfeCYYz+SmmsryPYw1XDl/pHdqISGIRgQTEQIABgUCQJfQUQAK +CRAWD6xZgnKioa/yAKCvzwPgnZzoPjPpjAKtcyyz8lxpzACgsfmfDOF47FMfVKWP +jEKz1eReEAqIRgQTEQIABgUCQN/TNQAKCRAXW4/hvruTP73FAJ9OJqXWuSx8KtBo +f4PFwfnTUXPQYgCgghRvm7XpfKuqRnvHSnYU+Bt5f9eIRgQTEQIABgUCQaJalwAK +CRBCnwFbCWxN06enAJ9kdhO8NBTqflkRAg7moXMRqew/GwCdFeghO7RA5Bsfpcm3 
+6Ln0VNkiT6OIWQQTEQIAGQUCPxvTBgQLBwMCAxUCAwMWAgECHgECF4AACgkQ4jt+ +cLRn8L/0RACfWo3KTMUg+uPRqA6RXxk04CWjXaMAoJeIxOpZLB3RBltPnSi7PyVQ +IkHFiJwEEgECAAYFAkAGO40ACgkQfjFQpnY76QFI3wP+P/M6i5NEBqdkr+CpIK5L +KfHB8KBYYSXMfs/8woYhiyRgqVmmdwkbnv/9KEZocVTqu24R6BxGfPw7zD+lvD8l +9+TTrq9OhU+zAfsjBQdgY35NGET5aWOB25bq/1sLFOxzUqe5jXT2OWt1t/kVzLtK +rka9tJSqJTVetGDLZ4giUtOJARwEEwECAAYFAkAsk4MACgkQnvi/HyptydItOwf/ +VWKWqU3Ap9N5ihKseK2ljFi704zLpOXEEZzb1bzuPdOe7BDSSbktBiQ5XDl7krDZ +2y3XhObstIC3cli0sxf6DTPNji/9ouHqORuvyOSILLzlG60N67w3NJ9vbvpIzNWc +XddyWOA/Boj0+XTgCrb3PodQ/CicKCVXceo78BvFfGwpAf7rdKIK/RvomKgN1/qn +rhWCDFLdY785zT5qSFykwBW6IBalyzafJkeTKTH5OF6eTTlX7r9LWTYfl/eqbsTi +h6o+KbSzm1IcSDEv0P2SHWKP6XLVxCE4qqG1sN8qTJh2+104p21NfWCIZBGhKpCE +vG9X2uFJpQ8dP7/OfV7dNbkBDQQ/G9MIEAQAk56jmDlmFUfDtQ+9yep23QHmQm16 +1JMlyLsqgTnSpl/9ECZkrO1n7GvoT3w4Y+motBrNgvEIP9D85POm+KfQy5H9DOkW +mI1LQiQaUufca7Fep8+sWc0GuEUXX9WCZsNrYmtTDF88W8EFNmyqWBJvDbBmgVET +BndNhL7DDdsCNrsAAwUD/3vTI1a//OVw8wJVATfB8GFubM08j/GVXEDqjpjXm5E1 +hi75D6wXV5sac61o8T6JTtVnFkI1C9Gzf623ann0+uYlRyRyWf3KU7YBpQj4S+SU +wOdJbXdCNdwgAWFixZrMKJ1xEv+rXIJX+K69za4trDq2OR4ID4qRMzqOb3SjqMP6 +iEYEGBECAAYFAj8b0wgACgkQ4jt+cLRn8L+vIwCgg7y9oJK4NeDX1e6zXNOeytZy +9hoAnigKVkYBlc2jpAKdD+bULpWgw+sz +=Q/D0 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: Hostname: pgp.surf.nl +Version: Hockeypuck 2.1.2 + +xsDiBERd0h4RBACflXMwRMuZ/gICB7oM/SwnYMoDeRVaZHYT2RtI6iaNQpovoMas +fbLX31icweQm9sMLQJR/bNABpp28Fs1S4yNt9SwAProigexyWl3fFE3uqoVRmglZ +uQdyXl7nnPC7A3hxHPX88tsZS4UlLFRssTjNnrzzhSR3xyyIlOJnmG5pJwCg/yaH +DECRtdWm9gIJZwfM6S+ANYUD/0s6FPCIdbDqCzNcMH7YZID+JjBOU3VlRdXfzGmx +Iy2aPBpC9pkb0EUEL94QZ5Ysa1EGNnNUPq8dQWOr/NllCt2/l0HDLGoziBCpBTvG +ZNnFaJoErG0kmCH2u0w9VmKKSBq6C0sI8rFW1JthKc/bu6ucBKKbpi4sFYAMyZHn +sNbzA/9VYevyns5TmZeR7t+x8YRj6xZxWVNGm20gnBBhHVnq/EGIn4a/YN1NLFNc +4EuarFnzl0w6L1IQHanM+ajBJgzL4oSYCufhTSXgA2utrpIRtKkRW9JH6zt3J5hk +W8oIcEsY3YRKQ3iVKS3Kz8PgSwezNewFT6o3Juu//95O5qSm8s0iT2xpdmllciBG 
+b3VyZGFuIDxmb3VyZGFuQHhmY2Uub3JnPsJ6BBMRAgA6AhsjBgsJCAcDAgQVAggD +BBYCAwECHgECF4ACGQEWIQRn3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jggAKCRAU +cG2+HktFQMAMAJ4kmAtOA9YEazO+1TNxEvEDZbEDSwCfUVR27NAtNegGOMO7piF1 +KrurTenCaQQTEQIAKQIbIwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQkaVB3SBQJG +o8t0AhkBAAoJEBRwbb4eS0VANIcAn39YcAnhLnB1pIRQDuBIiIhhFMScAKDZYHMB +1WIaknrKZSOnjwKBHw2nOcJjBBMRAgAjBQJEXdIeBQkJZgGABgsJCAcDAgQVAggD +BBYCAwECHgECF4AACgkQFHBtvh5LRUDz7ACgmLpkFGTjcUGnzXnjIw071JQi0HQA +nisMFnp0kBQIqdv2lufZ9YxXZhD3wkYEEBECAAYFAkRm8GUACgkQLXYbC37EqKxO +LQCeNE+A668Qj5DB2vmibAV5rn4pMhwAnjgUS/l03Ckfq7jCx1jc3DxSh9UQwkYE +EBECAAYFAkUMKvkACgkQRR//0/1eDw85jgCfXsyjpqetxwwoyc6LVAdvAhljhF8A +nAgKOMp8LG6DDrhRomp4kjv0SHegzSNPbGl2aWVyIEZvdXJkYW4gPGZvdXJkYW5A +Z21haWwuY29tPsJ3BBMRAgA3AhsjBgsJCAcDAgQVAggDBBYCAwECHgECF4AWIQRn +3IbyYj/F/Uu1Il0UcG2+HktFQAUCXx7jgwAKCRAUcG2+HktFQJ5GAJ9yYpsMZ5oW +I8Kv1qGf0MlRRZgxTACeL0BZ4Ni2nm5Exuv2CJxeT/KpcJ3CZgQTEQIAJgIbIwYL +CQgHAwIEFQIIAwQWAgMBAh4BAheABQJGo8tYBQkaVB3SAAoJEBRwbb4eS0VAhKgA +n3Js4UVMHITK3bgpcECV6xfuoEiUAKCZa2BJbdnOgbAlcbSScRGpI8MMPMJmBBMR +AgAmBQJGo8gKAhsjBQkJZgGABgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQFHBt +vh5LRUBydACfba08blV5kvAdN/mSKD1NgAHsiIcAoPbpCWW3IUiZ/1T9v8YTuDbt +LWkLzSVPbGl2aWVyIEZvdXJkYW4gPG9mb3VyZGFuQHJlZGhhdC5jb20+wncEExEC +ADcCGyMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgBYhBGfchvJiP8X9S7UiXRRwbb4e +S0VABQJfHuODAAoJEBRwbb4eS0VAwOoAn1jPsEMWv/z9pqvw2We5FDLbi0ncAJ9W +bA5E1fHh8m31NdSyFy2tXt8wfcJmBBMRAgAmAhsjBgsJCAcDAgQVAggDBBYCAwEC +HgECF4AFAkajy1gFCRpUHdIACgkQFHBtvh5LRUCnMwCg3qt90PZGBCjwC+RXRQH1 ++RznWzEAoKydVzIVeRC2vkGIRUx+k5jX333owmYEExECACYFAkajyDkCGyMFCQlm +AYAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAUcG2+HktFQAsZAKCa9lmgwpkL +zUpX4caWZi/L8KSK8ACePisjM/gv90AVd+0Br0G98yhLD9LOwU0ERF3SSRAIAI0c +lctVOjdLUtE1ZRYS7Reu/oXSPns8duS4CLHmknF3kgn8uN6L6fptwFzh3yizCMGv +Td4YA4/NimzsQxXmar9fDRg/VHEPsaHrWanE3VPMxBoRyPtnNeQtQXrRb8XCZllo +GvmYQ/CZ8N9IaUq/Q8bbpqyr+dJy/gy+gc0aCxPdZhghxvOKrcJZg7zks52cQegz +Tne6rjU0o/eTeySkWgboL4RaLQndUVX7LJ1UgL3mxr30fgv6JxmN8YkD6lSbb8+i 
+vXhHX8LNuY8wmX+tCIrlm+20hpWtLEyB3HSnqgyC7Y1v0ZPYmQaRm1AQcafikFml +9CieH9DaV6avfPQLkgsAAwUH/2BX9xYtFY85fSKP7Kz0ClcCHpuweIkmTbPWDT91 +HQmf2dRbzI88CV3ZzawJMJHHL1Nua7CGNX1Z+cFJz4QTkyAOXXNlbHaVRXF2Epnw +FfjF5UM/D5j3YiUhXoam1LKz8/VRw3ZDDdc349jKPJEWNEmqs9NeGhSC2YsL2TsO +BaBzWPvRXS1otPCaKOTuDa9h2T8om2SEvqvJjd0jdC0o4khJ8zsYtE3vZBXbyfdf +cn5ktWedyEt6lcRMI04bvu2+j6B68GwtVDNr/RHaDPd+UkbZSHwiRoxGkRUQttYv +Lh/NrtLo8a6NQFWAePMM8nU2P7n6AcRf357nqbwnQWJ/TyvCXQQYEQIAHRYhBGfc +hvJiP8X9S7UiXRRwbb4eS0VABQJfHuPcAAoJEBRwbb4eS0VAnL4Anim4vNYyrDc8 +NTdS3mgWGtdXVjWdAKCjUhzkN3uCaYNJR6h0Y1thYuPEJMJMBBgRAgAMBQJGo8tj +BQkaVB2nAAoJEBRwbb4eS0VA5e0AoO/nFK4k4fsAgsLMs02kk3plifoAAJ4iK85P +2PawnJlnupv80Q8b7w2UVcJMBBgRAgAMBQJEXdJJBQkJZgGAAAoJEBRwbb4eS0VA +ugQAoOlJ2NPM8mRqRCA2ZKXPqz7TGm64AKCTLcYRDmqX4aZcgK4yRBbe8GXhDA== +=rEW/ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/xwayland.spec b/xwayland.spec new file mode 100644 index 0000000..970c7aa --- /dev/null +++ b/xwayland.spec 
@@ -0,0 +1,201 @@
+#
+# spec file for package xwayland
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
+Name: xwayland
+Version: 24.1.5
+Release: 0
+URL: http://xorg.freedesktop.org
+Summary: Xwayland Xserver
+License: MIT
+Group: System/X11/Servers/XF86_4
+Source0: %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
+Source1: %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
+Source2: xwayland.keyring
+Patch1237451: U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
+Patch1237452: U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
+Patch1237453: U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
+Patch1237454: U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
+Patch1237455: U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
+Patch1237456: U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
+Patch1237457: U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
+Patch1237458: U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
+Patch1237459: U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
+Patch1237460: U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
+Patch1237461: U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
+Patch1237462: U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
+Patch1237463: U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
+BuildRequires: meson
+BuildRequires: ninja
+BuildRequires: pkgconfig
+BuildRequires: rendercheck
+BuildRequires: pkgconfig(bigreqsproto)
+BuildRequires: pkgconfig(compositeproto)
+BuildRequires: pkgconfig(damageproto)
+BuildRequires: pkgconfig(dri)
+BuildRequires: pkgconfig(dri3proto) >= 1.4
+BuildRequires: pkgconfig(epoxy)
+BuildRequires: pkgconfig(fixesproto)
+BuildRequires: pkgconfig(fontsproto)
+BuildRequires: pkgconfig(fontutil)
+BuildRequires: pkgconfig(gbm)
+BuildRequires: pkgconfig(gl)
+BuildRequires: pkgconfig(glproto)
+BuildRequires: pkgconfig(inputproto) >= 2.3.99.1
+BuildRequires: pkgconfig(kbproto)
+BuildRequires: pkgconfig(libbsd)
+%if 0%{?suse_version} >= 1550
+BuildRequires: pkgconfig(libdecor-0)
+%endif
+BuildRequires: pkgconfig(libdrm) >= 2.4.109
+%if 0%{?suse_version} >= 1550
+BuildRequires: pkgconfig(libei-1.0)
+%endif
+BuildRequires: pkgconfig(libtirpc)
+BuildRequires: pkgconfig(libxcvt)
+BuildRequires: pkgconfig(openssl)
+BuildRequires: pkgconfig(pixman-1)
+BuildRequires: pkgconfig(presentproto) >= 1.4
+BuildRequires: pkgconfig(randrproto)
+BuildRequires: pkgconfig(recordproto)
+BuildRequires: pkgconfig(renderproto)
+BuildRequires: pkgconfig(resourceproto)
+BuildRequires: pkgconfig(scrnsaverproto)
+BuildRequires: pkgconfig(videoproto)
+BuildRequires: pkgconfig(wayland-client) >= 1.21.0
+BuildRequires: pkgconfig(wayland-protocols) >= 1.34
+BuildRequires: pkgconfig(xau)
+BuildRequires: pkgconfig(xcb)
+BuildRequires: pkgconfig(xcb-damage)
+BuildRequires: pkgconfig(xcb-sync)
+BuildRequires: pkgconfig(xcb-xinput)
+BuildRequires: pkgconfig(xcmiscproto)
+BuildRequires: pkgconfig(xdmcp)
+BuildRequires: pkgconfig(xextproto)
+BuildRequires: pkgconfig(xf86bigfontproto)
+BuildRequires: pkgconfig(xf86vidmodeproto)
+BuildRequires: pkgconfig(xfont2)
+BuildRequires: pkgconfig(xineramaproto)
+BuildRequires: pkgconfig(xkbcomp)
+BuildRequires: pkgconfig(xkbfile)
+BuildRequires: pkgconfig(xproto)
+BuildRequires: pkgconfig(xshmfence)
+BuildRequires: pkgconfig(xtrans)
+
+%ifnarch s390 s390x
+Requires(pre): %fillup_prereq
+%endif
+Requires: pkgconfig
+Requires: xkbcomp
+Requires: xkeyboard-config
+Recommends: xorg-x11-fonts-core
+%ifnarch s390 s390x
+Requires: libpixman-1-0
+%endif
+Obsoletes: xorg-x11-server-wayland < %{version}
+Provides: xorg-x11-server-wayland = %{version}
+Conflicts: patterns-wsl-tmpfiles
+
+%description
+This package contains the Xserver running on the Wayland Display Server.
+
+%package devel
+Summary: Development files for Xwayland
+Group: System/Libraries
+Requires: %{name}
+Requires: c_compiler
+Requires: meson
+Requires: pkgconfig(libdrm)
+Requires: pkgconfig(xau)
+Requires: pkgconfig(xdmcp)
+Requires: pkgconfig(xkbfile)
+Requires: pkgconfig(xtrans)
+Requires: pkgconfig(xv)
+
+%description devel
+This package contains the Xwayland Server development files.
+
+%prep
+%autosetup -p1
+
+%build
+%{meson} \
+ -Dglamor=true \
+ -Dxvfb=true \
+ -Dglx=true \
+ -Dxdmcp=true \
+ -Dxdm-auth-1=true \
+ -Dsecure-rpc=true \
+ -Dipv6=true \
+ -Dinput_thread=true \
+ -Dvendor_name="SUSE LINUX" \
+ -Dvendor_name_short="openSUSE" \
+ -Dvendor_web="https://www.opensuse.org" \
+ -Dlisten_tcp=false \
+ -Dlisten_unix=true \
+ -Dlisten_local=true \
+%if 0%{?suse_version} < 1550
+ -Ddpms=false \
+%endif
+ -Dxf86bigfont=true \
+ -Dscreensaver=true \
+ -Dxres=true \
+ -Dxace=true \
+ -Dxselinux=false \
+ -Dxinerama=true \
+ -Dxcsecurity=true \
+ -Dxv=true \
+ -Dmitshm=true \
+ -Dsha1=libcrypto \
+ -Ddri3=true \
+ -Dxwayland-path="%{_bindir}" \
+ -Ddtrace=false \
+ -Dlibunwind=false \
+ -Dxkb_dir="/usr/share/X11/xkb" \
+ -Dxkb_output_dir="/var/lib/xkb/compiled" \
+ -Ddefault_font_path="/usr/share/fonts/misc:unscaled,\
+/usr/share/fonts/Type1/,/usr/share/fonts/100dpi:unscaled,\
+/usr/share/fonts/75dpi:unscaled,/usr/share/fonts/ghostscript/,\
+/usr/share/fonts/cyrillic:unscaled,\
+/usr/share/fonts/misc/sgi:unscaled,\
+/usr/share/fonts/truetype/,built-ins" \
+ %{nil}
+
+%{meson_build}
+
+%install
+%{meson_install}
+# Let xorg-x11-server provide the Xserver manual
+rm -f %{buildroot}%{_mandir}/man1/Xserver.1
+# Provided by xorg-x11-server
+rm -f %{buildroot}%{_libdir}/xorg/protocol.txt
+
+%files
+%{_bindir}/Xwayland
+%{_mandir}/man1/Xwayland.1%{ext_man}
+%{_datadir}/applications/org.freedesktop.Xwayland.desktop
+
+%files devel
+%{_libdir}/pkgconfig/*.pc
+%dir %{_libdir}/xorg
+
+%changelog
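Review bot: `URL: http://xorg.freedesktop.org` is plain HTTP, and because `Source0` and `Source1` are both built from `%{url}`, the tarball and its detached `.sig` are fetched over the same unauthenticated channel. That leaves the signature check against `Source2: xwayland.keyring` as the only integrity control on the upstream source, and nothing in the visible `%prep` (`%autosetup -p1`) performs it, so it presumably runs in the build service's source validation rather than in the spec. I would change the line to `URL: https://xorg.freedesktop.org` and add a comment above `Source2`, for example `# trust anchor for Source1; update only from fingerprints confirmed out of band`. The keyring file holds several armored key blocks and a signature from any of them would be accepted, so naming the expected release signer in that comment is worth the extra line.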