Accepting request 1030894 from X11:XOrg

- U_Do-not-ignore-leave-events.patch
  * fixes xwayland issue#1397, issue#1395

- Update to version 22.1.4
  * xwayland: Aggregate scroll axis events to fix kinetic scrolling
  * Forbid server grabs by non-WM on *rootless* XWayland
  * xkb: Avoid length-check failure on empty strings.
  * ci: remove redundant slash in libxcvt repository url
  * dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY
  * dix: Fix overzealous caching of ResourceClientBits()
  * xwayland: Prevent Xserver grabs with rootless
  * xwayland: Delay wl_surface destruction
  * build: Bump wayland requirement to 1.18
  * xwayland: set tag on our surfaces
  * xwayland: Clear the "xwl-window" tag on unrealize
  * xwayland: correct the type for the discrete scroll events
  * xkb: fix some possible memleaks in XkbGetKbdByName
  * xkb: length-check XkbGetKbdByName before accessing the fields
  * xkb: length-check XkbListComponents before accessing the fields
  * xkb: proof GetCountedString against request length attacks
- supersedes security patches:
  * U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
  * U_xkb-proof-GetCountedString-against-request-length-at.patch

OBS-URL: https://build.opensuse.org/request/show/1030894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=15

U_Do-not-ignore-leave-events.patch

@@ -0,0 +1,48 @@
+From bd39c17e2398f82910978ed55ac772c67d8f940a Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 24 Oct 2022 09:24:01 +0200
+Subject: [PATCH] xwayland/input: Do not ignore leave events
+
+Commit 8a5f3ddb2 ("set tag on our surface") introduced the use of tags
+to differentiate our own surfaces, and commit a1d14aa8c ("Clear the
+"xwl-window" tag on unrealize") removed the tags before the surfaces are
+actually destroyed.
+
+Xwayland would then rely on these tags on the surface to decide whether
+to ignore or to process the Wayland event in various places.
+
+However, in doing so, it also checked for the tag on keyboard leave
+events.
+
+As a result, if the keyboard leave events is received after the X11
+window is unrealized, keyboard_handle_leave() would not queue the
+LeaveNotify events for the DIX to proceed, and the key repeat would
+kick in and repeat the key event indefinitely.
+
+To avoid the issue, process events regardless of the tag as before
+in keyboard_handle_leave().
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Fixes: 8a5f3ddb2 - "xwayland: set tag on our surface"
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1395
+---
+ hw/xwayland/xwayland-input.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/hw/xwayland/xwayland-input.c b/hw/xwayland/xwayland-input.c
+index 240eb0139..9eda1ef71 100644
+--- a/hw/xwayland/xwayland-input.c
++++ b/hw/xwayland/xwayland-input.c
+@@ -1147,9 +1147,6 @@ keyboard_handle_leave(void *data, struct wl_keyboard *keyboard,
+     struct xwl_seat *xwl_seat = data;
+     uint32_t *k;
+ 
+-    if (surface != NULL && !is_surface_from_xwl_window(surface))
+-        return;
+-
+     xwl_seat->xwl_screen->serial = serial;
+ 
+     wl_array_for_each(k, &xwl_seat->keys)
+-- 
+GitLab
+

U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch

@@ -1,56 +0,0 @@
-From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Wed, 13 Jul 2022 11:23:09 +1000
-Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
-
-GetComponentByName returns an allocated string, so let's free that if we
-fail somewhere.
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- xkb/xkb.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-Index: xwayland-22.1.3/xkb/xkb.c
-===================================================================
---- xwayland-22.1.3.orig/xkb/xkb.c
-+++ xwayland-22.1.3/xkb/xkb.c
-@@ -5941,18 +5941,32 @@ ProcXkbGetKbdByName(ClientPtr client)
-     xkb = dev->key->xkbInfo->desc;
-     status = Success;
-     str = (unsigned char *) &stuff[1];
--    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
--        return BadMatch;
-+    {
-+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
-+        if (keymap) {
-+            free(keymap);
-+            return BadMatch;
-+        }
-+    }
-     names.keycodes = GetComponentSpec(&str, TRUE, &status);
-     names.types = GetComponentSpec(&str, TRUE, &status);
-     names.compat = GetComponentSpec(&str, TRUE, &status);
-     names.symbols = GetComponentSpec(&str, TRUE, &status);
-     names.geometry = GetComponentSpec(&str, TRUE, &status);
--    if (status != Success)
-+    if (status == Success) {
-+        len = str - ((unsigned char *) stuff);
-+        if ((XkbPaddedSize(len) / 4) != stuff->length)
-+            status = BadLength;
-+    }
-+
-+    if (status != Success) {
-+        free(names.keycodes);
-+        free(names.types);
-+        free(names.compat);
-+        free(names.symbols);
-+        free(names.geometry);
-         return status;
--    len = str - ((unsigned char *) stuff);
--    if ((XkbPaddedSize(len) / 4) != stuff->length)
--        return BadLength;
-+    }
- 
-     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
-     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);

U_xkb-proof-GetCountedString-against-request-length-at.patch

@@ -1,31 +0,0 @@
-From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 5 Jul 2022 12:06:20 +1000
-Subject: [PATCH] xkb: proof GetCountedString against request length attacks
-
-GetCountedString did a check for the whole string to be within the
-request buffer but not for the initial 2 bytes that contain the length
-field. A swapped client could send a malformed request to trigger a
-swaps() on those bytes, writing into random memory.
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- xkb/xkb.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-Index: xwayland-22.1.3/xkb/xkb.c
-===================================================================
---- xwayland-22.1.3.orig/xkb/xkb.c
-+++ xwayland-22.1.3/xkb/xkb.c
-@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, Cli
-     CARD16 len;
- 
-     wire = *wire_inout;
-+
-+    if (client->req_len <
-+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
-+        return BadValue;
-+
-     len = *(CARD16 *) wire;
-     if (client->swapped) {
-         swaps(&len);

xwayland-22.1.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a712eb7bce32cd934df36814b5dd046aa670899c16fe98f2afb003578f86a1c5
-size 1272440

xwayland-22.1.4.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5c39bdd77444c3fa7a0e2ef317ae69ddde89a901dc8914dbc8eac39a9313512a
+size 1273552

xwayland.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Mon Oct 24 13:50:22 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
+
+- U_Do-not-ignore-leave-events.patch
+  * fixes xwayland issue#1397, issue#1395
+
+-------------------------------------------------------------------
+Thu Oct 20 11:50:17 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
+
+- Update to version 22.1.4
+  * xwayland: Aggregate scroll axis events to fix kinetic scrolling
+  * Forbid server grabs by non-WM on *rootless* XWayland
+  * xkb: Avoid length-check failure on empty strings.
+  * ci: remove redundant slash in libxcvt repository url
+  * dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY
+  * dix: Fix overzealous caching of ResourceClientBits()
+  * xwayland: Prevent Xserver grabs with rootless
+  * xwayland: Delay wl_surface destruction
+  * build: Bump wayland requirement to 1.18
+  * xwayland: set tag on our surfaces
+  * xwayland: Clear the "xwl-window" tag on unrealize
+  * xwayland: correct the type for the discrete scroll events
+  * xkb: fix some possible memleaks in XkbGetKbdByName
+  * xkb: length-check XkbGetKbdByName before accessing the fields
+  * xkb: length-check XkbListComponents before accessing the fields
+  * xkb: proof GetCountedString against request length attacks
+- supersedes security patches:
+  * U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+  * U_xkb-proof-GetCountedString-against-request-length-at.patch
+
 -------------------------------------------------------------------
 Wed Oct 19 11:19:40 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
 

xwayland.spec

@@ -24,7 +24,7 @@
 %endif
 
 Name:           xwayland
-Version:        22.1.3
+Version:        22.1.4
 Release:        0
 URL:            http://xorg.freedesktop.org/
 Summary:        X
@@ -33,8 +33,7 @@ Group:          System/X11/Servers/XF86_4
 Source0:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz
 Source1:        %{url}/archive/individual/xserver/%{name}-%{version}.tar.xz.sig
 Source2:        xwayland.keyring
-Patch1204412:   U_xkb-proof-GetCountedString-against-request-length-at.patch
-Patch1204416:   U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
+Patch0:         U_Do-not-ignore-leave-events.patch
 BuildRequires:  meson
 BuildRequires:  ninja
 BuildRequires:  pkgconfig