- This release contains the following patches mentioned in previous
sle15 releases
* U_Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch:
fixes regression introduced with security update for
CVE-2022-46340 (bsc#1205874)
* U_bsc1216135-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch:
fix handling of PropModeAppend/Prepend ((CVE-2023-5367, ZDI-CAN-22153,
bsc#1216135)
* U_bsc1216261-0001-mi-fix-CloseScreen-initialization-order.patch,
U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch:
Server Damage Object Use-After-Free Local Privilege Escalation
Vulnerability (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)
* U_bsc1216261-0003-dix-always-initialize-pScreen-CloseScreen.patch:
fixes a regresion, which can trigger a segfault in Xwayland on
exit, introduced by
U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch
(CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)
OBS-URL: https://build.opensuse.org/request/show/1128531
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=26
sle15 releases
* U_Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch:
fixes regression introduced with security update for
CVE-2022-46340 (bsc#1205874)
* U_bsc1216135-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch:
fix handling of PropModeAppend/Prepend ((CVE-2023-5367, ZDI-CAN-22153,
bsc#1216135)
* U_bsc1216261-0001-mi-fix-CloseScreen-initialization-order.patch,
U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch:
Server Damage Object Use-After-Free Local Privilege Escalation
Vulnerability (CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)
* U_bsc1216261-0003-dix-always-initialize-pScreen-CloseScreen.patch:
fixes a regresion, which can trigger a segfault in Xwayland on
exit, introduced by
U_bsc1216261-0002-fb-properly-wrap-unwrap-CloseScreen.patch
(CVE-2023-5574, ZDI-CAN-21213, bsc#1216261)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=63
- Update to version 23.2.2
* This release contains the fix for CVE-2023-5367 and CVE-2023-5574
in today's security advisory:
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
Xwayland does not support multiple protocol screens (Zaphod) and is thus
not affected by CVE-2023-5380.
* Additionally, there is a change in the default behaviour of Xwayland:
Since version 23.2.0 Xwayland (via liboeffis) automatically tries to
connect to the XDG Desktop Portal's RemoteDesktop interface to obtain
the EI socket. That socket is used to send XTest events to the
compositor.
* However, the connection to the session-wide Portal is unsuitable when
Xwayland is running in a nested compositor. Xwayland cannot tell whether
it's running on a nested compositor and to keep backwards compatibility
with Xwayland prior to 23.2.0, Xwayland must now be started with
"-enable-ei-portal" to connect to the portal.
* Compositors (who typically spawn Xwayland rootless) must now pass this
option to get the same behaviour as 23.2.x.
* Finally, Xwayland now uses libbsd-overlay instead of libbsd.
OBS-URL: https://build.opensuse.org/request/show/1120261
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=25
* This release contains the fix for CVE-2023-5367 in today's security
advisory: https://lists.x.org/archives/xorg-announce/2023-October/003430.html
Xwayland does not support multiple protocol screens (Zaphod) and is thus
not affected by CVE-2023-5380.
* Additionally, there is a change in the default behaviour of Xwayland:
Since version 23.2.0 Xwayland (via liboeffis) automatically tries to
connect to the XDG Desktop Portal's RemoteDesktop interface to obtain
the EI socket. That socket is used to send XTest events to the
compositor.
* However, the connection to the session-wide Portal is unsuitable when
Xwayland is running in a nested compositor. Xwayland cannot tell whether
it's running on a nested compositor and to keep backwards compatibility
with Xwayland prior to 23.2.0, Xwayland must now be started with
"-enable-ei-portal" to connect to the portal.
* Compositors (who typically spawn Xwayland rootless) must now pass this
option to get the same behaviour as 23.2.x.
* Finally, Xwayland now uses libbsd-overlay instead of libbsd.
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=60
* glamor: Ignore destination alpha as necessary for composite operation
* xtest: Check whether there is a sendEventsProc to call
- supersedes xwayland-glamor-Ignore-destination-alpha-as-necessary-for-com.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=58
- enable libei and libdecor only for TW, since it does not exist
yet on sle15-sp5
- Update to version 23.2.0:
* Optional support for emulated input (EI) via the libei library,
support for the tearing control protocol, and the XWayland
rootful mode is now resizable with libdecor.
- Add pkgconfig(libei-1.0) BuildRequires, build new optional
emulated input support.
- Add pkgconfig(libdecor-0) BuildRequires, build optional CSD
support.
OBS-URL: https://build.opensuse.org/request/show/1105976
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=23
- Update to version 23.2.0:
* Optional support for emulated input (EI) via the libei library,
support for the tearing control protocol, and the XWayland
rootful mode is now resizable with libdecor.
- Add pkgconfig(libei-1.0) BuildRequires, build new optional
emulated input support.
- Add pkgconfig(libdecor-0) BuildRequires, build optional CSD
support.
OBS-URL: https://build.opensuse.org/request/show/1104339
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=54
- Update to version 23.1.1 (CVE-2023-1393):
+ This release contains the fix for CVE-2023-1393.
+ xkbUtils: use existing symbol names instead of deleted
deprecated ones
+ glamor: Don't glFlush/ctx switch unless any work has been
performed
+ xwayland:
- Refactor xwl_present_for_each_frame_callback helper
- Prevent nested xwl_present_for_each_frame_callback calls
+ composite: Fix use-after-free of the COW
- Drop U_xserver-composite-Fix-use-after-free-of-the-COW.patch:
Fixed upstream.
OBS-URL: https://build.opensuse.org/request/show/1076649
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=50
- Update to version 22.1.7
* This release fixes an invalid event type mask in
XTestSwapFakeInput which was inadvertently changed from octal
0177 to hexadecimal 0x177 in the fix for CVE-2022-46340.
- Update to version 22.1.6:
* Fixes CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,
CVE-2022-46343, CVE-2022-46344, CVE-2022-4283.
* Xtest: disallow GenericEvents in XTestSwapFakeInput
* Xi: disallow passive grabs with a detail > 255
* Xext: free the XvRTVideoNotify when turning off from the same
client
* Xext: free the screen saver resource when replacing it
* Xi: return an error from XI property changes if verification
failed
* Xi: avoid integer truncation in length check of
ProcXIChangeProperty
* xkb: reset the radio_groups pointer to NULL after freeing it
- Drop patches fixed upstream:
* U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
* U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
* U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
* U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
* U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
* U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
* U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
OBS-URL: https://build.opensuse.org/request/show/1045936
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=18
Please note that I did not find a public key for peter.hutterer@who-t.net that did this release, so the keyring included here is wrong as it is for a different person....
- Update to version 22.1.6:
* Fixes CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,
CVE-2022-46343, CVE-2022-46344, CVE-2022-4283.
* Xtest: disallow GenericEvents in XTestSwapFakeInput
* Xi: disallow passive grabs with a detail > 255
* Xext: free the XvRTVideoNotify when turning off from the same
client
* Xext: free the screen saver resource when replacing it
* Xi: return an error from XI property changes if verification
failed
* Xi: avoid integer truncation in length check of
ProcXIChangeProperty
* xkb: reset the radio_groups pointer to NULL after freeing it
- Drop patches fixed upstream:
* U_0001-Xtest-disallow-GenericEvents-in-XTestSwapFakeInput.patch
* U_0002-Xi-return-an-error-from-XI-property-changes-if-verif.patch
* U_0003-Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
* U_0004-Xi-disallow-passive-grabs-with-a-detail-255.patch
* U_0005-Xext-free-the-screen-saver-resource-when-replacing-i.patch
* U_0006-Xext-free-the-XvRTVideoNotify-when-turning-off-from-.patch
* U_0007-xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
OBS-URL: https://build.opensuse.org/request/show/1043174
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=40
- U_Do-not-ignore-leave-events.patch
* fixes xwayland issue#1397, issue#1395
- Update to version 22.1.4
* xwayland: Aggregate scroll axis events to fix kinetic scrolling
* Forbid server grabs by non-WM on *rootless* XWayland
* xkb: Avoid length-check failure on empty strings.
* ci: remove redundant slash in libxcvt repository url
* dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY
* dix: Fix overzealous caching of ResourceClientBits()
* xwayland: Prevent Xserver grabs with rootless
* xwayland: Delay wl_surface destruction
* build: Bump wayland requirement to 1.18
* xwayland: set tag on our surfaces
* xwayland: Clear the "xwl-window" tag on unrealize
* xwayland: correct the type for the discrete scroll events
* xkb: fix some possible memleaks in XkbGetKbdByName
* xkb: length-check XkbGetKbdByName before accessing the fields
* xkb: length-check XkbListComponents before accessing the fields
* xkb: proof GetCountedString against request length attacks
- supersedes security patches:
* U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
* U_xkb-proof-GetCountedString-against-request-length-at.patch
OBS-URL: https://build.opensuse.org/request/show/1030894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=15
* xwayland: Aggregate scroll axis events to fix kinetic scrolling
* Forbid server grabs by non-WM on *rootless* XWayland
* xkb: Avoid length-check failure on empty strings.
* ci: remove redundant slash in libxcvt repository url
* dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY
* dix: Fix overzealous caching of ResourceClientBits()
* xwayland: Prevent Xserver grabs with rootless
* xwayland: Delay wl_surface destruction
* build: Bump wayland requirement to 1.18
* xwayland: set tag on our surfaces
* xwayland: Clear the "xwl-window" tag on unrealize
* xwayland: correct the type for the discrete scroll events
* xkb: fix some possible memleaks in XkbGetKbdByName
* xkb: length-check XkbGetKbdByName before accessing the fields
* xkb: length-check XkbListComponents before accessing the fields
* xkb: proof GetCountedString against request length attacks
- supersedes security patches:
* U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
* U_xkb-proof-GetCountedString-against-request-length-at.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=33
- Update to version 22.1.3
* os: print <signal handler called> if unw_is_signal_frame()
* os: print registers in the libunwind version of xorg_backtrace()
* xwayland/present: Do not send two idle notify events for flip pixmaps
* xwayland: Fix check logic in sprite_check_lost_focus()
* xwayland: Change randr_output status when call xwl_output_remove()
* xkb: switch to array index loops to moving pointers
* xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
* xkb: add request length validation for XkbSetGeometry
OBS-URL: https://build.opensuse.org/request/show/988657
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xwayland?expand=0&rev=13
* os: print <signal handler called> if unw_is_signal_frame()
* os: print registers in the libunwind version of xorg_backtrace()
* xwayland/present: Do not send two idle notify events for flip pixmaps
* xwayland: Fix check logic in sprite_check_lost_focus()
* xwayland: Change randr_output status when call xwl_output_remove()
* xkb: switch to array index loops to moving pointers
* xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck
* xkb: add request length validation for XkbSetGeometry
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=29
* xwayland: Clear timer_armed in xwl_present_unrealize_window
* xwayland: Always hook up frame_callback_list in xwl_present_queue_vblank
* Xwayland: Do not map the COW by default when rootless
* xwayland/present: Fix use-after-free in xwl_unrealize_window()
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=25
I realize it is to early to push this RC to TW, but perhaps we can have it in the devel repo for now?
- Update to version 22.0.99.901
* DRM lease support
* Enables sRGB fbconfigs in GLX
* Requires libxcvt
* Refactoring of the present code in Xwayland
* Implements support for touchpad gestures
* Support for xfixes's ClientDisconnectMode and optional
terminate delay
- Add pkgconfig(libxcvt) BuildRequires: New dependency.
- Add xwayland.keyring, use url for sources, validate sig.
- Move man pages from devel to main binary package.
- Enable LTO, no longer disable LTO via macro.
OBS-URL: https://build.opensuse.org/request/show/947907
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=22
* Fixes for multiple input validation failures in X server extensions:
+ CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds access (boo#1193030)
+ CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds access (boo#1190487)
+ CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access (boo#1190488)
+ CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access (boo#1190489)
* This release also includes other fixes such as:
+ Store EGLcontext to avoid superfluous eglMakeCurrent() calls
+ Prefer EGLStream with NVIDIA proprietary driver if both GBM and EGLstream are available
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=21
