Stefan Dirsch
ed85a28b3f
* This release contains the fixes for the issues reported in
today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597,
CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601.
* Additionally, it reverts a recent Xkb change to fix an issue
with gamescope.
- Drop patches fixed upstream:
* U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
* U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
* U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
* U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
* U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
* U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
* U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
* U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
* U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
* U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
* U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
* U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
* U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=100
67 lines
2.2 KiB
Diff
67 lines
2.2 KiB
Diff
From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 20 Jan 2025 16:52:01 +0100
|
|
Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized
|
|
|
|
When changing an alarm, the change mask values are evaluated one after
|
|
the other, changing the trigger values as requested and eventually,
|
|
SyncInitTrigger() is called.
|
|
|
|
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
|
|
the existing sync object.
|
|
|
|
Other changes are then evaluated and may trigger an error and an early
|
|
return, not adding the new sync object.
|
|
|
|
This can be used to cause a use after free when the alarm eventually
|
|
triggers.
|
|
|
|
To avoid the issue, delete the existing sync object as late as possible
|
|
only once we are sure that no further error will cause an early exit.
|
|
|
|
CVE-2025-26601, ZDI-CAN-25870
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xext/sync.c | 13 ++++++++-----
|
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/Xext/sync.c b/Xext/sync.c
|
|
index b6417b3b0..4267d3af6 100644
|
|
--- a/Xext/sync.c
|
|
+++ b/Xext/sync.c
|
|
@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
|
client->errorValue = syncObject;
|
|
return rc;
|
|
}
|
|
- if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
|
- SyncDeleteTriggerFromSyncObject(pTrigger);
|
|
- pTrigger->pSync = pSync;
|
|
- newSyncObject = TRUE;
|
|
- }
|
|
}
|
|
|
|
/* if system counter, ask it what the current value is */
|
|
@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
|
}
|
|
}
|
|
|
|
+ if (changes & XSyncCACounter) {
|
|
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
|
+ SyncDeleteTriggerFromSyncObject(pTrigger);
|
|
+ pTrigger->pSync = pSync;
|
|
+ newSyncObject = TRUE;
|
|
+ }
|
|
+ }
|
|
+
|
|
/* we wait until we're sure there are no errors before registering
|
|
* a new counter on a trigger
|
|
*/
|
|
--
|
|
2.48.1
|
|
|