diff --git a/fix-cve-CVE-2025-26594-1.patch b/fix-cve-CVE-2025-26594-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..794db6206f0bab22e76f8de2b8d4f00289cf7b86 --- /dev/null +++ b/fix-cve-CVE-2025-26594-1.patch @@ -0,0 +1,34 @@ +From 9dc8beff846a127cc8754212fb654e5f66dacff4 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 15:49:43 +1000 +Subject: [PATCH xserver 02/13] dix: keep a ref to the rootCursor + +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index b228d9c28..f2606d3d6 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[]) + defaultCursorFont); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26594.patch b/fix-cve-CVE-2025-26594.patch new file mode 100644 index 0000000000000000000000000000000000000000..15a0145fb20e8167dec4d374a7bfd831e1da2204 --- /dev/null +++ b/fix-cve-CVE-2025-26594.patch @@ -0,0 +1,27 @@ +From 42ec29c7fbf8dc797c369d5fe0e4f2e20725332b Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 11:27:05 +0100 +Subject: [PATCH xserver 01/13] Cursor: Refuse to free the root cursor + +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index a33bfaa9e..9654c207e 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26595.patch b/fix-cve-CVE-2025-26595.patch new file mode 100644 index 0000000000000000000000000000000000000000..4e65a16e5c5a192566249701415777d25612d8c3 --- /dev/null +++ b/fix-cve-CVE-2025-26595.patch @@ -0,0 +1,39 @@ +From c0e295af1adca6a0258bb405c535fe04969cc178 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 14:41:45 +0100 +Subject: [PATCH xserver 03/13] xkb: Fix buffer overflow in XkbVModMaskText() + +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index d2a2567fc..002626450 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26596.patch b/fix-cve-CVE-2025-26596.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b1d2a22223d702eeab38a31226f35f4dfd83d91 --- /dev/null +++ b/fix-cve-CVE-2025-26596.patch @@ -0,0 +1,31 @@ +From ddf9500846982402250114803b28180036a54cac Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 11:49:34 +0100 +Subject: [PATCH xserver 04/13] xkb: Fix computation of XkbSizeKeySyms + +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 68c59df02..175a81bf7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26597.patch b/fix-cve-CVE-2025-26597.patch new file mode 100644 index 0000000000000000000000000000000000000000..3667117080acca7027740fbc0a600a34f0d08c45 --- /dev/null +++ b/fix-cve-CVE-2025-26597.patch @@ -0,0 +1,24 @@ +From 33dfc78a0f67f4db5558c2374f5a73d262e43671 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 14:09:04 +0100 +Subject: [PATCH xserver 05/13] xkb: Fix buffer overflow in + +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index f17194528..c45471686 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26598.patch b/fix-cve-CVE-2025-26598.patch new file mode 100644 index 0000000000000000000000000000000000000000..e633e2e0e4ac20e82896d619ec49f285049efc9a --- /dev/null +++ b/fix-cve-CVE-2025-26598.patch @@ -0,0 +1,96 @@ +From 475a856c919c8648aaefac9388a7788eed5725fa Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 11:25:11 +0100 +Subject: [PATCH xserver 06/13] Xi: Fix barrier device search + +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 1926762ad..cb336f22b 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -129,14 +129,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -337,6 +338,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (pbd->seen) + continue; + +@@ -445,6 +449,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -485,6 +492,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -679,6 +689,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -738,6 +751,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -903,6 +918,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26599-1.patch b/fix-cve-CVE-2025-26599-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c8a5fdb45e6f2fbd8ca7bd4733466f46d748d94 --- /dev/null +++ b/fix-cve-CVE-2025-26599-1.patch @@ -0,0 +1,49 @@ +From 9a5a5b2972539ba5ef16dbc802c4eb87c9226d4e Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 16:09:43 +0100 +Subject: [PATCH xserver 08/13] composite: initialize border clip even when + +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 55a1b725a..d1c205ca0 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -604,9 +604,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -620,14 +623,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26599.patch b/fix-cve-CVE-2025-26599.patch new file mode 100644 index 0000000000000000000000000000000000000000..e462144d1f62e9032937a9e547c0a4a9e2d56eff --- /dev/null +++ b/fix-cve-CVE-2025-26599.patch @@ -0,0 +1,40 @@ +From 04d8041534d40e975d11a8a58ea7e8b1f09b519d Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 15:19:45 +0100 +Subject: [PATCH xserver 07/13] composite: Handle failure to redirect in + +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 3e2f14fb0..55a1b725a 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26600.patch b/fix-cve-CVE-2025-26600.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d2ce218c5f5e1b9aba86a1a16505817ae519dbe --- /dev/null +++ b/fix-cve-CVE-2025-26600.patch @@ -0,0 +1,48 @@ +From 470c77ae761a36c71494285009bc37b2abbefe97 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 16:18:04 +0100 +Subject: [PATCH xserver 09/13] dix: Dequeue pending events on frozen device on + +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index e7c74d7b7..11120b70b 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -949,6 +949,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1013,6 +1030,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26601-1.patch b/fix-cve-CVE-2025-26601-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..a77061665c5c4adbc012d6dbfe9376475a3884fc --- /dev/null +++ b/fix-cve-CVE-2025-26601-1.patch @@ -0,0 +1,66 @@ +From a4c19259fca5af558fb27d8fa98f2ad4a3689d56 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 16:54:30 +0100 +Subject: [PATCH xserver 11/13] sync: Check values before applying changes + +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index e55295904..66a52283d 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -350,6 +350,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -378,24 +396,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26601-2.patch b/fix-cve-CVE-2025-26601-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..6add0e703a209e14283989d99c2356fc526b8d74 --- /dev/null +++ b/fix-cve-CVE-2025-26601-2.patch @@ -0,0 +1,37 @@ +From 7537745b5fe63d7e43d692bfa86f93259d522c80 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 17:06:07 +0100 +Subject: [PATCH xserver 12/13] sync: Do not fail SyncAddTriggerToSyncObject() + +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 66a52283d..8def4adbf 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26601-3.patch b/fix-cve-CVE-2025-26601-3.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc91ba26d55846e9df4bc1b90c8c4f71332021bd --- /dev/null +++ b/fix-cve-CVE-2025-26601-3.patch @@ -0,0 +1,114 @@ +From e7bca6a0933b6f0c1568cbe770740c48626f30be Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 17:10:31 +0100 +Subject: [PATCH xserver 13/13] sync: Apply changes last in + +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 8def4adbf..e2f2c2774 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -799,8 +799,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -816,24 +822,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -843,10 +849,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -855,25 +859,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." + */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; +-- +2.48.1 + diff --git a/fix-cve-CVE-2025-26601.patch b/fix-cve-CVE-2025-26601.patch new file mode 100644 index 0000000000000000000000000000000000000000..efd9fbb97e8a004e5db33793fd89a224f2da6589 --- /dev/null +++ b/fix-cve-CVE-2025-26601.patch @@ -0,0 +1,43 @@ +From 7f7f51e8907b14c6654944e0e321f15e256b34e7 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Mon, 7 Apr 2025 16:52:01 +0100 +Subject: [PATCH xserver 10/13] sync: Do not let sync objects uninitialized + +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index fd2ceb042..e55295904 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -329,11 +329,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -401,6 +396,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +2.48.1 + diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 314c7a7c3d9ff352a999a4a943de86b9c3896084..909b23d4eba90e820b4d76d607269a1b9657daf3 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -42,7 +42,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.4 -Release: 29%{?gitdate:.%{gitdate}}%{?dist} +Release: 30%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -227,6 +227,20 @@ Patch10046: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch Patch10047: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch Patch10048: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch +Patch10049: fix-cve-CVE-2025-26594.patch +Patch10050: fix-cve-CVE-2025-26594-1.patch +Patch10051: fix-cve-CVE-2025-26595.patch +Patch10052: fix-cve-CVE-2025-26596.patch +Patch10053: fix-cve-CVE-2025-26597.patch +Patch10054: fix-cve-CVE-2025-26598.patch +Patch10055: fix-cve-CVE-2025-26599.patch +Patch10056: fix-cve-CVE-2025-26599-1.patch +Patch10057: fix-cve-CVE-2025-26600.patch +Patch10058: fix-cve-CVE-2025-26601.patch +Patch10059: fix-cve-CVE-2025-26601-1.patch +Patch10060: fix-cve-CVE-2025-26601-2.patch +Patch10061: fix-cve-CVE-2025-26601-3.patch + %global moduledir %{_libdir}/xorg/modules %global drimoduledir %{_libdir}/dri %global sdkdir %{_includedir}/xorg @@ -709,6 +723,10 @@ rm -rf $RPM_BUILD_ROOT %{xserver_source_dir} %changelog +* Mon Apr 7 2025 zhuhongbo - 1.20.4-30 +- cve: fix CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 +- CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601 + * Wed Apr 10 2024 José Expósito - 1.20.4-29 - Fix regression caused by the fix for CVE-2024-31083