Your message dated Wed, 29 Oct 2025 14:41:01 +0000
with message-id <[email protected]>
and subject line Bug#1119267: fixed in xorg-server 2:21.1.20-1
has caused the Debian Bug report #1119267,
regarding xorg-server: diff for NMU version 2:21.1.18-2.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119267
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xorg-server
Version: 2:21.1.18-2
Severity: normal
Tags: patch pending
X-Debbugs-CC: [email protected], [email protected], [email protected],
[email protected], [email protected]
Dear maintainers,
I've prepared an NMU for xorg-server (versioned as 2:21.1.18-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.
But ideally we can have this in unstable before we release the DSAs
for trixie-security and bookworm-security, while Thorsten prepared the
bullseye-security one.
Regards,
Salvatore
diffstat for xorg-server_21.1.18-2 xorg-server_21.1.18-2.1
debian/patches/CVE-2025-62229/0001-present-Fix-use-after-free-in-present_create_notifie.patch | 86 +++++++++
debian/patches/CVE-2025-62230/0001-xkb-Make-the-RT_XKBCLIENT-resource-private.patch | 57 ++++++
debian/patches/CVE-2025-62230/0002-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch | 87 ++++++++++
debian/patches/CVE-2025-62231/0001-xkb-Prevent-overflow-in-XkbSetCompatMap.patch | 47 +++++
xorg-server-21.1.18/debian/changelog | 10 +
xorg-server-21.1.18/debian/patches/series | 4
6 files changed, 291 insertions(+)
diff -u xorg-server-21.1.18/debian/changelog xorg-server-21.1.18/debian/changelog
--- xorg-server-21.1.18/debian/changelog
+++ xorg-server-21.1.18/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:21.1.18-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * present: Fix use-after-free in present_create_notifies() (CVE-2025-62229)
+ * xkb: Make the RT_XKBCLIENT resource private (CVE-2025-62230)
+ * xkb: Free the XKB resource when freeing XkbInterest (CVE-2025-62230)
+ * xkb: Prevent overflow in XkbSetCompatMap() (CVE-2025-62231)
+
+ -- Salvatore Bonaccorso <[email protected]> Mon, 27 Oct 2025 17:44:51 +0100
+
xorg-server (2:21.1.18-2) unstable; urgency=medium
[ NoisyCoil ]
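Review bot: urgency=medium on the new 2:21.1.18-2.1 stanza looks low for an upload whose four entries are all CVE fixes (CVE-2025-62229, CVE-2025-62230, CVE-2025-62231); consider urgency=high so the fixed package migrates faster. The entries repeat the upstream subject lines only, so naming the matching debian/patches/CVE-* directory on each line would let a reader map a changelog entry to its patch file.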
diff -u xorg-server-21.1.18/debian/patches/series xorg-server-21.1.18/debian/patches/series
--- xorg-server-21.1.18/debian/patches/series
+++ xorg-server-21.1.18/debian/patches/series
@@ -2,3 +2,7 @@
05_Revert-Unload-submodules.diff
06_use-intel-only-on-pre-gen4.diff
07_use-modesetting-driver-by-default-on-GeForce.diff
+CVE-2025-62229/0001-present-Fix-use-after-free-in-present_create_notifie.patch
+CVE-2025-62230/0001-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
+CVE-2025-62230/0002-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
+CVE-2025-62231/0001-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
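Review bot: the order of the four new entries is load-bearing, but nothing in series says so. CVE-2025-62230/0002 calls FreeResource(..., RT_XKBCLIENT) from xkb/xkbEvents.c and only compiles once 0001 has exported that symbol, and the CVE-2025-62231 patch's xkb/xkb.c index line starts from 26d965d48, the blob that 0001 produces. A one-line # comment above the block stating the dependency would protect the ordering when the series is rebased.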
only in patch2:
unchanged:
--- xorg-server-21.1.18.orig/debian/patches/CVE-2025-62229/0001-present-Fix-use-after-free-in-present_create_notifie.patch
+++ xorg-server-21.1.18/debian/patches/CVE-2025-62229/0001-present-Fix-use-after-free-in-present_create_notifie.patch
@@ -0,0 +1,86 @@
+From 4b84491451364a2a9121d43eed6790f5fbcd7046 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <[email protected]>
+Date: Wed, 2 Jul 2025 09:46:22 +0200
+Subject: [PATCH xserver 1/4] present: Fix use-after-free in
+ present_create_notifies()
+
+Using the Present extension, if an error occurs while processing and
+adding the notifications after presenting a pixmap, the function
+present_create_notifies() will clean up and remove the notifications
+it added.
+
+However, there are two different code paths that can lead to an error
+creating the notify, one being before the notify is being added to the
+list, and another one after the notify is added.
+
+When the error occurs before it's been added, it removes the elements up
+to the last added element, instead of the actual number of elements
+which were added.
+
+As a result, in case of error, as with an invalid window for example, it
+leaves a dangling pointer to the last element, leading to a use after
+free case later:
+
+ | Invalid write of size 8
+ | at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
+ | by 0x534A56: present_destroy_window (present_screen.c:107)
+ | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
+ | by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
+ | by 0x51EAC4: damageDestroyWindow (damage.c:1592)
+ | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
+ | by 0x4EAC55: FreeWindowResources (window.c:1023)
+ | by 0x4EAF59: DeleteWindow (window.c:1091)
+ | by 0x4DE59A: doFreeResource (resource.c:890)
+ | by 0x4DEFB2: FreeClientResources (resource.c:1156)
+ | by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
+ | by 0x5DCC78: ClientReady (connection.c:603)
+ | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
+ | at 0x4841E43: free (vg_replace_malloc.c:989)
+ | by 0x5363DD: present_destroy_notifies (present_notify.c:111)
+ | by 0x53638D: present_create_notifies (present_notify.c:100)
+ | by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
+ | by 0x536A7D: proc_present_pixmap (present_request.c:189)
+ | by 0x536FA9: proc_present_dispatch (present_request.c:337)
+ | by 0x4A1E4E: Dispatch (dispatch.c:561)
+ | by 0x4B00F1: dix_main (main.c:284)
+ | by 0x42879D: main (stubmain.c:34)
+ | Block was alloc'd at
+ | at 0x48463F3: calloc (vg_replace_malloc.c:1675)
+ | by 0x5362A1: present_create_notifies (present_notify.c:81)
+ | by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
+ | by 0x536A7D: proc_present_pixmap (present_request.c:189)
+ | by 0x536FA9: proc_present_dispatch (present_request.c:337)
+ | by 0x4A1E4E: Dispatch (dispatch.c:561)
+ | by 0x4B00F1: dix_main (main.c:284)
+ | by 0x42879D: main (stubmain.c:34)
+
+To fix the issue, count and remove the actual number of notify elements
+added in case of error.
+
+ZDI-CAN-27238
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <[email protected]>
+(cherry picked from commit 6dd511a2d7a7c158fa6056dd7f60b3dbe4e334fc)
+---
+ present/present_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/present/present_notify.c b/present/present_notify.c
+index 445954998..00b3b68bd 100644
+--- a/present/present_notify.c
++++ b/present/present_notify.c
+@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
+ if (status != Success)
+ goto bail;
+
+- added = i;
++ added++;
+ }
+ return Success;
+
+--
+2.51.1
+
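Review bot: the one-line change from `added = i;` to `added++;` in present_create_notifies() is only correct if `added` starts at zero and the code after the bail label treats it as a count of elements to destroy; neither the declaration nor the bail path is in the hunk's context, so confirm both against present/present_notify.c before upload. The commit message names the failing condition (an invalid window) and carries the Valgrind trace, so a regression test for that error path would keep the cleanup count from drifting again.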
only in patch2:
unchanged:
--- xorg-server-21.1.18.orig/debian/patches/CVE-2025-62230/0001-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
+++ xorg-server-21.1.18/debian/patches/CVE-2025-62230/0001-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
@@ -0,0 +1,57 @@
+From dfbccbeeb08dd16a217f0c31df2c53da3ddc293f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <[email protected]>
+Date: Wed, 10 Sep 2025 15:55:06 +0200
+Subject: [PATCH xserver 2/4] xkb: Make the RT_XKBCLIENT resource private
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently, the resource in only available to the xkb.c source file.
+
+In preparation for the next commit, to be able to free the resources
+from XkbRemoveResourceClient(), make that variable private instead.
+
+This is related to:
+
+ZDI-CAN-27545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <[email protected]>
+Reviewed-by: Michel Dänzer <[email protected]>
+(cherry picked from commit 5af12dc7f33d9e8f92dcfcdc5e14202c19ad7be2)
+---
+ include/xkbsrv.h | 2 ++
+ xkb/xkb.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/xkbsrv.h b/include/xkbsrv.h
+index fbb5427e1..b2766277c 100644
+--- a/include/xkbsrv.h
++++ b/include/xkbsrv.h
+@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include "inputstr.h"
+ #include "events.h"
+
++extern RESTYPE RT_XKBCLIENT;
++
+ typedef struct _XkbInterest {
+ DeviceIntPtr dev;
+ ClientPtr client;
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 5131bfcdf..26d965d48 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode;
+ CARD32 xkbDebugFlags = 0;
+ static CARD32 xkbDebugCtrls = 0;
+
+-static RESTYPE RT_XKBCLIENT;
++RESTYPE RT_XKBCLIENT = 0;
+
+ /***====================================================================***/
+
+--
+2.51.1
+
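Review bot: the commit message says the change makes RT_XKBCLIENT "private", but the hunks do the opposite: xkb/xkb.c drops `static` and include/xkbsrv.h gains `extern RESTYPE RT_XKBCLIENT;`, so the symbol becomes visible to every file that includes that header. The upstream wording should stay as cherry-picked, but the Debian patch description could note that the resource type is now exported, and it is worth checking whether xkbsrv.h ships in the -dev package, since that would hand a non-const resource type to out-of-tree modules. The `= 0` initializer in xkb.c is redundant for an object with static storage duration.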
only in patch2:
unchanged:
--- xorg-server-21.1.18.orig/debian/patches/CVE-2025-62230/0002-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
+++ xorg-server-21.1.18/debian/patches/CVE-2025-62230/0002-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
@@ -0,0 +1,87 @@
+From 9284bacbf52641ed70e445dfb02bf361f27ff62f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <[email protected]>
+Date: Wed, 10 Sep 2025 15:58:57 +0200
+Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing
+ XkbInterest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+XkbRemoveResourceClient() would free the XkbInterest data associated
+with the device, but not the resource associated with it.
+
+As a result, when the client terminates, the resource delete function
+gets called and accesses already freed memory:
+
+ | Invalid read of size 8
+ | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
+ | by 0x5B3391: XkbClientGone (xkb.c:7094)
+ | by 0x4DF138: doFreeResource (resource.c:890)
+ | by 0x4DFB50: FreeClientResources (resource.c:1156)
+ | by 0x4A9A59: CloseDownClient (dispatch.c:3550)
+ | by 0x5E0A53: ClientReady (connection.c:601)
+ | by 0x5E4FEF: ospoll_wait (ospoll.c:657)
+ | by 0x5DC834: WaitForSomething (WaitFor.c:206)
+ | by 0x4A1BA5: Dispatch (dispatch.c:491)
+ | by 0x4B0070: dix_main (main.c:277)
+ | by 0x4285E7: main (stubmain.c:34)
+ | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
+ | at 0x4842E43: free (vg_replace_malloc.c:989)
+ | by 0x49C1A6: CloseDevice (devices.c:1067)
+ | by 0x49C522: CloseOneDevice (devices.c:1193)
+ | by 0x49C6E4: RemoveDevice (devices.c:1244)
+ | by 0x5873D4: remove_master (xichangehierarchy.c:348)
+ | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
+ | by 0x579BF1: ProcIDispatch (extinit.c:390)
+ | by 0x4A1D85: Dispatch (dispatch.c:551)
+ | by 0x4B0070: dix_main (main.c:277)
+ | by 0x4285E7: main (stubmain.c:34)
+ | Block was alloc'd at
+ | at 0x48473F3: calloc (vg_replace_malloc.c:1675)
+ | by 0x49A118: AddInputDevice (devices.c:262)
+ | by 0x4A0E58: AllocDevicePair (devices.c:2846)
+ | by 0x5866EE: add_master (xichangehierarchy.c:153)
+ | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
+ | by 0x579BF1: ProcIDispatch (extinit.c:390)
+ | by 0x4A1D85: Dispatch (dispatch.c:551)
+ | by 0x4B0070: dix_main (main.c:277)
+ | by 0x4285E7: main (stubmain.c:34)
+
+To avoid that issue, make sure to free the resources when freeing the
+device XkbInterest data.
+
+ZDI-CAN-27545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <[email protected]>
+Reviewed-by: Michel Dänzer <[email protected]>
+(cherry picked from commit 5a6d82bfb305e99ff6a531f5166457e674b2f861)
+---
+ xkb/xkbEvents.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
+index 0bbd66186..3d04ecf0c 100644
+--- a/xkb/xkbEvents.c
++++ b/xkb/xkbEvents.c
+@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+ autoCtrls = interest->autoCtrls;
+ autoValues = interest->autoCtrlValues;
+ client = interest->client;
++ FreeResource(interest->resource, RT_XKBCLIENT);
+ free(interest);
+ found = TRUE;
+ }
+@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+ autoCtrls = victim->autoCtrls;
+ autoValues = victim->autoCtrlValues;
+ client = victim->client;
++ FreeResource(victim->resource, RT_XKBCLIENT);
+ free(victim);
+ found = TRUE;
+ }
+--
+2.51.1
+
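Review bot: both added FreeResource() calls in XkbRemoveResourceClient() pass RT_XKBCLIENT as the second argument, which in the dix API names the resource type whose delete callback is skipped and is not a type filter; without a comment the call reads as if it could re-enter XkbClientGone, the caller shown in the trace in the commit message. Add a short comment at each site saying the delete function is deliberately skipped, and confirm the call is a no-op when this function is reached from the resource delete path itself, where the entry is already being torn down. The ordering is right: interest->resource and victim->resource are read before the matching free().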
only in patch2:
unchanged:
--- xorg-server-21.1.18.orig/debian/patches/CVE-2025-62231/0001-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
+++ xorg-server-21.1.18/debian/patches/CVE-2025-62231/0001-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
@@ -0,0 +1,47 @@
+From 0a5ef7ab659f9402126617c351ced12dec7b84df Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <[email protected]>
+Date: Wed, 10 Sep 2025 16:30:29 +0200
+Subject: [PATCH xserver 4/4] xkb: Prevent overflow in XkbSetCompatMap()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The XkbCompatMap structure stores its "num_si" and "size_si" fields
+using an unsigned short.
+
+However, the function _XkbSetCompatMap() will store the sum of the
+input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
+"size_si" without first checking if the sum overflows the maximum
+unsigned short value, leading to a possible overflow.
+
+To avoid the issue, check whether the sum does not exceed the maximum
+unsigned short value, or return a "BadValue" error otherwise.
+
+ZDI-CAN-27560
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <[email protected]>
+Reviewed-by: Michel Dänzer <[email protected]>
+(cherry picked from commit c1c652fd1948dd9d6b8cba0733981dfa21e4af4c)
+---
+ xkb/xkb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 26d965d48..137d70da2 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
+ XkbSymInterpretPtr sym;
+ unsigned int skipped = 0;
+
++ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
++ return BadValue;
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
+ compat->sym_interpret = reallocarray(compat->sym_interpret,
+--
+2.51.1
+
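Review bot: the new guard in _XkbSetCompatMap() uses USHRT_MAX, but the hunk adds no #include <limits.h> to xkb/xkb.c, so the build depends on the macro arriving through another header; add the include explicitly. The sum req->firstSI + req->nSI is now written three times in adjacent lines, with the (unsigned) cast applied after the addition; computing it once into a local unsigned variable and using that in both comparisons and in the assignment to num_si and size_si would make it obvious that the value checked is the value stored.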
--- End Message ---
--- Begin Message ---
Source: xorg-server
Source-Version: 2:21.1.20-1
Done: Emilio Pozuelo Monfort <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated xorg-server
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Oct 2025 11:09:04 +0100
Source: xorg-server
Built-For-Profiles: noudeb pkg.linux.nosource pkg.linux.nokerneldbg
pkg.linux.nokerneldbginfo
Architecture: source
Version: 2:21.1.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Closes: 1119267
Changes:
xorg-server (2:21.1.20-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1119267)
* CVE-2025-62229: Use-after-free in XPresentNotify structures creation
* CVE-2025-62230: Use-after-free in Xkb client resource removal
* CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap
--- End Message ---