From https://lists.x.org/archives/xorg-announce/2025-October/003635.html:
1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Using the X11 Present extension, when processing and adding the
notifications after presenting a pixmap, if an error occurs, a dangling
pointer may be left in the error code path of the function causing a
use-after-free when eventually destroying the notification structures
later.
Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
2) CVE-2025-62230: Use-after-free in Xkb client resource removal
When removing the Xkb resources for a client, the function
XkbRemoveResourceClient() will free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
triggers a use-after-free.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2c
     https://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The XkbCompatMap structure stores some of its values using an unsigned
short, but fails to check whether the sum of the input data might
overflow the maximum unsigned short value.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
(From OE-Core rev: 50b9c34ba932761fab9035a54e58466d72b097bf)
(From OE-Core rev: f5a10c4950ccb5570c72eb0a09618b7b3523bc39)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These are tracked as versionless redhat CVEs in NVD DB.
(From OE-Core rev: 84b1631bcbead1409ff44a1ed430244784c382be)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
For reasons we have explicit xorg.conf files for a number of the qemu
machines, but not all of them. These mainly disabled screen blanking
(which is now done with a separate fragment) but also explicitly set the
device driver to fbdev which meant they didn't use the modesetting
driver as they should (with the virtio framebuffer from qemu).
This is the root cause of why the xserver 21.1.16 upgrade doesn't work
on a number of machines: the /sys probing changed and the fbdev driver
now refuses to use the PCI framebuffer device as there are better
drivers, but we've explicitly told xorg to use the wrong driver.
For more details, see https://gitlab.freedesktop.org/xorg/xserver/-/issues/1798.
(From OE-Core rev: ccbb0f5491e13d61015872fba93417b91c3213a2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8c8039bf4c2d011e3d12c970ce45036b184902a9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a configuration fragment that disables screen blanking, and add it
to all qemu machines.
(From OE-Core rev: bb16526a4a0c39b6c156edbf68c7377bfdfa0bd1)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 780a5ccaa51d5aed18200883a686387e70847e4b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If XvFB is enabled, the CVE_STATUS for CVE-2023-5574 should be
'unpatched' rather than the empty string. Otherwise SPDX checker
complains:
xserver-xorg-2_21.1.13-r0 do_create_spdx: Unknown CVE status
(From OE-Core rev: 9965028d74b3c480f7556d299d616999822b79bf)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ec5dcbdd7c922df25ce90b04902d9c7c749a8c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changes:
render: Avoid possible double-free in ProcRenderAddGlyphs()
mi: fix rounding issues around zero in miPointerSetPosition
(From OE-Core rev: 9c00034001c27a17658ae8ae6a75d0c115a1a16b)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 78dc14599a65075a40c26df4bf9d2bb33a237ca9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Disable BlankTime, StandbyTime, SuspendTime and OffTime in X default for QEMU images
This fix addresses the issue of Xserver screensaver blanking being enabled on QEMU images by
disabling BlankTime, StandbyTime, SuspendTime, and OffTime in the Xorg default settings for QEMU images.
Reference: https://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html
[YOCTO #15436]
Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 173fb4247fdb2b7b5e6a1a604ddbbc8727b3d3bb)
Signed-off-by: K Sanjay Nayak <nayakksanjay@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xvfb has limited use, so to mitigate CVE-2023-5574 out of the box we can
disable the xvfb PACKAGECONFIG.
(From OE-Core rev: bfbcb28f032b2609f0cd15df70f35353adf326e5)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Xvfb is pretty niche and has outstanding unsolved security issues, so
let people disable it and add a conditional CVE_STATUS to reflect this.
(From OE-Core rev: 5d47474f6eb6b4441154c7de7261f8e0ab47333d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These patches are not yet merged (so they're not backports) because they
have outstanding (undescribed) issues[1]. As this issue only affects
Xvfb and is a use-after-free with only a hypothetical attack, revert the
patches until the compromise is understood.
This reverts commit a193c0224a.
[1] https://lists.x.org/archives/xorg-announce/2023-October/003430.html
(From OE-Core rev: 1ed1c4f48203a8366519b40a094c7d9719c3ae32)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
-present: Send a PresentConfigureNotify event for destroyed windows
-Switch to libbsd-overlay
-Xi/randr: fix handling of PropModeAppend/Prepend
-mi: reset the PointerWindows reference on screen switch
(From OE-Core rev: 82e87caedf84dcf5a933dbfc92718ac1cdd29734)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We've been removing PR values from recipes at upgrade time for a while. In general
anyone maintaining a binary distro would end up having to curate these themselves
so the values in OE-Core aren't really that useful anymore. In many ways it makes
sense to clear out the remaining ones (which are mostly for 'config' recipes that
are unlikely to increase in PV) and leave a clean slate for anyone implementing
a binary distro config.
References are left in meta-selftest since the tests there do involve them and
their removal upon upgrade.
(From OE-Core rev: d4c346e8ab8f3cae25d1b01c7331ed9f6d4f96ef)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise, xserver will no longer start when NO_RECOMMENDATIONS = "1",
because dependencies in XSERVER_RRECOMMENDS are missing.
(From OE-Core rev: bc7bd3953f3896af0db036250cda34bc9ecbb3ac)
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade xserver-xorg from 21.1.2 to 21.1.3. And adjust indent as well.
(From OE-Core rev: c32dfebbab45122dc005c1ae9c49dc15a4f350b2)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2011-4613 is specific to Debian/Ubuntu.
CVE-2020-25697 is a non-trivial attack that may not actually be feasible
considering the default behaviour for clients is to exit if the
connection is lost.
(From OE-Core rev: afa2e6c31a79f75ff4113d53f618bbb349cd6c17)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some of the CVEs have x_server as the product name.
(From OE-Core rev: 4d5d63cf8605515bb659b6b732683d7fe6540728)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This wasn't a problem in poky, but was exposed with a nodistro build.
(From OE-Core rev: 0afc9fdb93bb62a78ec6d3aaf870587f52c5a7a4)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Not every option was carried over, drop them accordingly.
(From OE-Core rev: e05abd87ee5d23750c641d0129d9c83db68ee2e8)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxcvt is a new dependency (thanks Oleksandr!).
Include ${libdir}/xorg/modules/input/*.so into the main
package (if for someone separate packaging matters, please
investigate what they do).
Remove options no longer present upstream.
Remove patches available upstream; drop a chunk as well.
(From OE-Core rev: fe501ae1f6bea73882707c944c4fab5c5657a551)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix segfault on probing a non-PCI platform device on a system with PCI.
...
at ../../xorg-server-1.20.9/os/log.c:1017
at ../../xorg-server-1.20.9/os/osinit.c:156
at ../../xorg-server-1.20.9/os/osinit.c:110
at ../../../../xorg-server-1.20.9/hw/xfree86/common/xf86platformBus.c:292
argv=argv@entry=0xffffca43c7c8) at ../../../../xorg-server-1.20.9/hw/xfree86/common/xf86Init.c:388
at ../../xorg-server-1.20.9/dix/main.c:193
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>)
at ../csu/libc-start.c:314
...
Backported from upstream rev e50c85f4e.
(From OE-Core rev: 3b37cbd53219d9c10640b462aa91991d8cbc2a23)
Signed-off-by: Aníbal Limón <anibal.limon@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>