3 files changed, 157 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch
new file mode 100644
index 0000000000..a3a0bae2d5
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch
@@ -0,0 +1,63 @@
+From 865089ca70840c0f13a61df135f7b44a9782a175 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 10 Sep 2025 15:55:06 +0200
+Subject: [PATCH] xkb: Make the RT_XKBCLIENT resource private
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Currently, the resource in only available to the xkb.c source file.
+In preparation for the next commit, to be able to free the resources
+from XkbRemoveResourceClient(), make that variable private instead.
+This is related to:
+CVE-2025-62230, ZDI-CAN-27545
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175]
+CVE: CVE-2025-62230
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ include/xkbsrv.h | 2 ++
+ xkb/xkb.c        | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/include/xkbsrv.h b/include/xkbsrv.h
+index fbb5427e1c..b2766277cf 100644
+--- a/include/xkbsrv.h
+++ b/include/xkbsrv.h
+@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include "inputstr.h"
+ #include "events.h"
+ 
+extern RESTYPE RT_XKBCLIENT;
+
+ typedef struct _XkbInterest {
+     DeviceIntPtr dev;
+     ClientPtr client;
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 5131bfcdf7..26d965d482 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode;
+ CARD32 xkbDebugFlags = 0;
+ static CARD32 xkbDebugCtrls = 0;
+ 
+-static RESTYPE RT_XKBCLIENT;
+RESTYPE RT_XKBCLIENT = 0;
+ 
+ /***====================================================================***/
+ 
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch
new file mode 100644
index 0000000000..0e4a69c64e
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch
@@ -0,0 +1,92 @@
+From 87fe2553937a99fd914ad0cde999376a3adc3839 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 10 Sep 2025 15:58:57 +0200
+Subject: [PATCH] xkb: Free the XKB resource when freeing XkbInterest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+XkbRemoveResourceClient() would free the XkbInterest data associated
+with the device, but not the resource associated with it.
+As a result, when the client terminates, the resource delete function
+gets called and accesses already freed memory:
+ | Invalid read of size 8
+ |   at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
+ |   by 0x5B3391: XkbClientGone (xkb.c:7094)
+ |   by 0x4DF138: doFreeResource (resource.c:890)
+ |   by 0x4DFB50: FreeClientResources (resource.c:1156)
+ |   by 0x4A9A59: CloseDownClient (dispatch.c:3550)
+ |   by 0x5E0A53: ClientReady (connection.c:601)
+ |   by 0x5E4FEF: ospoll_wait (ospoll.c:657)
+ |   by 0x5DC834: WaitForSomething (WaitFor.c:206)
+ |   by 0x4A1BA5: Dispatch (dispatch.c:491)
+ |   by 0x4B0070: dix_main (main.c:277)
+ |   by 0x4285E7: main (stubmain.c:34)
+ | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
+ |   at 0x4842E43: free (vg_replace_malloc.c:989)
+ |   by 0x49C1A6: CloseDevice (devices.c:1067)
+ |   by 0x49C522: CloseOneDevice (devices.c:1193)
+ |   by 0x49C6E4: RemoveDevice (devices.c:1244)
+ |   by 0x5873D4: remove_master (xichangehierarchy.c:348)
+ |   by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
+ |   by 0x579BF1: ProcIDispatch (extinit.c:390)
+ |   by 0x4A1D85: Dispatch (dispatch.c:551)
+ |   by 0x4B0070: dix_main (main.c:277)
+ |   by 0x4285E7: main (stubmain.c:34)
+ | Block was alloc'd at
+ |   at 0x48473F3: calloc (vg_replace_malloc.c:1675)
+ |   by 0x49A118: AddInputDevice (devices.c:262)
+ |   by 0x4A0E58: AllocDevicePair (devices.c:2846)
+ |   by 0x5866EE: add_master (xichangehierarchy.c:153)
+ |   by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
+ |   by 0x579BF1: ProcIDispatch (extinit.c:390)
+ |   by 0x4A1D85: Dispatch (dispatch.c:551)
+ |   by 0x4B0070: dix_main (main.c:277)
+ |   by 0x4285E7: main (stubmain.c:34)
+To avoid that issue, make sure to free the resources when freeing the
+device XkbInterest data.
+CVE-2025-62230, ZDI-CAN-27545
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839]
+CVE: CVE-2025-62230
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkbEvents.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
+index 0bbd661867..3d04ecf0c4 100644
+--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
+@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+             autoCtrls = interest->autoCtrls;
+             autoValues = interest->autoCtrlValues;
+             client = interest->client;
+            FreeResource(interest->resource, RT_XKBCLIENT);
+             free(interest);
+             found = TRUE;
+         }
+@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+                 autoCtrls = victim->autoCtrls;
+                 autoValues = victim->autoCtrlValues;
+                 client = victim->client;
+                FreeResource(victim->resource, RT_XKBCLIENT);
+                 free(victim);
+                 found = TRUE;
+             }
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index ba0ed6048e..4fa88fbcff 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -51,6 +51,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-49179.patch \
           file://CVE-2025-49180.patch \
           file://CVE-2025-62229.patch \
+           file://CVE-2025-62230-1.patch \
+           file://CVE-2025-62230-2.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch new file mode 100644 index 0000000000..a3a0bae2d5 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch
@@ -0,0 +1,63 @@
		1	From 865089ca70840c0f13a61df135f7b44a9782a175 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 10 Sep 2025 15:55:06 +0200
		4	Subject: [PATCH] xkb: Make the RT_XKBCLIENT resource private
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Currently, the resource in only available to the xkb.c source file.
		10
		11	In preparation for the next commit, to be able to free the resources
		12	from XkbRemoveResourceClient(), make that variable private instead.
		13
		14	This is related to:
		15
		16	CVE-2025-62230, ZDI-CAN-27545
		17
		18	This vulnerability was discovered by:
		19	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		20
		21	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		22	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
		23	(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
		24
		25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
		26
		27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175]
		28	CVE: CVE-2025-62230
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	include/xkbsrv.h \| 2 ++
		32	xkb/xkb.c \| 2 +-
		33	2 files changed, 3 insertions(+), 1 deletion(-)
		34
		35	diff --git a/include/xkbsrv.h b/include/xkbsrv.h
		36	index fbb5427e1c..b2766277cf 100644
		37	--- a/include/xkbsrv.h
		38	+++ b/include/xkbsrv.h
		39	@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
		40	#include "inputstr.h"
		41	#include "events.h"
		42
		43	+extern RESTYPE RT_XKBCLIENT;
		44	+
		45	typedef struct _XkbInterest {
		46	DeviceIntPtr dev;
		47	ClientPtr client;
		48	diff --git a/xkb/xkb.c b/xkb/xkb.c
		49	index 5131bfcdf7..26d965d482 100644
		50	--- a/xkb/xkb.c
		51	+++ b/xkb/xkb.c
		52	@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode;
		53	CARD32 xkbDebugFlags = 0;
		54	static CARD32 xkbDebugCtrls = 0;
		55
		56	-static RESTYPE RT_XKBCLIENT;
		57	+RESTYPE RT_XKBCLIENT = 0;
		58
		59	/*====================================================================*/
		60
		61	--
		62	GitLab
		63


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch new file mode 100644 index 0000000000..0e4a69c64e --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch
@@ -0,0 +1,92 @@
		1	From 87fe2553937a99fd914ad0cde999376a3adc3839 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 10 Sep 2025 15:58:57 +0200
		4	Subject: [PATCH] xkb: Free the XKB resource when freeing XkbInterest
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	XkbRemoveResourceClient() would free the XkbInterest data associated
		10	with the device, but not the resource associated with it.
		11
		12	As a result, when the client terminates, the resource delete function
		13	gets called and accesses already freed memory:
		14
		15	\| Invalid read of size 8
		16	\| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
		17	\| by 0x5B3391: XkbClientGone (xkb.c:7094)
		18	\| by 0x4DF138: doFreeResource (resource.c:890)
		19	\| by 0x4DFB50: FreeClientResources (resource.c:1156)
		20	\| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
		21	\| by 0x5E0A53: ClientReady (connection.c:601)
		22	\| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
		23	\| by 0x5DC834: WaitForSomething (WaitFor.c:206)
		24	\| by 0x4A1BA5: Dispatch (dispatch.c:491)
		25	\| by 0x4B0070: dix_main (main.c:277)
		26	\| by 0x4285E7: main (stubmain.c:34)
		27	\| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
		28	\| at 0x4842E43: free (vg_replace_malloc.c:989)
		29	\| by 0x49C1A6: CloseDevice (devices.c:1067)
		30	\| by 0x49C522: CloseOneDevice (devices.c:1193)
		31	\| by 0x49C6E4: RemoveDevice (devices.c:1244)
		32	\| by 0x5873D4: remove_master (xichangehierarchy.c:348)
		33	\| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
		34	\| by 0x579BF1: ProcIDispatch (extinit.c:390)
		35	\| by 0x4A1D85: Dispatch (dispatch.c:551)
		36	\| by 0x4B0070: dix_main (main.c:277)
		37	\| by 0x4285E7: main (stubmain.c:34)
		38	\| Block was alloc'd at
		39	\| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
		40	\| by 0x49A118: AddInputDevice (devices.c:262)
		41	\| by 0x4A0E58: AllocDevicePair (devices.c:2846)
		42	\| by 0x5866EE: add_master (xichangehierarchy.c:153)
		43	\| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
		44	\| by 0x579BF1: ProcIDispatch (extinit.c:390)
		45	\| by 0x4A1D85: Dispatch (dispatch.c:551)
		46	\| by 0x4B0070: dix_main (main.c:277)
		47	\| by 0x4285E7: main (stubmain.c:34)
		48
		49	To avoid that issue, make sure to free the resources when freeing the
		50	device XkbInterest data.
		51
		52	CVE-2025-62230, ZDI-CAN-27545
		53
		54	This vulnerability was discovered by:
		55	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		56
		57	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		58	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
		59	(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
		60
		61	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2087>
		62
		63	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839]
		64	CVE: CVE-2025-62230
		65	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		66	---
		67	xkb/xkbEvents.c \| 2 ++
		68	1 file changed, 2 insertions(+)
		69
		70	diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
		71	index 0bbd661867..3d04ecf0c4 100644
		72	--- a/xkb/xkbEvents.c
		73	+++ b/xkb/xkbEvents.c
		74	@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
		75	autoCtrls = interest->autoCtrls;
		76	autoValues = interest->autoCtrlValues;
		77	client = interest->client;
		78	+ FreeResource(interest->resource, RT_XKBCLIENT);
		79	free(interest);
		80	found = TRUE;
		81	}
		82	@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
		83	autoCtrls = victim->autoCtrls;
		84	autoValues = victim->autoCtrlValues;
		85	client = victim->client;
		86	+ FreeResource(victim->resource, RT_XKBCLIENT);
		87	free(victim);
		88	found = TRUE;
		89	}
		90	--
		91	GitLab
		92


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index ba0ed6048e..4fa88fbcff 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -51,6 +51,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
51	file://CVE-2025-49179.patch \	51	file://CVE-2025-49179.patch \
52	file://CVE-2025-49180.patch \	52	file://CVE-2025-49180.patch \
53	file://CVE-2025-62229.patch \	53	file://CVE-2025-62229.patch \
		54	file://CVE-2025-62230-1.patch \
		55	file://CVE-2025-62230-2.patch \
54	"	56	"
55	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	57	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
56		58