The poky repository master branch is no longer being updated.

You can either: a) switch to individual clones of bitbake, openembedded-core, meta-yocto and yocto-docs b) use the new bitbake-setup You can find information about either approach in our documentation: https://docs.yoctoproject.org/ Note that "poky" the distro setting is still available in meta-yocto as before and we continue to use and maintain that. Long live Poky! Some further information on the background of this change can be found in: https://lists.openembedded.org/g/openembedded-architecture/message/2179 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-11-07 13:31:53 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-11-07 13:31:53 +0000
commit: 8c22ff0d8b70d9b12f0487ef696a7e915b9e3173 (patch)
tree: efdc32587159d0050a69009bdf2330a531727d95 /meta/recipes-graphics/xwayland
parent: d412d2747595c1cc4a5e3ca975e3adc31b2f7891 (diff)
download: poky-8c22ff0d8b70d9b12f0487ef696a7e915b9e3173.tar.gz
5 files changed, 0 insertions, 354 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/0001-present-Fix-use-after-free-in-present_create_notifie.patch b/meta/recipes-graphics/xwayland/xwayland/0001-present-Fix-use-after-free-in-present_create_notifie.patch
deleted file mode 100644
index c2f6ad1e02..0000000000
--- a/meta/recipes-graphics/xwayland/xwayland/0001-present-Fix-use-after-free-in-present_create_notifie.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From a2d7bd5fefecfc4315247902b7f03e8bf9866908 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Wed, 2 Jul 2025 09:46:22 +0200
-Subject: [PATCH 1/4] present: Fix use-after-free in present_create_notifies()
-Using the Present extension, if an error occurs while processing and
-adding the notifications after presenting a pixmap, the function
-present_create_notifies() will clean up and remove the notifications
-it added.
-However, there are two different code paths that can lead to an error
-creating the notify, one being before the notify is being added to the
-list, and another one after the notify is added.
-When the error occurs before it's been added, it removes the elements up
-to the last added element, instead of the actual number of elements
-which were added.
-As a result, in case of error, as with an invalid window for example, it
-leaves a dangling pointer to the last element, leading to a use after
-free case later:
- |  Invalid write of size 8
- |     at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
- |     by 0x534A56: present_destroy_window (present_screen.c:107)
- |     by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
- |     by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
- |     by 0x51EAC4: damageDestroyWindow (damage.c:1592)
- |     by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
- |     by 0x4EAC55: FreeWindowResources (window.c:1023)
- |     by 0x4EAF59: DeleteWindow (window.c:1091)
- |     by 0x4DE59A: doFreeResource (resource.c:890)
- |     by 0x4DEFB2: FreeClientResources (resource.c:1156)
- |     by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
- |     by 0x5DCC78: ClientReady (connection.c:603)
- |   Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
- |     at 0x4841E43: free (vg_replace_malloc.c:989)
- |     by 0x5363DD: present_destroy_notifies (present_notify.c:111)
- |     by 0x53638D: present_create_notifies (present_notify.c:100)
- |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
- |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
- |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
- |     by 0x4A1E4E: Dispatch (dispatch.c:561)
- |     by 0x4B00F1: dix_main (main.c:284)
- |     by 0x42879D: main (stubmain.c:34)
- |   Block was alloc'd at
- |     at 0x48463F3: calloc (vg_replace_malloc.c:1675)
- |     by 0x5362A1: present_create_notifies (present_notify.c:81)
- |     by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
- |     by 0x536A7D: proc_present_pixmap (present_request.c:189)
- |     by 0x536FA9: proc_present_dispatch (present_request.c:337)
- |     by 0x4A1E4E: Dispatch (dispatch.c:561)
- |     by 0x4B00F1: dix_main (main.c:284)
- |     by 0x42879D: main (stubmain.c:34)
-To fix the issue, count and remove the actual number of notify elements
-added in case of error.
-CVE-2025-62229, ZDI-CAN-27238
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0)
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
-CVE: CVE-2025-62229
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
---
- present/present_notify.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/present/present_notify.c b/present/present_notify.c
-index 445954998..00b3b68bd 100644
--- a/present/present_notify.c
-+++ b/present/present_notify.c
-@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
-         if (status != Success)
-             goto bail;
- 
-        added = i;
-+        added++;
-     }
-     return Success;
- 
-- 
-2.43.0
diff --git a/meta/recipes-graphics/xwayland/xwayland/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch b/meta/recipes-graphics/xwayland/xwayland/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
deleted file mode 100644
index 61369d789c..0000000000
--- a/meta/recipes-graphics/xwayland/xwayland/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 539bca9e0d05ce995a936c4bdf90bc716510d2a7 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Wed, 10 Sep 2025 15:55:06 +0200
-Subject: [PATCH 2/4] xkb: Make the RT_XKBCLIENT resource private
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Currently, the resource in only available to the xkb.c source file.
-In preparation for the next commit, to be able to free the resources
-from XkbRemoveResourceClient(), make that variable private instead.
-This is related to:
-CVE-2025-62230, ZDI-CAN-27545
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
-(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
-CVE: CVE-2025-62230
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
---
- include/xkbsrv.h | 2 ++
- xkb/xkb.c        | 2 +-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-diff --git a/include/xkbsrv.h b/include/xkbsrv.h
-index bd747856b..d801cd4b8 100644
--- a/include/xkbsrv.h
-+++ b/include/xkbsrv.h
-@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include "inputstr.h"
- #include "events.h"
- 
-+extern RESTYPE RT_XKBCLIENT;
-+
- typedef struct _XkbInterest {
-     DeviceIntPtr dev;
-     ClientPtr client;
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index ac154e200..6c102af0a 100644
--- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -50,7 +50,7 @@ int XkbKeyboardErrorCode;
- CARD32 xkbDebugFlags = 0;
- static CARD32 xkbDebugCtrls = 0;
- 
-static RESTYPE RT_XKBCLIENT;
-+RESTYPE RT_XKBCLIENT = 0;
- 
- /***====================================================================***/
- 
-- 
-2.43.0
diff --git a/meta/recipes-graphics/xwayland/xwayland/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch b/meta/recipes-graphics/xwayland/xwayland/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
deleted file mode 100644
index 76e50cfad9..0000000000
--- a/meta/recipes-graphics/xwayland/xwayland/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From a7e9938b621e16677c6330306a45baba0495ea31 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Wed, 10 Sep 2025 15:58:57 +0200
-Subject: [PATCH 3/4] xkb: Free the XKB resource when freeing XkbInterest
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-XkbRemoveResourceClient() would free the XkbInterest data associated
-with the device, but not the resource associated with it.
-As a result, when the client terminates, the resource delete function
-gets called and accesses already freed memory:
- | Invalid read of size 8
- |   at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
- |   by 0x5B3391: XkbClientGone (xkb.c:7094)
- |   by 0x4DF138: doFreeResource (resource.c:890)
- |   by 0x4DFB50: FreeClientResources (resource.c:1156)
- |   by 0x4A9A59: CloseDownClient (dispatch.c:3550)
- |   by 0x5E0A53: ClientReady (connection.c:601)
- |   by 0x5E4FEF: ospoll_wait (ospoll.c:657)
- |   by 0x5DC834: WaitForSomething (WaitFor.c:206)
- |   by 0x4A1BA5: Dispatch (dispatch.c:491)
- |   by 0x4B0070: dix_main (main.c:277)
- |   by 0x4285E7: main (stubmain.c:34)
- | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
- |   at 0x4842E43: free (vg_replace_malloc.c:989)
- |   by 0x49C1A6: CloseDevice (devices.c:1067)
- |   by 0x49C522: CloseOneDevice (devices.c:1193)
- |   by 0x49C6E4: RemoveDevice (devices.c:1244)
- |   by 0x5873D4: remove_master (xichangehierarchy.c:348)
- |   by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
- |   by 0x579BF1: ProcIDispatch (extinit.c:390)
- |   by 0x4A1D85: Dispatch (dispatch.c:551)
- |   by 0x4B0070: dix_main (main.c:277)
- |   by 0x4285E7: main (stubmain.c:34)
- | Block was alloc'd at
- |   at 0x48473F3: calloc (vg_replace_malloc.c:1675)
- |   by 0x49A118: AddInputDevice (devices.c:262)
- |   by 0x4A0E58: AllocDevicePair (devices.c:2846)
- |   by 0x5866EE: add_master (xichangehierarchy.c:153)
- |   by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
- |   by 0x579BF1: ProcIDispatch (extinit.c:390)
- |   by 0x4A1D85: Dispatch (dispatch.c:551)
- |   by 0x4B0070: dix_main (main.c:277)
- |   by 0x4285E7: main (stubmain.c:34)
-To avoid that issue, make sure to free the resources when freeing the
-device XkbInterest data.
-CVE-2025-62230, ZDI-CAN-27545
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
-(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
-CVE: CVE-2025-62230
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
---
- xkb/xkbEvents.c | 2 ++
- 1 file changed, 2 insertions(+)
-diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
-index f8f65d4a7..7c669c93e 100644
--- a/xkb/xkbEvents.c
-+++ b/xkb/xkbEvents.c
-@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
-             autoCtrls = interest->autoCtrls;
-             autoValues = interest->autoCtrlValues;
-             client = interest->client;
-+            FreeResource(interest->resource, RT_XKBCLIENT);
-             free(interest);
-             found = TRUE;
-         }
-@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
-                 autoCtrls = victim->autoCtrls;
-                 autoValues = victim->autoCtrlValues;
-                 client = victim->client;
-+                FreeResource(victim->resource, RT_XKBCLIENT);
-                 free(victim);
-                 found = TRUE;
-             }
-- 
-2.43.0
diff --git a/meta/recipes-graphics/xwayland/xwayland/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch b/meta/recipes-graphics/xwayland/xwayland/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
deleted file mode 100644
index 27c8f6c809..0000000000
--- a/meta/recipes-graphics/xwayland/xwayland/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 70dfb0fb993655b0989d54e3bffc4e62c5629392 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Wed, 10 Sep 2025 16:30:29 +0200
-Subject: [PATCH 4/4] xkb: Prevent overflow in XkbSetCompatMap()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-The XkbCompatMap structure stores its "num_si" and "size_si" fields
-using an unsigned short.
-However, the function _XkbSetCompatMap() will store the sum of the
-input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
-"size_si" without first checking if the sum overflows the maximum
-unsigned short value, leading to a possible overflow.
-To avoid the issue, check whether the sum does not exceed the maximum
-unsigned short value, or return a "BadValue" error otherwise.
-CVE-2025-62231, ZDI-CAN-27560
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
-(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
-CVE: CVE-2025-62231
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
---
- xkb/xkb.c | 2 ++
- 1 file changed, 2 insertions(+)
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 6c102af0a..a77fe7ff0 100644
--- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -2990,6 +2990,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
-         XkbSymInterpretPtr sym;
-         unsigned int skipped = 0;
- 
-+        if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
-+            return BadValue;
-         if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
-             compat->num_si = compat->size_si = req->firstSI + req->nSI;
-             compat->sym_interpret = reallocarray(compat->sym_interpret,
-- 
-2.43.0
diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb
deleted file mode 100644
index af4bb73499..0000000000
--- a/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb
+++ /dev/null
@@ -1,55 +0,0 @@
-SUMMARY = "XWayland is an X Server that runs under Wayland."
-DESCRIPTION = "XWayland is an X Server running as a Wayland client, \
-and thus is capable of displaying native X11 client applications in a \
-Wayland compositor environment. The goal of XWayland is to facilitate \
-the transition from X Window System to Wayland environments, providing \
-a way to run unported applications in the meantime."
-HOMEPAGE = "https://fedoraproject.org/wiki/Changes/XwaylandStandalone"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880"
-SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
-           file://0001-present-Fix-use-after-free-in-present_create_notifie.patch \
-           file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \
-           file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \
-           file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \
-           "
-SRC_URI[sha256sum] = "c8908d57c8ed9ceb8293c16ba7ad5af522efaf1ba7e51f9e4cf3c0774d199907"
-UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
-inherit meson features_check pkgconfig
-REQUIRED_DISTRO_FEATURES = "x11 opengl"
-DEPENDS += "xorgproto xtrans pixman libxkbfile libxfont2 wayland wayland-native wayland-protocols libdrm libepoxy libxcvt libtirpc"
-OPENGL_PKGCONFIGS = "glx glamor dri3"
-PACKAGECONFIG ??= "${XORG_CRYPTO} ${XWAYLAND_EI} \
-                   ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', '${OPENGL_PKGCONFIGS}', '', d)} \
-"
-PACKAGECONFIG[dri3] = "-Ddri3=true,-Ddri3=false,libxshmfence"
-PACKAGECONFIG[libdecor] = "-Dlibdecor=true,-Dlibdecor=false,libdecor"
-PACKAGECONFIG[glx] = "-Dglx=true,-Dglx=false,virtual/libgl virtual/libx11"
-PACKAGECONFIG[glamor] = "-Dglamor=true,-Dglamor=false,libepoxy virtual/libgbm,libegl"
-PACKAGECONFIG[unwind] = "-Dlibunwind=true,-Dlibunwind=false,libunwind"
-PACKAGECONFIG[xinerama] = "-Dxinerama=true,-Dxinerama=false"
-# Xorg requires a SHA1 implementation, pick one
-XORG_CRYPTO ??= "openssl"
-PACKAGECONFIG[openssl] = "-Dsha1=libcrypto,,openssl"
-PACKAGECONFIG[nettle] = "-Dsha1=libnettle,,nettle"
-PACKAGECONFIG[gcrypt] = "-Dsha1=libgcrypt,,libgcrypt"
-XWAYLAND_EI ??= "xwayland_ei_false"
-PACKAGECONFIG[xwayland_ei_false] = "-Dxwayland_ei=false"
-PACKAGECONFIG[xwayland_ei_portal] = "-Dxwayland_ei=portal,,libei"
-PACKAGECONFIG[xwayland_ei_socket] = "-Dxwayland_ei=socket,,libei"
-do_install:append() {
-    # remove files not needed and clashing with xserver-xorg
-    rm -rf ${D}/${libdir}/xorg/
-}
-FILES:${PN} += "${libdir}/xorg/protocol.txt"
-RDEPENDS:${PN} += "xkbcomp ${@bb.utils.contains("DISTRO_FEATURES", "systemd", "", "x11-volatiles", d)}"
author	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-11-07 13:31:53 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-11-07 13:31:53 +0000
commit	8c22ff0d8b70d9b12f0487ef696a7e915b9e3173 (patch)
tree	efdc32587159d0050a69009bdf2330a531727d95 /meta/recipes-graphics/xwayland
parent	d412d2747595c1cc4a5e3ca975e3adc31b2f7891 (diff)
download	poky-8c22ff0d8b70d9b12f0487ef696a7e915b9e3173.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/0001-present-Fix-use-after-free-in-present_create_notifie.patch b/meta/recipes-graphics/xwayland/xwayland/0001-present-Fix-use-after-free-in-present_create_notifie.patch deleted file mode 100644 index c2f6ad1e02..0000000000 --- a/meta/recipes-graphics/xwayland/xwayland/0001-present-Fix-use-after-free-in-present_create_notifie.patch +++ /dev/null
@@ -1,91 +0,0 @@
1	From a2d7bd5fefecfc4315247902b7f03e8bf9866908 Mon Sep 17 00:00:00 2001
2	From: Olivier Fourdan <ofourdan@redhat.com>
3	Date: Wed, 2 Jul 2025 09:46:22 +0200
4	Subject: [PATCH 1/4] present: Fix use-after-free in present_create_notifies()
5
6	Using the Present extension, if an error occurs while processing and
7	adding the notifications after presenting a pixmap, the function
8	present_create_notifies() will clean up and remove the notifications
9	it added.
10
11	However, there are two different code paths that can lead to an error
12	creating the notify, one being before the notify is being added to the
13	list, and another one after the notify is added.
14
15	When the error occurs before it's been added, it removes the elements up
16	to the last added element, instead of the actual number of elements
17	which were added.
18
19	As a result, in case of error, as with an invalid window for example, it
20	leaves a dangling pointer to the last element, leading to a use after
21	free case later:
22
23	\| Invalid write of size 8
24	\| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
25	\| by 0x534A56: present_destroy_window (present_screen.c:107)
26	\| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
27	\| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
28	\| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
29	\| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
30	\| by 0x4EAC55: FreeWindowResources (window.c:1023)
31	\| by 0x4EAF59: DeleteWindow (window.c:1091)
32	\| by 0x4DE59A: doFreeResource (resource.c:890)
33	\| by 0x4DEFB2: FreeClientResources (resource.c:1156)
34	\| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
35	\| by 0x5DCC78: ClientReady (connection.c:603)
36	\| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
37	\| at 0x4841E43: free (vg_replace_malloc.c:989)
38	\| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
39	\| by 0x53638D: present_create_notifies (present_notify.c:100)
40	\| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
41	\| by 0x536A7D: proc_present_pixmap (present_request.c:189)
42	\| by 0x536FA9: proc_present_dispatch (present_request.c:337)
43	\| by 0x4A1E4E: Dispatch (dispatch.c:561)
44	\| by 0x4B00F1: dix_main (main.c:284)
45	\| by 0x42879D: main (stubmain.c:34)
46	\| Block was alloc'd at
47	\| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
48	\| by 0x5362A1: present_create_notifies (present_notify.c:81)
49	\| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
50	\| by 0x536A7D: proc_present_pixmap (present_request.c:189)
51	\| by 0x536FA9: proc_present_dispatch (present_request.c:337)
52	\| by 0x4A1E4E: Dispatch (dispatch.c:561)
53	\| by 0x4B00F1: dix_main (main.c:284)
54	\| by 0x42879D: main (stubmain.c:34)
55
56	To fix the issue, count and remove the actual number of notify elements
57	added in case of error.
58
59	CVE-2025-62229, ZDI-CAN-27238
60
61	This vulnerability was discovered by:
62	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
63
64	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
65	(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0)
66
67	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
68
69	CVE: CVE-2025-62229
70	Upstream-Status: Backport
71	Signed-off-by: Ross Burton <ross.burton@arm.com>
72	---
73	present/present_notify.c \| 2 +-
74	1 file changed, 1 insertion(+), 1 deletion(-)
75
76	diff --git a/present/present_notify.c b/present/present_notify.c
77	index 445954998..00b3b68bd 100644
78	--- a/present/present_notify.c
79	+++ b/present/present_notify.c
80	@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
81	if (status != Success)
82	goto bail;
83
84	- added = i;
85	+ added++;
86	}
87	return Success;
88
89	--
90	2.43.0
91


diff --git a/meta/recipes-graphics/xwayland/xwayland/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch b/meta/recipes-graphics/xwayland/xwayland/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch deleted file mode 100644 index 61369d789c..0000000000 --- a/meta/recipes-graphics/xwayland/xwayland/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch +++ /dev/null
@@ -1,63 +0,0 @@
1	From 539bca9e0d05ce995a936c4bdf90bc716510d2a7 Mon Sep 17 00:00:00 2001
2	From: Olivier Fourdan <ofourdan@redhat.com>
3	Date: Wed, 10 Sep 2025 15:55:06 +0200
4	Subject: [PATCH 2/4] xkb: Make the RT_XKBCLIENT resource private
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	Currently, the resource in only available to the xkb.c source file.
10
11	In preparation for the next commit, to be able to free the resources
12	from XkbRemoveResourceClient(), make that variable private instead.
13
14	This is related to:
15
16	CVE-2025-62230, ZDI-CAN-27545
17
18	This vulnerability was discovered by:
19	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
20
21	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
22	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
23	(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
24
25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
26
27	CVE: CVE-2025-62230
28	Upstream-Status: Backport
29	Signed-off-by: Ross Burton <ross.burton@arm.com>
30	---
31	include/xkbsrv.h \| 2 ++
32	xkb/xkb.c \| 2 +-
33	2 files changed, 3 insertions(+), 1 deletion(-)
34
35	diff --git a/include/xkbsrv.h b/include/xkbsrv.h
36	index bd747856b..d801cd4b8 100644
37	--- a/include/xkbsrv.h
38	+++ b/include/xkbsrv.h
39	@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
40	#include "inputstr.h"
41	#include "events.h"
42
43	+extern RESTYPE RT_XKBCLIENT;
44	+
45	typedef struct _XkbInterest {
46	DeviceIntPtr dev;
47	ClientPtr client;
48	diff --git a/xkb/xkb.c b/xkb/xkb.c
49	index ac154e200..6c102af0a 100644
50	--- a/xkb/xkb.c
51	+++ b/xkb/xkb.c
52	@@ -50,7 +50,7 @@ int XkbKeyboardErrorCode;
53	CARD32 xkbDebugFlags = 0;
54	static CARD32 xkbDebugCtrls = 0;
55
56	-static RESTYPE RT_XKBCLIENT;
57	+RESTYPE RT_XKBCLIENT = 0;
58
59	/*====================================================================*/
60
61	--
62	2.43.0
63


diff --git a/meta/recipes-graphics/xwayland/xwayland/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch b/meta/recipes-graphics/xwayland/xwayland/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch deleted file mode 100644 index 76e50cfad9..0000000000 --- a/meta/recipes-graphics/xwayland/xwayland/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch +++ /dev/null
@@ -1,92 +0,0 @@
1	From a7e9938b621e16677c6330306a45baba0495ea31 Mon Sep 17 00:00:00 2001
2	From: Olivier Fourdan <ofourdan@redhat.com>
3	Date: Wed, 10 Sep 2025 15:58:57 +0200
4	Subject: [PATCH 3/4] xkb: Free the XKB resource when freeing XkbInterest
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	XkbRemoveResourceClient() would free the XkbInterest data associated
10	with the device, but not the resource associated with it.
11
12	As a result, when the client terminates, the resource delete function
13	gets called and accesses already freed memory:
14
15	\| Invalid read of size 8
16	\| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
17	\| by 0x5B3391: XkbClientGone (xkb.c:7094)
18	\| by 0x4DF138: doFreeResource (resource.c:890)
19	\| by 0x4DFB50: FreeClientResources (resource.c:1156)
20	\| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
21	\| by 0x5E0A53: ClientReady (connection.c:601)
22	\| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
23	\| by 0x5DC834: WaitForSomething (WaitFor.c:206)
24	\| by 0x4A1BA5: Dispatch (dispatch.c:491)
25	\| by 0x4B0070: dix_main (main.c:277)
26	\| by 0x4285E7: main (stubmain.c:34)
27	\| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
28	\| at 0x4842E43: free (vg_replace_malloc.c:989)
29	\| by 0x49C1A6: CloseDevice (devices.c:1067)
30	\| by 0x49C522: CloseOneDevice (devices.c:1193)
31	\| by 0x49C6E4: RemoveDevice (devices.c:1244)
32	\| by 0x5873D4: remove_master (xichangehierarchy.c:348)
33	\| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
34	\| by 0x579BF1: ProcIDispatch (extinit.c:390)
35	\| by 0x4A1D85: Dispatch (dispatch.c:551)
36	\| by 0x4B0070: dix_main (main.c:277)
37	\| by 0x4285E7: main (stubmain.c:34)
38	\| Block was alloc'd at
39	\| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
40	\| by 0x49A118: AddInputDevice (devices.c:262)
41	\| by 0x4A0E58: AllocDevicePair (devices.c:2846)
42	\| by 0x5866EE: add_master (xichangehierarchy.c:153)
43	\| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
44	\| by 0x579BF1: ProcIDispatch (extinit.c:390)
45	\| by 0x4A1D85: Dispatch (dispatch.c:551)
46	\| by 0x4B0070: dix_main (main.c:277)
47	\| by 0x4285E7: main (stubmain.c:34)
48
49	To avoid that issue, make sure to free the resources when freeing the
50	device XkbInterest data.
51
52	CVE-2025-62230, ZDI-CAN-27545
53
54	This vulnerability was discovered by:
55	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
56
57	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
58	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
59	(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
60
61	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
62
63	CVE: CVE-2025-62230
64	Upstream-Status: Backport
65	Signed-off-by: Ross Burton <ross.burton@arm.com>
66	---
67	xkb/xkbEvents.c \| 2 ++
68	1 file changed, 2 insertions(+)
69
70	diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
71	index f8f65d4a7..7c669c93e 100644
72	--- a/xkb/xkbEvents.c
73	+++ b/xkb/xkbEvents.c
74	@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
75	autoCtrls = interest->autoCtrls;
76	autoValues = interest->autoCtrlValues;
77	client = interest->client;
78	+ FreeResource(interest->resource, RT_XKBCLIENT);
79	free(interest);
80	found = TRUE;
81	}
82	@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
83	autoCtrls = victim->autoCtrls;
84	autoValues = victim->autoCtrlValues;
85	client = victim->client;
86	+ FreeResource(victim->resource, RT_XKBCLIENT);
87	free(victim);
88	found = TRUE;
89	}
90	--
91	2.43.0
92


diff --git a/meta/recipes-graphics/xwayland/xwayland/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch b/meta/recipes-graphics/xwayland/xwayland/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch deleted file mode 100644 index 27c8f6c809..0000000000 --- a/meta/recipes-graphics/xwayland/xwayland/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch +++ /dev/null
@@ -1,53 +0,0 @@
1	From 70dfb0fb993655b0989d54e3bffc4e62c5629392 Mon Sep 17 00:00:00 2001
2	From: Olivier Fourdan <ofourdan@redhat.com>
3	Date: Wed, 10 Sep 2025 16:30:29 +0200
4	Subject: [PATCH 4/4] xkb: Prevent overflow in XkbSetCompatMap()
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	The XkbCompatMap structure stores its "num_si" and "size_si" fields
10	using an unsigned short.
11
12	However, the function _XkbSetCompatMap() will store the sum of the
13	input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
14	"size_si" without first checking if the sum overflows the maximum
15	unsigned short value, leading to a possible overflow.
16
17	To avoid the issue, check whether the sum does not exceed the maximum
18	unsigned short value, or return a "BadValue" error otherwise.
19
20	CVE-2025-62231, ZDI-CAN-27560
21
22	This vulnerability was discovered by:
23	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
24
25	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
26	Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
27	(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
28
29	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
30
31	CVE: CVE-2025-62231
32	Upstream-Status: Backport
33	Signed-off-by: Ross Burton <ross.burton@arm.com>
34	---
35	xkb/xkb.c \| 2 ++
36	1 file changed, 2 insertions(+)
37
38	diff --git a/xkb/xkb.c b/xkb/xkb.c
39	index 6c102af0a..a77fe7ff0 100644
40	--- a/xkb/xkb.c
41	+++ b/xkb/xkb.c
42	@@ -2990,6 +2990,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
43	XkbSymInterpretPtr sym;
44	unsigned int skipped = 0;
45
46	+ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
47	+ return BadValue;
48	if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
49	compat->num_si = compat->size_si = req->firstSI + req->nSI;
50	compat->sym_interpret = reallocarray(compat->sym_interpret,
51	--
52	2.43.0
53


diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb deleted file mode 100644 index af4bb73499..0000000000 --- a/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb +++ /dev/null
@@ -1,55 +0,0 @@
1	SUMMARY = "XWayland is an X Server that runs under Wayland."
2	DESCRIPTION = "XWayland is an X Server running as a Wayland client, \
3	and thus is capable of displaying native X11 client applications in a \
4	Wayland compositor environment. The goal of XWayland is to facilitate \
5	the transition from X Window System to Wayland environments, providing \
6	a way to run unported applications in the meantime."
7	HOMEPAGE = "https://fedoraproject.org/wiki/Changes/XwaylandStandalone"
8
9	LICENSE = "MIT"
10	LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880"
11
12	SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
13	file://0001-present-Fix-use-after-free-in-present_create_notifie.patch \
14	file://0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch \
15	file://0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch \
16	file://0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch \
17	"
18	SRC_URI[sha256sum] = "c8908d57c8ed9ceb8293c16ba7ad5af522efaf1ba7e51f9e4cf3c0774d199907"
19
20	UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
21
22	inherit meson features_check pkgconfig
23	REQUIRED_DISTRO_FEATURES = "x11 opengl"
24
25	DEPENDS += "xorgproto xtrans pixman libxkbfile libxfont2 wayland wayland-native wayland-protocols libdrm libepoxy libxcvt libtirpc"
26
27	OPENGL_PKGCONFIGS = "glx glamor dri3"
28	PACKAGECONFIG ??= "${XORG_CRYPTO} ${XWAYLAND_EI} \
29	${@bb.utils.contains('DISTRO_FEATURES', 'opengl', '${OPENGL_PKGCONFIGS}', '', d)} \
30	"
31	PACKAGECONFIG[dri3] = "-Ddri3=true,-Ddri3=false,libxshmfence"
32	PACKAGECONFIG[libdecor] = "-Dlibdecor=true,-Dlibdecor=false,libdecor"
33	PACKAGECONFIG[glx] = "-Dglx=true,-Dglx=false,virtual/libgl virtual/libx11"
34	PACKAGECONFIG[glamor] = "-Dglamor=true,-Dglamor=false,libepoxy virtual/libgbm,libegl"
35	PACKAGECONFIG[unwind] = "-Dlibunwind=true,-Dlibunwind=false,libunwind"
36	PACKAGECONFIG[xinerama] = "-Dxinerama=true,-Dxinerama=false"
37
38	# Xorg requires a SHA1 implementation, pick one
39	XORG_CRYPTO ??= "openssl"
40	PACKAGECONFIG[openssl] = "-Dsha1=libcrypto,,openssl"
41	PACKAGECONFIG[nettle] = "-Dsha1=libnettle,,nettle"
42	PACKAGECONFIG[gcrypt] = "-Dsha1=libgcrypt,,libgcrypt"
43	XWAYLAND_EI ??= "xwayland_ei_false"
44	PACKAGECONFIG[xwayland_ei_false] = "-Dxwayland_ei=false"
45	PACKAGECONFIG[xwayland_ei_portal] = "-Dxwayland_ei=portal,,libei"
46	PACKAGECONFIG[xwayland_ei_socket] = "-Dxwayland_ei=socket,,libei"
47
48	do_install:append() {
49	# remove files not needed and clashing with xserver-xorg
50	rm -rf ${D}/${libdir}/xorg/
51	}
52
53	FILES:${PN} += "${libdir}/xorg/protocol.txt"
54
55	RDEPENDS:${PN} += "xkbcomp ${@bb.utils.contains("DISTRO_FEATURES", "systemd", "", "x11-volatiles", d)}"