2 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
new file mode 100644
index 0000000000..210a76262a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
@@ -0,0 +1,120 @@
+From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH] Xi: Fix barrier device search
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+CVE-2025-26598, ZDI-CAN-25740
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a]
+CVE: CVE-2025-26598
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index 700b2b8c53..6761bcb49a 100644
+--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
+@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
+ 
+ static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
+ {
+-    struct PointerBarrierDevice *pbd = NULL;
+    struct PointerBarrierDevice *p, *pbd = NULL;
+ 
+-    xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+-        if (pbd->deviceid == deviceid)
+    xorg_list_for_each_entry(p, &c->per_device, entry) {
+        if (p->deviceid == deviceid) {
+            pbd = p;
+             break;
+        }
+     }
+ 
+-    BUG_WARN(!pbd);
+     return pbd;
+ }
+ 
+@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
+         double distance;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
+        if (!pbd)
+            continue;
+
+         if (pbd->seen)
+             continue;
+ 
+@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         nearest = &c->barrier;
+ 
+         pbd = GetBarrierDevice(c, master->id);
+        if (!pbd)
+            continue;
+
+         new_sequence = !pbd->hit;
+ 
+         pbd->seen = TRUE;
+@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         int flags = 0;
+ 
+         pbd = GetBarrierDevice(c, master->id);
+        if (!pbd)
+            continue;
+
+         pbd->seen = FALSE;
+         if (!pbd->hit)
+             continue;
+@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id)
+             continue;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
+        if (!pbd)
+            continue;
+
+         if (!pbd->hit)
+             continue;
+ 
+@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid)
+     barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+     pbd = GetBarrierDevice(barrier, *deviceid);
+    if (!pbd)
+        return;
+ 
+     if (pbd->hit) {
+         BarrierEvent ev = {
+@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+         barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+         pbd = GetBarrierDevice(barrier, dev->id);
+        if (!pbd) {
+            client->errorValue = dev->id;
+            return BadDevice;
+        }
+ 
+         if (pbd->barrier_event_id == event_id)
+             pbd->release_event_id = event_id;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 7f94c5e2e2..b46a02e5c3 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26595.patch \
           file://CVE-2025-26596.patch \
           file://CVE-2025-26597.patch \
+           file://CVE-2025-26598.patch \
 "
 SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch new file mode 100644 index 0000000000..210a76262a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch
@@ -0,0 +1,120 @@
		1	From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 16 Dec 2024 11:25:11 +0100
		4	Subject: [PATCH] Xi: Fix barrier device search
		5
		6	The function GetBarrierDevice() would search for the pointer device
		7	based on its device id and return the matching value, or supposedly NULL
		8	if no match was found.
		9
		10	Unfortunately, as written, it would return the last element of the list
		11	if no matching device id was found which can lead to out of bounds
		12	memory access.
		13
		14	Fix the search function to return NULL if not matching device is found,
		15	and adjust the callers to handle the case where the device cannot be
		16	found.
		17
		18	CVE-2025-26598, ZDI-CAN-25740
		19
		20	This vulnerability was discovered by:
		21	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		22
		23	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		24	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		26
		27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a]
		28	CVE: CVE-2025-26598
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	Xi/xibarriers.c \| 27 +++++++++++++++++++++++----
		32	1 file changed, 23 insertions(+), 4 deletions(-)
		33
		34	diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
		35	index 700b2b8c53..6761bcb49a 100644
		36	--- a/Xi/xibarriers.c
		37	+++ b/Xi/xibarriers.c
		38	@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
		39
		40	static struct PointerBarrierDevice GetBarrierDevice(struct PointerBarrierClient c, int deviceid)
		41	{
		42	- struct PointerBarrierDevice *pbd = NULL;
		43	+ struct PointerBarrierDevice p, pbd = NULL;
		44
		45	- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
		46	- if (pbd->deviceid == deviceid)
		47	+ xorg_list_for_each_entry(p, &c->per_device, entry) {
		48	+ if (p->deviceid == deviceid) {
		49	+ pbd = p;
		50	break;
		51	+ }
		52	}
		53
		54	- BUG_WARN(!pbd);
		55	return pbd;
		56	}
		57
		58	@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
		59	double distance;
		60
		61	pbd = GetBarrierDevice(c, dev->id);
		62	+ if (!pbd)
		63	+ continue;
		64	+
		65	if (pbd->seen)
		66	continue;
		67
		68	@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
		69	nearest = &c->barrier;
		70
		71	pbd = GetBarrierDevice(c, master->id);
		72	+ if (!pbd)
		73	+ continue;
		74	+
		75	new_sequence = !pbd->hit;
		76
		77	pbd->seen = TRUE;
		78	@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
		79	int flags = 0;
		80
		81	pbd = GetBarrierDevice(c, master->id);
		82	+ if (!pbd)
		83	+ continue;
		84	+
		85	pbd->seen = FALSE;
		86	if (!pbd->hit)
		87	continue;
		88	@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id)
		89	continue;
		90
		91	pbd = GetBarrierDevice(c, dev->id);
		92	+ if (!pbd)
		93	+ continue;
		94	+
		95	if (!pbd->hit)
		96	continue;
		97
		98	@@ -741,6 +754,8 @@ static void remove_master_func(void res, XID id, void devid)
		99	barrier = container_of(b, struct PointerBarrierClient, barrier);
		100
		101	pbd = GetBarrierDevice(barrier, *deviceid);
		102	+ if (!pbd)
		103	+ return;
		104
		105	if (pbd->hit) {
		106	BarrierEvent ev = {
		107	@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
		108	barrier = container_of(b, struct PointerBarrierClient, barrier);
		109
		110	pbd = GetBarrierDevice(barrier, dev->id);
		111	+ if (!pbd) {
		112	+ client->errorValue = dev->id;
		113	+ return BadDevice;
		114	+ }
		115
		116	if (pbd->barrier_event_id == event_id)
		117	pbd->release_event_id = event_id;
		118	--
		119	GitLab
		120


diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 7f94c5e2e2..b46a02e5c3 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
16	file://CVE-2025-26595.patch \	16	file://CVE-2025-26595.patch \
17	file://CVE-2025-26596.patch \	17	file://CVE-2025-26596.patch \
18	file://CVE-2025-26597.patch \	18	file://CVE-2025-26597.patch \
		19	file://CVE-2025-26598.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"	21	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
21		22