6 files changed, 506 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
new file mode 100644
index 0000000000..ee2aa01b0e
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
@@ -0,0 +1,103 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+CVE-2023-5380, ZDI-CAN-21608
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8a3b..e8af924c68 100644
+--- a/dix/enterleave.h
+++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index 93308f9b24..a9926eaeef 100644
+--- a/include/eventstr.h
+++ b/include/eventstr.h
+@@ -335,4 +335,7 @@ union _InternalEvent {
+     GestureEvent gesture_event;
+ };
+ 
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index a638f25d4a..8cf0035140 100644
+--- a/mi/mipointer.c
+++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
+        ) {
+            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+            /* Hack for CVE-2023-5380: if we're moving
+             * screens PointerWindows[] keeps referring to the
+             * old window. If that gets destroyed we have a UAF
+             * bug later. Only happens when jumping from a window
+             * to the root window on the other screen.
+             * Enter/Leave events are incorrect for that case but
+             * too niche to fix.
+             */
+            LeaveWindow(pDev);
+            if (master)
+                LeaveWindow(master);
+            UpdateSpriteForScreen(pDev, pScreen);
+    }
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
new file mode 100644
index 0000000000..03ee6978ca
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
@@ -0,0 +1,88 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+   int count = 1;
+   if (button && nbuttons > 32) count++;
+   if (key && nbuttons > 0) count++;
+   if (key && nkeys > 32) count++; // this is basically always true
+   // count is at 2 for our keys + zero button device
+   ev = alloc(count * sizeof(xEvent));
+   FixDeviceStateNotify(ev);
+   if (button)
+     FixDeviceStateNotify(ev++);
+   if (key)
+     FixDeviceStateNotify(ev++);   // santa drops into the wrong chimney here
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+CVE-2024-0229, ZDI-CAN-22678
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+     int evcount = 1;
+-    deviceStateNotify *ev, *sev;
+    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+    deviceStateNotify *ev;
+     deviceKeyStateNotify *kev;
+     deviceButtonStateNotify *bev;
+ 
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+         }
+     }
+ 
+-    sev = ev = xallocarray(evcount, sizeof(xEvent));
+    ev = sev;
+     FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+ 
+     if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+                           DeviceStateNotifyMask, NullGrab);
+-    free(sev);
+ }
+ 
+ void
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
new file mode 100644
index 0000000000..098b263332
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
@@ -0,0 +1,222 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH] dix: fix DeviceStateNotify event calculation
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire.  This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+CVE-2024-0229, ZDI-CAN-22678
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+ 1 file changed, 52 insertions(+), 69 deletions(-)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ 
+     ev->type = DeviceValuator;
+     ev->deviceid = dev->id;
+-    ev->num_valuators = nval < 3 ? nval : 3;
+    ev->num_valuators = nval < 6 ? nval : 6;
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+    case 6:
+        ev->valuator2 = v->axisVal[first + 5];
+    case 5:
+        ev->valuator2 = v->axisVal[first + 4];
+    case 4:
+        ev->valuator2 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+         ev->valuator0 = v->axisVal[first];
+         break;
+     }
+-    first += ev->num_valuators;
+ }
+ 
+ static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+         ev->num_buttons = b->numButtons;
+         memcpy((char *) ev->buttons, (char *) b->down, 4);
+     }
+-    else if (k) {
+    if (k) {
+         ev->classes_reported |= (1 << KeyClass);
+         ev->num_keys = k->xkbInfo->desc->max_key_code -
+             k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+     }
+ }
+ 
+-
+/**
+ * The device state notify event is split across multiple 32-byte events.
+ * The first one contains the first 32 button state bits, the first 32
+ * key state bits, and the first 3 valuator values.
+ *
+ * If a device has more than that, the server sends out:
+ * - one deviceButtonStateNotify for buttons 32 and above
+ * - one deviceKeyStateNotify for keys 32 and above
+ * - one deviceValuator event per 6 valuators above valuator 4
+ *
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
+ */
+ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+    /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
+     * and one deviceValuator for each 6 valuators */
+    deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+     int evcount = 1;
+-    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+-    deviceStateNotify *ev;
+-    deviceKeyStateNotify *kev;
+-    deviceButtonStateNotify *bev;
+    deviceStateNotify *ev = sev;
+ 
+     KeyClassPtr k;
+     ButtonClassPtr b;
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     if ((b = dev->button) != NULL) {
+         nbuttons = b->numButtons;
+-        if (nbuttons > 32)
+        if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+     }
+     if ((k = dev->key) != NULL) {
+         nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+-        if (nkeys > 32)
+        if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+-        if (nbuttons > 0) {
+-            evcount++;
+-        }
+     }
+     if ((v = dev->valuator) != NULL) {
+         nval = v->numAxes;
+-
+-        if (nval > 3)
+-            evcount++;
+-        if (nval > 6) {
+-            if (!(k && b))
+-                evcount++;
+-            if (nval > 9)
+-                evcount += ((nval - 7) / 3);
+-        }
+        /* first three are encoded in deviceStateNotify, then
+         * it's 6 per deviceValuator event */
+        evcount += ((nval - 3) + 6)/6;
+     }
+ 
+-    ev = sev;
+-    FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+-    if (b != NULL) {
+-        FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nbuttons > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            bev = (deviceButtonStateNotify *) ev++;
+-            bev->type = DeviceButtonStateNotify;
+-            bev->deviceid = dev->id;
+-            memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+-                   DOWN_LENGTH - 4);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
+    BUG_RETURN(evcount <= ARRAY_SIZE(sev));
+
+    FixDeviceStateNotify(dev, ev, k, b, v, first);
+
+    if (b != NULL && nbuttons > 32) {
+        deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
+        (ev - 1)->deviceid |= MORE_EVENTS;
+        bev->type = DeviceButtonStateNotify;
+        bev->deviceid = dev->id;
+        memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+               DOWN_LENGTH - 4);
+     }
+ 
+-    if (k != NULL) {
+-        FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nkeys > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            kev = (deviceKeyStateNotify *) ev++;
+-            kev->type = DeviceKeyStateNotify;
+-            kev->deviceid = dev->id;
+-            memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
+    if (k != NULL && nkeys > 32) {
+        deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
+        (ev - 1)->deviceid |= MORE_EVENTS;
+        kev->type = DeviceKeyStateNotify;
+        kev->deviceid = dev->id;
+        memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+     }
+ 
+    first = 3;
+    nval -= 3;
+     while (nval > 0) {
+-        FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
+        ev->deviceid |= MORE_EVENTS;
+        FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
+        first += 6;
+        nval -= 6;
+     }
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
new file mode 100644
index 0000000000..915da00c6f
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
@@ -0,0 +1,42 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+ buttons
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+CVE-2024-0229, ZDI-CAN-22678
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Xi/exevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
+++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+                 to->button = calloc(1, sizeof(ButtonClassRec));
+                 if (!to->button)
+                     FatalError("[Xi] no memory for class shift.\n");
+                to->button->numButtons = from->button->numButtons;
+             }
+             else
+                 classes->button = NULL;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
new file mode 100644
index 0000000000..35a853ad6f
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
@@ -0,0 +1,46 @@
+From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 14:10:11 +1000
+Subject: [PATCH] Xi: require a pointer and keyboard device for
+ XIAttachToMaster
+If we remove a master device and specify which other master devices
+attached slaves should be returned to, enforce that those two are
+indeeed a pointer and a keyboard.
+Otherwise we can try to attach the keyboards to pointers and vice versa,
+leading to possible crashes later.
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Xi/xichangehierarchy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 504defe566..d2d985848d 100644
+--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
+@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+         if (rc != Success)
+             goto unwind;
+ 
+-        if (!IsMaster(newptr)) {
+        if (!IsMaster(newptr) || !IsPointerDevice(newptr)) {
+             client->errorValue = r->return_pointer;
+             rc = BadDevice;
+             goto unwind;
+@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+         if (rc != Success)
+             goto unwind;
+ 
+-        if (!IsMaster(newkeybd)) {
+        if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) {
+             client->errorValue = r->return_keyboard;
+             rc = BadDevice;
+             goto unwind;
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 133c65fbc3..f639088b25 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -16,6 +16,11 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2023-6816.patch \
           file://CVE-2024-0408.patch \
           file://CVE-2024-0409.patch \
+           file://CVE-2023-5380.patch \
+           file://CVE-2024-0229-1.patch \
+           file://CVE-2024-0229-2.patch \
+           file://CVE-2024-0229-3.patch \
+           file://CVE-2024-0229-4.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch new file mode 100644 index 0000000000..ee2aa01b0e --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
@@ -0,0 +1,103 @@
		1	From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Thu, 5 Oct 2023 12:19:45 +1000
		4	Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
		5
		6	PointerWindows[] keeps a reference to the last window our sprite
		7	entered - changes are usually handled by CheckMotion().
		8
		9	If we switch between screens via XWarpPointer our
		10	dev->spriteInfo->sprite->win is set to the new screen's root window.
		11	If there's another window at the cursor location CheckMotion() will
		12	trigger the right enter/leave events later. If there is not, it skips
		13	that process and we never trigger LeaveWindow() - PointerWindows[] for
		14	the device still refers to the previous window.
		15
		16	If that window is destroyed we have a dangling reference that will
		17	eventually cause a use-after-free bug when checking the window hierarchy
		18	later.
		19
		20	To trigger this, we require:
		21	- two protocol screens
		22	- XWarpPointer to the other screen's root window
		23	- XDestroyWindow before entering any other window
		24
		25	This is a niche bug so we hack around it by making sure we reset the
		26	PointerWindows[] entry so we cannot have a dangling pointer. This
		27	doesn't handle Enter/Leave events correctly but the previous code didn't
		28	either.
		29
		30	CVE-2023-5380, ZDI-CAN-21608
		31
		32	This vulnerability was discovered by:
		33	Sri working with Trend Micro Zero Day Initiative
		34
		35	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
		36	Reviewed-by: Adam Jackson <ajax@redhat.com>
		37
		38	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
		39	CVE: CVE-2023-5380
		40	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		41	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		42	---
		43	dix/enterleave.h \| 2 --
		44	include/eventstr.h \| 3 +++
		45	mi/mipointer.c \| 17 +++++++++++++++--
		46	3 files changed, 18 insertions(+), 4 deletions(-)
		47
		48	diff --git a/dix/enterleave.h b/dix/enterleave.h
		49	index 4b833d8a3b..e8af924c68 100644
		50	--- a/dix/enterleave.h
		51	+++ b/dix/enterleave.h
		52	@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
		53
		54	extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
		55
		56	-extern void LeaveWindow(DeviceIntPtr dev);
		57	-
		58	extern void CoreFocusEvent(DeviceIntPtr kbd,
		59	int type, int mode, int detail, WindowPtr pWin);
		60
		61	diff --git a/include/eventstr.h b/include/eventstr.h
		62	index 93308f9b24..a9926eaeef 100644
		63	--- a/include/eventstr.h
		64	+++ b/include/eventstr.h
		65	@@ -335,4 +335,7 @@ union _InternalEvent {
		66	GestureEvent gesture_event;
		67	};
		68
		69	+extern void
		70	+LeaveWindow(DeviceIntPtr dev);
		71	+
		72	#endif
		73	diff --git a/mi/mipointer.c b/mi/mipointer.c
		74	index a638f25d4a..8cf0035140 100644
		75	--- a/mi/mipointer.c
		76	+++ b/mi/mipointer.c
		77	@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
		78	#ifdef PANORAMIX
		79	&& noPanoramiXExtension
		80	#endif
		81	- )
		82	- UpdateSpriteForScreen(pDev, pScreen);
		83	+ ) {
		84	+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
		85	+ /* Hack for CVE-2023-5380: if we're moving
		86	+ * screens PointerWindows[] keeps referring to the
		87	+ * old window. If that gets destroyed we have a UAF
		88	+ * bug later. Only happens when jumping from a window
		89	+ * to the root window on the other screen.
		90	+ * Enter/Leave events are incorrect for that case but
		91	+ * too niche to fix.
		92	+ */
		93	+ LeaveWindow(pDev);
		94	+ if (master)
		95	+ LeaveWindow(master);
		96	+ UpdateSpriteForScreen(pDev, pScreen);
		97	+ }
		98	}
		99
		100	/**
		101	--
		102	GitLab
		103


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch new file mode 100644 index 0000000000..03ee6978ca --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
@@ -0,0 +1,88 @@
		1	From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Mon, 18 Dec 2023 14:27:50 +1000
		4	Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
		5
		6	If a device has both a button class and a key class and numButtons is
		7	zero, we can get an OOB write due to event under-allocation.
		8
		9	This function seems to assume a device has either keys or buttons, not
		10	both. It has two virtually identical code paths, both of which assume
		11	they're applying to the first event in the sequence.
		12
		13	A device with both a key and button class triggered a logic bug - only
		14	one xEvent was allocated but the deviceStateNotify pointer was pushed on
		15	once per type. So effectively this logic code:
		16
		17	int count = 1;
		18	if (button && nbuttons > 32) count++;
		19	if (key && nbuttons > 0) count++;
		20	if (key && nkeys > 32) count++; // this is basically always true
		21	// count is at 2 for our keys + zero button device
		22
		23	ev = alloc(count * sizeof(xEvent));
		24	FixDeviceStateNotify(ev);
		25	if (button)
		26	FixDeviceStateNotify(ev++);
		27	if (key)
		28	FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
		29
		30	If the device has more than 3 valuators, the OOB is pushed back - we're
		31	off by one so it will happen when the last deviceValuator event is
		32	written instead.
		33
		34	Fix this by allocating the maximum number of events we may allocate.
		35	Note that the current behavior is not protocol-correct anyway, this
		36	patch fixes only the allocation issue.
		37
		38	Note that this issue does not trigger if the device has at least one
		39	button. While the server does not prevent a button class with zero
		40	buttons, it is very unlikely.
		41
		42	CVE-2024-0229, ZDI-CAN-22678
		43
		44	This vulnerability was discovered by:
		45	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		46
		47	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
		48	CVE: CVE-2024-0229
		49	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		50	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		51	---
		52	dix/enterleave.c \| 6 +++---
		53	1 file changed, 3 insertions(+), 3 deletions(-)
		54
		55	diff --git a/dix/enterleave.c b/dix/enterleave.c
		56	index ded8679d76..17964b00a4 100644
		57	--- a/dix/enterleave.c
		58	+++ b/dix/enterleave.c
		59	@@ -675,7 +675,8 @@ static void
		60	DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
		61	{
		62	int evcount = 1;
		63	- deviceStateNotify ev, sev;
		64	+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
		65	+ deviceStateNotify *ev;
		66	deviceKeyStateNotify *kev;
		67	deviceButtonStateNotify *bev;
		68
		69	@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
		70	}
		71	}
		72
		73	- sev = ev = xallocarray(evcount, sizeof(xEvent));
		74	+ ev = sev;
		75	FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
		76
		77	if (b != NULL) {
		78	@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
		79
		80	DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
		81	DeviceStateNotifyMask, NullGrab);
		82	- free(sev);
		83	}
		84
		85	void
		86	--
		87	GitLab
		88


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch new file mode 100644 index 0000000000..098b263332 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
@@ -0,0 +1,222 @@
		1	From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Mon, 18 Dec 2023 12:26:20 +1000
		4	Subject: [PATCH] dix: fix DeviceStateNotify event calculation
		5
		6	The previous code only made sense if one considers buttons and keys to
		7	be mutually exclusive on a device. That is not necessarily true, causing
		8	a number of issues.
		9
		10	This function allocates and fills in the number of xEvents we need to
		11	send the device state down the wire. This is split across multiple
		12	32-byte devices including one deviceStateNotify event and optional
		13	deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
		14	deviceValuator events.
		15
		16	The previous behavior would instead compose a sequence
		17	of [state, buttonstate, state, keystate, valuator...]. This is not
		18	protocol correct, and on top of that made the code extremely convoluted.
		19
		20	Fix this by streamlining: add both button and key into the deviceStateNotify
		21	and then append the key state and button state, followed by the
		22	valuators. Finally, the deviceValuator events contain up to 6 valuators
		23	per event but we only ever sent through 3 at a time. Let's double that
		24	troughput.
		25
		26	CVE-2024-0229, ZDI-CAN-22678
		27
		28	This vulnerability was discovered by:
		29	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		30
		31	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
		32	CVE: CVE-2024-0229
		33	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		34	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		35	---
		36	dix/enterleave.c \| 121 ++++++++++++++++++++---------------------------
		37	1 file changed, 52 insertions(+), 69 deletions(-)
		38
		39	diff --git a/dix/enterleave.c b/dix/enterleave.c
		40	index 17964b00a4..7b7ba1098b 100644
		41	--- a/dix/enterleave.c
		42	+++ b/dix/enterleave.c
		43	@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
		44
		45	ev->type = DeviceValuator;
		46	ev->deviceid = dev->id;
		47	- ev->num_valuators = nval < 3 ? nval : 3;
		48	+ ev->num_valuators = nval < 6 ? nval : 6;
		49	ev->first_valuator = first;
		50	switch (ev->num_valuators) {
		51	+ case 6:
		52	+ ev->valuator2 = v->axisVal[first + 5];
		53	+ case 5:
		54	+ ev->valuator2 = v->axisVal[first + 4];
		55	+ case 4:
		56	+ ev->valuator2 = v->axisVal[first + 3];
		57	case 3:
		58	ev->valuator2 = v->axisVal[first + 2];
		59	case 2:
		60	@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
		61	ev->valuator0 = v->axisVal[first];
		62	break;
		63	}
		64	- first += ev->num_valuators;
		65	}
		66
		67	static void
		68	@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
		69	ev->num_buttons = b->numButtons;
		70	memcpy((char ) ev->buttons, (char ) b->down, 4);
		71	}
		72	- else if (k) {
		73	+ if (k) {
		74	ev->classes_reported \|= (1 << KeyClass);
		75	ev->num_keys = k->xkbInfo->desc->max_key_code -
		76	k->xkbInfo->desc->min_key_code;
		77	@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
		78	}
		79	}
		80
		81	-
		82	+/**
		83	+ * The device state notify event is split across multiple 32-byte events.
		84	+ * The first one contains the first 32 button state bits, the first 32
		85	+ * key state bits, and the first 3 valuator values.
		86	+ *
		87	+ * If a device has more than that, the server sends out:
		88	+ * - one deviceButtonStateNotify for buttons 32 and above
		89	+ * - one deviceKeyStateNotify for keys 32 and above
		90	+ * - one deviceValuator event per 6 valuators above valuator 4
		91	+ *
		92	+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
		93	+ */
		94	static void
		95	DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
		96	{
		97	+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
		98	+ * and one deviceValuator for each 6 valuators */
		99	+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
		100	int evcount = 1;
		101	- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
		102	- deviceStateNotify *ev;
		103	- deviceKeyStateNotify *kev;
		104	- deviceButtonStateNotify *bev;
		105	+ deviceStateNotify *ev = sev;
		106
		107	KeyClassPtr k;
		108	ButtonClassPtr b;
		109	@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
		110
		111	if ((b = dev->button) != NULL) {
		112	nbuttons = b->numButtons;
		113	- if (nbuttons > 32)
		114	+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
		115	evcount++;
		116	}
		117	if ((k = dev->key) != NULL) {
		118	nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
		119	- if (nkeys > 32)
		120	+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
		121	evcount++;
		122	- if (nbuttons > 0) {
		123	- evcount++;
		124	- }
		125	}
		126	if ((v = dev->valuator) != NULL) {
		127	nval = v->numAxes;
		128	-
		129	- if (nval > 3)
		130	- evcount++;
		131	- if (nval > 6) {
		132	- if (!(k && b))
		133	- evcount++;
		134	- if (nval > 9)
		135	- evcount += ((nval - 7) / 3);
		136	- }
		137	+ /* first three are encoded in deviceStateNotify, then
		138	+ * it's 6 per deviceValuator event */
		139	+ evcount += ((nval - 3) + 6)/6;
		140	}
		141
		142	- ev = sev;
		143	- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
		144	-
		145	- if (b != NULL) {
		146	- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
		147	- first += 3;
		148	- nval -= 3;
		149	- if (nbuttons > 32) {
		150	- (ev - 1)->deviceid \|= MORE_EVENTS;
		151	- bev = (deviceButtonStateNotify *) ev++;
		152	- bev->type = DeviceButtonStateNotify;
		153	- bev->deviceid = dev->id;
		154	- memcpy((char ) &bev->buttons[4], (char ) &b->down[4],
		155	- DOWN_LENGTH - 4);
		156	- }
		157	- if (nval > 0) {
		158	- (ev - 1)->deviceid \|= MORE_EVENTS;
		159	- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
		160	- first += 3;
		161	- nval -= 3;
		162	- }
		163	+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
		164	+
		165	+ FixDeviceStateNotify(dev, ev, k, b, v, first);
		166	+
		167	+ if (b != NULL && nbuttons > 32) {
		168	+ deviceButtonStateNotify bev = (deviceButtonStateNotify ) ++ev;
		169	+ (ev - 1)->deviceid \|= MORE_EVENTS;
		170	+ bev->type = DeviceButtonStateNotify;
		171	+ bev->deviceid = dev->id;
		172	+ memcpy((char ) &bev->buttons[4], (char ) &b->down[4],
		173	+ DOWN_LENGTH - 4);
		174	}
		175
		176	- if (k != NULL) {
		177	- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
		178	- first += 3;
		179	- nval -= 3;
		180	- if (nkeys > 32) {
		181	- (ev - 1)->deviceid \|= MORE_EVENTS;
		182	- kev = (deviceKeyStateNotify *) ev++;
		183	- kev->type = DeviceKeyStateNotify;
		184	- kev->deviceid = dev->id;
		185	- memmove((char ) &kev->keys[0], (char ) &k->down[4], 28);
		186	- }
		187	- if (nval > 0) {
		188	- (ev - 1)->deviceid \|= MORE_EVENTS;
		189	- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
		190	- first += 3;
		191	- nval -= 3;
		192	- }
		193	+ if (k != NULL && nkeys > 32) {
		194	+ deviceKeyStateNotify kev = (deviceKeyStateNotify ) ++ev;
		195	+ (ev - 1)->deviceid \|= MORE_EVENTS;
		196	+ kev->type = DeviceKeyStateNotify;
		197	+ kev->deviceid = dev->id;
		198	+ memmove((char ) &kev->keys[0], (char ) &k->down[4], 28);
		199	}
		200
		201	+ first = 3;
		202	+ nval -= 3;
		203	while (nval > 0) {
		204	- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
		205	- first += 3;
		206	- nval -= 3;
		207	- if (nval > 0) {
		208	- (ev - 1)->deviceid \|= MORE_EVENTS;
		209	- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
		210	- first += 3;
		211	- nval -= 3;
		212	- }
		213	+ ev->deviceid \|= MORE_EVENTS;
		214	+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
		215	+ first += 6;
		216	+ nval -= 6;
		217	}
		218
		219	DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
		220	--
		221	GitLab
		222


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch new file mode 100644 index 0000000000..915da00c6f --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
@@ -0,0 +1,42 @@
		1	From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Thu, 21 Dec 2023 13:48:10 +1000
		4	Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
		5	buttons
		6
		7	There's a racy sequence where a master device may copy the button class
		8	from the slave, without ever initializing numButtons. This leads to a
		9	device with zero buttons but a button class which is invalid.
		10
		11	Let's copy the numButtons value from the source - by definition if we
		12	don't have a button class yet we do not have any other slave devices
		13	with more than this number of buttons anyway.
		14
		15	CVE-2024-0229, ZDI-CAN-22678
		16
		17	This vulnerability was discovered by:
		18	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		19
		20	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
		21	CVE: CVE-2024-0229
		22	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		24	---
		25	Xi/exevents.c \| 1 +
		26	1 file changed, 1 insertion(+)
		27
		28	diff --git a/Xi/exevents.c b/Xi/exevents.c
		29	index 54ea11a938..e161714682 100644
		30	--- a/Xi/exevents.c
		31	+++ b/Xi/exevents.c
		32	@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
		33	to->button = calloc(1, sizeof(ButtonClassRec));
		34	if (!to->button)
		35	FatalError("[Xi] no memory for class shift.\n");
		36	+ to->button->numButtons = from->button->numButtons;
		37	}
		38	else
		39	classes->button = NULL;
		40	--
		41	GitLab
		42


diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch new file mode 100644 index 0000000000..35a853ad6f --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
@@ -0,0 +1,46 @@
		1	From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
		2	From: Peter Hutterer <peter.hutterer@who-t.net>
		3	Date: Thu, 21 Dec 2023 14:10:11 +1000
		4	Subject: [PATCH] Xi: require a pointer and keyboard device for
		5	XIAttachToMaster
		6
		7	If we remove a master device and specify which other master devices
		8	attached slaves should be returned to, enforce that those two are
		9	indeeed a pointer and a keyboard.
		10
		11	Otherwise we can try to attach the keyboards to pointers and vice versa,
		12	leading to possible crashes later.
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
		15	CVE: CVE-2024-0229
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	Xi/xichangehierarchy.c \| 4 ++--
		20	1 file changed, 2 insertions(+), 2 deletions(-)
		21
		22	diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
		23	index 504defe566..d2d985848d 100644
		24	--- a/Xi/xichangehierarchy.c
		25	+++ b/Xi/xichangehierarchy.c
		26	@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
		27	if (rc != Success)
		28	goto unwind;
		29
		30	- if (!IsMaster(newptr)) {
		31	+ if (!IsMaster(newptr) \|\| !IsPointerDevice(newptr)) {
		32	client->errorValue = r->return_pointer;
		33	rc = BadDevice;
		34	goto unwind;
		35	@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
		36	if (rc != Success)
		37	goto unwind;
		38
		39	- if (!IsMaster(newkeybd)) {
		40	+ if (!IsMaster(newkeybd) \|\| !IsKeyboardDevice(newkeybd)) {
		41	client->errorValue = r->return_keyboard;
		42	rc = BadDevice;
		43	goto unwind;
		44	--
		45	GitLab
		46


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 133c65fbc3..f639088b25 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -16,6 +16,11 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
16	file://CVE-2023-6816.patch \	16	file://CVE-2023-6816.patch \
17	file://CVE-2024-0408.patch \	17	file://CVE-2024-0408.patch \
18	file://CVE-2024-0409.patch \	18	file://CVE-2024-0409.patch \
		19	file://CVE-2023-5380.patch \
		20	file://CVE-2024-0229-1.patch \
		21	file://CVE-2024-0229-2.patch \
		22	file://CVE-2024-0229-3.patch \
		23	file://CVE-2024-0229-4.patch \
19	"	24	"
20	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	25	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
21		26