Bug#1061110: xorg-server: Regression from fixes for CVE-2024-21886
Source: xorg-server
Version: 2:21.1.11-1
Severity: important
Tags: upstream
X-Debbugs-Cc: carnil@debian.org, jcristau@debian.org, apo@debian.org, team@security.debian.org
While preparing the update for xorg-server for bookworm an autopkgtest
regression in uqm was seen. The same is shown with the 2:21.1.11-1
upload to unstable:
https://ci.debian.net/packages/u/uqm/testing/amd64/41866714/
Julien Cristau was able to reproduce the leak independently from uqm:
Xvfb :10 & sleep 2; DISPLAY=:10 xdpyinfo >/dev/null
resulting in
1 XSELINUXs still allocated at reset
SCREEN: 0 objects of 304 bytes = 0 total bytes 0 private allocs
DEVICE: 0 objects of 88 bytes = 0 total bytes 0 private allocs
CLIENT: 0 objects of 144 bytes = 0 total bytes 0 private allocs
WINDOW: 0 objects of 48 bytes = 0 total bytes 0 private allocs
PIXMAP: 0 objects of 16 bytes = 0 total bytes 0 private allocs
GC: 0 objects of 16 bytes = 0 total bytes 0 private allocs
CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
TOTAL: 1 objects, 8 bytes, 0 allocs
1 CURSORs still allocated at reset
CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
TOTAL: 1 objects, 8 bytes, 0 allocs
1 CURSOR_BITSs still allocated at reset
TOTAL: 0 objects, 0 bytes, 0 allocs
As per upstream commit bisection it seems that the first bad commit is
https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
which is related to the CVE-2024-21886 fix.
Regards,
Salvatore