
Bug#1061110: xorg-server: Regression from fixes for CVE-2024-21886



Hi,

On Thu, Jan 18, 2024 at 02:30:08PM +0100, Salvatore Bonaccorso wrote:
> Source: xorg-server
> Version: 2:21.1.11-1
> Severity: important
> Tags: upstream
> X-Debbugs-Cc: carnil@debian.org, jcristau@debian.org, apo@debian.org, team@security.debian.org
> 
> While preparing the update for xorg-server for bookworm an autopkgtest
> regression in uqm was seen. The same is shown with the 2:21.1.11-1
> upload to unstable:
> 
> https://ci.debian.net/packages/u/uqm/testing/amd64/41866714/
> 
> Julien Cristau was able to reproduce the leak independently from uqm:
> 
> Xvfb :10 & sleep 2; DISPLAY=:10 xdpyinfo >/dev/null
> 
> resulting in
> 
> 1 XSELINUXs still allocated at reset
> SCREEN: 0 objects of 304 bytes = 0 total bytes 0 private allocs
> DEVICE: 0 objects of 88 bytes = 0 total bytes 0 private allocs
> CLIENT: 0 objects of 144 bytes = 0 total bytes 0 private allocs
> WINDOW: 0 objects of 48 bytes = 0 total bytes 0 private allocs
> PIXMAP: 0 objects of 16 bytes = 0 total bytes 0 private allocs
> GC: 0 objects of 16 bytes = 0 total bytes 0 private allocs
> CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
> TOTAL: 1 objects, 8 bytes, 0 allocs
> 1 CURSORs still allocated at reset
> CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
> TOTAL: 1 objects, 8 bytes, 0 allocs
> 1 CURSOR_BITSs still allocated at reset
> TOTAL: 0 objects, 0 bytes, 0 allocs
> 
> As per upstream commit bisection it seems that the first bad commit is
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
> which is related to the CVE-2024-21886 fix.

There is a fix for that upstream (the issue did not affect the master
branch which contains the following commit, which is not in the
21.1.y):

https://gitlab.freedesktop.org/xorg/xserver/-/issues/1623#note_2248117
https://gitlab.freedesktop.org/xorg/xserver/-/commit/1801fe0ac3926882d47d7e1ad6c0518a2cdffd41

Proposed merge request for unstable:

https://salsa.debian.org/xorg-team/xserver/xorg-server/-/merge_requests/9

Regards,
Salvatore
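
An added example (not part of the original message or of xorg-server): a Python check that parses the reset-time leak report quoted above, so a CI job can fail when the server reports anything still allocated. The function names are hypothetical, and the sample is the quoted output, abridged.

```python
import re

# Constructed sample: the server output quoted in the report above, abridged.
SAMPLE = """\
1 XSELINUXs still allocated at reset
SCREEN: 0 objects of 304 bytes = 0 total bytes 0 private allocs
CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
TOTAL: 1 objects, 8 bytes, 0 allocs
1 CURSORs still allocated at reset
CURSOR: 1 objects of 8 bytes = 8 total bytes 0 private allocs
TOTAL: 1 objects, 8 bytes, 0 allocs
1 CURSOR_BITSs still allocated at reset
TOTAL: 0 objects, 0 bytes, 0 allocs
"""

# "<count> <TYPE>s still allocated at reset" opens one leak block.
LEAK_RE = re.compile(r"^(\d+) (\w+?)s still allocated at reset$")
# "<TYPE>: n objects of m bytes = t total bytes p private allocs" is a table row.
ROW_RE = re.compile(
    r"^(\w+): (\d+) objects of (\d+) bytes = (\d+) total bytes (\d+) private allocs$")

def parse_reset_leaks(text):
    """Return one dict per leak block: type, count, and the non-zero table rows."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LEAK_RE.match(line)
        if m:
            blocks.append({"type": m.group(2), "count": int(m.group(1)), "rows": {}})
            continue
        m = ROW_RE.match(line)
        # Keep only rows with live objects, attached to the block they follow.
        if m and blocks and int(m.group(2)) > 0:
            blocks[-1]["rows"][m.group(1)] = (int(m.group(2)), int(m.group(4)))
    return blocks

def leaked_types(text):
    """Type names, as printed by the server, that were still allocated at reset."""
    return [b["type"] for b in parse_reset_leaks(text) if b["count"] > 0]

if __name__ == "__main__":
    for block in parse_reset_leaks(SAMPLE):
        print(block["count"], block["type"], block["rows"])
```

Fed the captured output of the reproduction command from the report, a non-empty `leaked_types()` result marks the run as a regression.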

