Bug#1098906: marked as done (xorg-server: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 26 Feb 2025 09:39:08 +0000
with message-id <E1tnDsi-00CAyb-4I@fasolo.debian.org>
and subject line Bug#1098906: fixed in xorg-server 2:21.1.16-1
has caused the Debian Bug report #1098906,
regarding xorg-server: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1098906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098906
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: xorg-server: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Tue, 25 Feb 2025 21:41:00 +0100
• Message-id: <[🔎] 174051606027.836643.16300492774801378451.reportbug@eldamar.lan>

Source: xorg-server
Version: 2:21.1.15-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2:21.1.7-3
Control: fixed -1 2:21.1.7-3+deb12u9

Hi,

The following vulnerabilities were published for xorg-server.

CVE-2025-26594[0]:
| A use-after-free flaw was found in X.Org and Xwayland. The root
| cursor is referenced in the X server as a global variable. If a
| client frees the root cursor, the internal reference points to freed
| memory and causes a use-after-free.


CVE-2025-26595[1]:
| A buffer overflow flaw was found in X.Org and Xwayland. The code in
| XkbVModMaskText() allocates a fixed-sized buffer on the stack and
| copies the names of the virtual modifiers to that buffer. The code
| fails to check the bounds of the buffer and would copy the data
| regardless of the size.


CVE-2025-26596[2]:
| A heap overflow flaw was found in X.Org and Xwayland. The
| computation of the length in XkbSizeKeySyms() differs from what is
| written in XkbWriteKeySyms(), which may lead to a heap-based buffer
| overflow.


CVE-2025-26597[3]:
| A buffer overflow flaw was found in X.Org and Xwayland. If
| XkbChangeTypesOfKey() is called with a 0 group, it will resize the
| key symbols table to 0 but leave the key actions unchanged. If the
| same function is later called with a non-zero value of groups, this
| will cause a buffer overflow because the key actions are of the
| wrong size.


CVE-2025-26598[4]:
| An out-of-bounds write flaw was found in X.Org and Xwayland. The
| function GetBarrierDevice() searches for the pointer device based on
| its device ID and returns the matching value, or supposedly NULL, if
| no match was found. However, the code will return the last element
| of the list if no matching device ID is found, which can lead to
| out-of-bounds memory access.


CVE-2025-26599[5]:
| An access to an uninitialized pointer flaw was found in X.Org and
| Xwayland. The function compCheckRedirect() may fail if it cannot
| allocate the backing pixmap. In that case, compRedirectWindow() will
| return a BadAlloc error without validating the window tree marked
| just before, which leaves the validated data partly initialized and
| the use of an uninitialized pointer later.


CVE-2025-26600[6]:
| A use-after-free flaw was found in X.Org and Xwayland. When a device
| is removed while still frozen, the events queued for that device
| remain while the device is freed. Replaying the events will cause a
| use-after-free.


CVE-2025-26601[7]:
| A use-after-free flaw was found in X.Org and Xwayland. When changing
| an alarm, the values of the change mask are evaluated one after the
| other, changing the trigger values as requested, and eventually,
| SyncInitTrigger() is called. If one of the changes triggers an
| error, the function will return early, not adding the new sync
| object, possibly causing a use-after-free when the alarm eventually
| triggers.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26594
    https://www.cve.org/CVERecord?id=CVE-2025-26594
[1] https://security-tracker.debian.org/tracker/CVE-2025-26595
    https://www.cve.org/CVERecord?id=CVE-2025-26595
[2] https://security-tracker.debian.org/tracker/CVE-2025-26596
    https://www.cve.org/CVERecord?id=CVE-2025-26596
[3] https://security-tracker.debian.org/tracker/CVE-2025-26597
    https://www.cve.org/CVERecord?id=CVE-2025-26597
[4] https://security-tracker.debian.org/tracker/CVE-2025-26598
    https://www.cve.org/CVERecord?id=CVE-2025-26598
[5] https://security-tracker.debian.org/tracker/CVE-2025-26599
    https://www.cve.org/CVERecord?id=CVE-2025-26599
[6] https://security-tracker.debian.org/tracker/CVE-2025-26600
    https://www.cve.org/CVERecord?id=CVE-2025-26600
[7] https://security-tracker.debian.org/tracker/CVE-2025-26601
    https://www.cve.org/CVERecord?id=CVE-2025-26601
[8] https://lists.x.org/archives/xorg-announce/2025-February/003584.html

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 1098906-close@bugs.debian.org
• Subject: Bug#1098906: fixed in xorg-server 2:21.1.16-1
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Wed, 26 Feb 2025 09:39:08 +0000
• Message-id: <E1tnDsi-00CAyb-4I@fasolo.debian.org>
• Reply-to: Emilio Pozuelo Monfort <pochu@debian.org>

Source: xorg-server
Source-Version: 2:21.1.16-1
Done: Emilio Pozuelo Monfort <pochu@debian.org>

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098906@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 26 Feb 2025 10:22:45 +0100
Source: xorg-server
Architecture: source
Version: 2:21.1.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Closes: 1098906
Changes:
 xorg-server (2:21.1.16-1) unstable; urgency=medium
 .
   * New upstream release. Fixes:
     - CVE-2025-26594: use-after-free of the root cursor
     - CVE-2025-26595: buffer overflow in XkbVModMaskText
     - CVE-2025-26596: heap overflow in XkbWriteKeySyms
     - CVE-2025-26597: buffer overflow in XkbChangeTypesOfKey
     - CVE-2025-26598: out-of-bounds write in CreatePointerBarrierClient
     - CVE-2025-26599: use of uninitialized pointer in compRedirectWindow
     - CVE-2025-26600: use-after-free in PlayReleasedEvents
     - CVE-2025-26601: use-after-free in SyncInitTrigger
     (Closes: #1098906).
   * debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff,
     debian/patches/xfree86-fbdevhw-fix-pci-detection-on-recent-Linux.patch:
     - Dropped, included upstream.
Checksums-Sha1:
 a7c38e11e10c5113288bb67f27b317a3ad01755c 4041 xorg-server_21.1.16-1.dsc
 a12d7fb7ef065cc2e2877f7b8e7bf054b41c0c44 8954623 xorg-server_21.1.16.orig.tar.gz
 73a3ec36474b9f3094ba2877e7d279772d43f19f 178358 xorg-server_21.1.16-1.diff.gz
 526c755197dfee18d49fda212a055c9850a35328 9655 xorg-server_21.1.16-1_source.buildinfo
Checksums-Sha256:
 b821ee77fba22d7d68c556c5eab73817d3ff37c00f08cb746cf43980b4973909 4041 xorg-server_21.1.16-1.dsc
 59fa52b63f6f8747ee2c4716decb29ced249c4c574e2a18c96b7d3b1420f7fd9 8954623 xorg-server_21.1.16.orig.tar.gz
 b2a59bb0707e7687001fb1d44661934195297a00f8418e1fda60dc9d8989d66f 178358 xorg-server_21.1.16-1.diff.gz
 09fe9ebbba49cc0aeab585d5e6d6c936c1b955f01bb7315808a52c5b34870a61 9655 xorg-server_21.1.16-1_source.buildinfo
Files:
 8a34329d5d91a3f8936945d184bc3be4 4041 x11 optional xorg-server_21.1.16-1.dsc
 4c220da8d47467a2cb555c437466fd81 8954623 x11 optional xorg-server_21.1.16.orig.tar.gz
 30aecc7ea11cefc592c7d06722806dc6 178358 x11 optional xorg-server_21.1.16-1.diff.gz
 674204199fca3641ca09fa5661e1ed7b 9655 x11 optional xorg-server_21.1.16-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAme+3XIACgkQnUbEiOQ2
gwKlphAApD3UfANoP/4O6y7Gvjz4kKr+wVMfBwqhxhmRtZNVL4lsQjKuNkqGeGz/
NXqz4BiIy+ZsALpwjlmurO6lGLNHD7JlTdHfGIzh+BoXFRUtHWA0qEMS+KeYfJM2
/u8cOVhwIjSBYU/8c58tXznQcNSHWhGPvyT1UZy6bVyChMg/H/5iAaevDUgfZArJ
PCJ9FNQ8ql68LlvNC1hyXZQHOyNkmuyZWx1rBvVVxROL68gnF7iJMY/yM0vrvhkr
uWuPMUq6IR31QUxQ6/MMnAdyOoQmHXZDzcRp5vt9klIizIGCkKqYJZHtc5IvpG1K
1MtMzom0xGvQfJ8FWCX+6Uq6+UdcTTd+3aXqDa/8C+hP77CNFWcQhiJVtuJA56Br
YJMVM9rVMGX+Y26Zqhreu1Z+dJW+k+N1RqrAyP8pG4Lr1HTjl2uecDGy5oXwYWDl
h7tiIAbs3bPdobVEzVp1fcNnmJ9GJ0QUIJEq5hWCKM/L2zcKwZ6ozs0rvR7UB7OJ
3SwGCmNcZttJZRWSXY5+Sq+bbBMMbc2vvyZojUVA8fiY8a1SH8wRcmowUNJ6S298
a4T+3CKpHBUs3SHQtb6euffXqtwqdswwW6WqwrNqrs7c6aMLpCWOOof86bFV+9qI
fjLEUCuEEYlW0fy6aFAKCNqfcGsVhRyVPkjSZQUAY2D9GBjYY0A=
=yHtE
-----END PGP SIGNATURE-----

Attachment: pgpYjS7NAtLDw.pgp
Description: PGP signature

--- End Message ---