Your message dated Wed, 26 Feb 2025 09:39:22 +0000
with message-id <E1tnDsw-00CB2T-4g@fasolo.debian.org>
and subject line Bug#1098907: fixed in xwayland 2:24.1.6-1
has caused the Debian Bug report #1098907,
regarding xwayland: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1098907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098907
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: xwayland: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 25 Feb 2025 21:55:19 +0100
- Message-id: <174051691911.838669.7425170566026838551.reportbug@eldamar.lan>
Source: xwayland
Version: 2:24.1.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for xwayland.

CVE-2025-26594[0]:
| A use-after-free flaw was found in X.Org and Xwayland. The root
| cursor is referenced in the X server as a global variable. If a
| client frees the root cursor, the internal reference points to freed
| memory and causes a use-after-free.

CVE-2025-26595[1]:
| A buffer overflow flaw was found in X.Org and Xwayland. The code in
| XkbVModMaskText() allocates a fixed-sized buffer on the stack and
| copies the names of the virtual modifiers to that buffer. The code
| fails to check the bounds of the buffer and would copy the data
| regardless of the size.

CVE-2025-26596[2]:
| A heap overflow flaw was found in X.Org and Xwayland. The
| computation of the length in XkbSizeKeySyms() differs from what is
| written in XkbWriteKeySyms(), which may lead to a heap-based buffer
| overflow.

CVE-2025-26597[3]:
| A buffer overflow flaw was found in X.Org and Xwayland. If
| XkbChangeTypesOfKey() is called with a 0 group, it will resize the
| key symbols table to 0 but leave the key actions unchanged. If the
| same function is later called with a non-zero value of groups, this
| will cause a buffer overflow because the key actions are of the
| wrong size.

CVE-2025-26598[4]:
| An out-of-bounds write flaw was found in X.Org and Xwayland. The
| function GetBarrierDevice() searches for the pointer device based on
| its device ID and returns the matching value, or supposedly NULL, if
| no match was found. However, the code will return the last element
| of the list if no matching device ID is found, which can lead to
| out-of-bounds memory access.

CVE-2025-26599[5]:
| An access to an uninitialized pointer flaw was found in X.Org and
| Xwayland. The function compCheckRedirect() may fail if it cannot
| allocate the backing pixmap. In that case, compRedirectWindow() will
| return a BadAlloc error without validating the window tree marked
| just before, which leaves the validated data partly initialized and
| the use of an uninitialized pointer later.

CVE-2025-26600[6]:
| A use-after-free flaw was found in X.Org and Xwayland. When a device
| is removed while still frozen, the events queued for that device
| remain while the device is freed. Replaying the events will cause a
| use-after-free.

CVE-2025-26601[7]:
| A use-after-free flaw was found in X.Org and Xwayland. When changing
| an alarm, the values of the change mask are evaluated one after the
| other, changing the trigger values as requested, and eventually,
| SyncInitTrigger() is called. If one of the changes triggers an
| error, the function will return early, not adding the new sync
| object, possibly causing a use-after-free when the alarm eventually
| triggers.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26594
    https://www.cve.org/CVERecord?id=CVE-2025-26594
[1] https://security-tracker.debian.org/tracker/CVE-2025-26595
    https://www.cve.org/CVERecord?id=CVE-2025-26595
[2] https://security-tracker.debian.org/tracker/CVE-2025-26596
    https://www.cve.org/CVERecord?id=CVE-2025-26596
[3] https://security-tracker.debian.org/tracker/CVE-2025-26597
    https://www.cve.org/CVERecord?id=CVE-2025-26597
[4] https://security-tracker.debian.org/tracker/CVE-2025-26598
    https://www.cve.org/CVERecord?id=CVE-2025-26598
[5] https://security-tracker.debian.org/tracker/CVE-2025-26599
    https://www.cve.org/CVERecord?id=CVE-2025-26599
[6] https://security-tracker.debian.org/tracker/CVE-2025-26600
    https://www.cve.org/CVERecord?id=CVE-2025-26600
[7] https://security-tracker.debian.org/tracker/CVE-2025-26601
    https://www.cve.org/CVERecord?id=CVE-2025-26601
[8] https://lists.x.org/archives/xorg-announce/2025-February/003584.html

Regards,
Salvatore
--- End Message ---
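The lookup flaw described for CVE-2025-26598 in the report above, as an added example that is not part of the original messages and is not X server code: a simplified C model of a search that hands back the last record when nothing matches, beside a version that returns NULL. The names barrier_device, lookup_flawed, lookup_checked and record_hit, and the sample table, are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a device record; not the X server's struct. */
struct barrier_device { int deviceid; int hits; };

/* Constructed sample table of three devices. */
static struct barrier_device sample_devices[] = { {2, 0}, {4, 0}, {7, 0} };
#define N_DEVICES (sizeof(sample_devices) / sizeof(sample_devices[0]))

/* Flawed pattern: the cursor is returned whether or not the loop matched,
 * so an unknown id yields the last record instead of NULL. */
static struct barrier_device *lookup_flawed(int deviceid)
{
    struct barrier_device *pd = NULL;
    for (size_t i = 0; i < N_DEVICES; i++) {
        pd = &sample_devices[i];
        if (pd->deviceid == deviceid)
            break;
    }
    return pd;
}

/* Corrected pattern: return on a match, fall through to an explicit NULL. */
static struct barrier_device *lookup_checked(int deviceid)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (sample_devices[i].deviceid == deviceid)
            return &sample_devices[i];
    return NULL;
}

/* Caller that relies on NULL meaning "no such device" before writing.
 * Returns the id of the record it modified, or -1 if it refused. */
static int record_hit(struct barrier_device *(*lookup)(int), int deviceid)
{
    struct barrier_device *pd = lookup(deviceid);
    if (pd == NULL)
        return -1;
    pd->hits++;
    return pd->deviceid;
}

int main(void)
{
    printf("checked, id 99: %d\n", record_hit(lookup_checked, 99));
    printf("flawed,  id 99: %d\n", record_hit(lookup_flawed, 99));
    return 0;
}
```

With the flawed lookup the caller's NULL check never fires, so a request naming a nonexistent device modifies an unrelated record.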
--- Begin Message ---
- To: 1098907-close@bugs.debian.org
- Subject: Bug#1098907: fixed in xwayland 2:24.1.6-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 26 Feb 2025 09:39:22 +0000
- Message-id: <E1tnDsw-00CB2T-4g@fasolo.debian.org>
- Reply-to: Emilio Pozuelo Monfort <pochu@debian.org>
Source: xwayland
Source-Version: 2:24.1.6-1
Done: Emilio Pozuelo Monfort <pochu@debian.org>

We believe that the bug you reported is fixed in the latest version of
xwayland, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1098907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated xwayland package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 26 Feb 2025 10:22:59 +0100
Source: xwayland
Architecture: source
Version: 2:24.1.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Closes: 1098907
Changes:
 xwayland (2:24.1.6-1) unstable; urgency=medium
 .
   * New upstream release. Fixes:
     - CVE-2025-26594: use-after-free of the root cursor
     - CVE-2025-26595: buffer overflow in XkbVModMaskText
     - CVE-2025-26596: heap overflow in XkbWriteKeySyms
     - CVE-2025-26597: buffer overflow in XkbChangeTypesOfKey
     - CVE-2025-26598: out-of-bounds write in CreatePointerBarrierClient
     - CVE-2025-26599: use of uninitialized pointer in compRedirectWindow
     - CVE-2025-26600: use-after-free in PlayReleasedEvents
     - CVE-2025-26601: use-after-free in SyncInitTrigger
     (Closes: #1098907).
--- End Message ---