CVE-2025-49175: Out-of-bounds access in X Rendering extension
(Animated cursors)
CVE-2025-49176: Integer overflow in Big Requests Extension
CVE-2025-49177: Data leak in XFIXES Extension 6
(XFixesSetClientDisconnectMode)
CVE-2025-49178: Unprocessed client request via bytes to ignore
CVE-2025-49179: Integer overflow in X Record extension
CVE-2025-49180: Integer overflow in RandR extension
(RRChangeProviderProperty)
CVE-2025-26594: Use-after-free of the root cursor
CVE-2025-26595: Buffer overflow in XkbVModMaskText()
CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
CVE-2025-26600: Use-after-free in PlayReleasedEvents()
CVE-2025-26601: Use-after-free in SyncInitTrigger()
from config file" messages. These were printed after hotplug events which
could be frequent in some cases (I have machines where this happens every
10 seconds when the monitor is in a dpms power-saving mode resulting in a
full /var/log filesystem).
EDID vendor/product ID still logged, giving an indication that events are
happening, but reduced from ~3.5KB per event to <100 bytes.
based on a diff from / ok matthieu@
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
CVE-2024-9632
implementations:
1) CVE-2023-6816 can be triggered by passing an invalid array index to
DeviceFocusEvent or ProcXIQueryPointer.
2) CVE-2024-0229 can be triggered if a device has both a button and a
key class and zero buttons.
3) CVE-2024-21885 can be triggered if a device with a given ID was
removed and a new device with the same ID added both in the same
operation.
4) CVE-2024-21886 can be triggered by disabling a master device with
disabled slave devices.
5) CVE-2024-0409 can be triggered by enabling SELinux
xserver_object_manager and running a client.
6) CVE-2024-0408 can be triggered by enabling SELinux
xserver_object_manager and creating a GLX PBuffer.
image format. This is a format with num_planes == 2, so we have only 2
elements in offsets[] and pitches[].
Bug found by otto@ using his strict malloc checking.
our uint64_t is an unsinged long long, but CARD64 is defined as unsigned long
so the function pointer types in both glamor and xf86-video-amdgpu were
mismatched and clang-16 treats that as an error
ok matthieu@
This does *not* include the commit that reverts the new computation
of the screen resolution from dimensions returned by the screen since
many of you told they prefer the new behaviour from 21.1.1.
This is going to be discussed again before 7.1
