diff mbox series

[meta-oe,scarthgap,RFC,13/14] tigervnc: patch CVE-2025-26600

Message ID 20260127130116.1902238-14-skandigraun@gmail.com
State New
Headers show
Series TigerVNC CVEs | expand

Commit Message

Gyorgy Sarvari Jan. 27, 2026, 1:01 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26600

Pick the patch that explicitly mentions this CVE ID in its commit message.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../tigervnc/files/CVE-2025-26600.patch       | 70 +++++++++++++++++++
 .../tigervnc/tigervnc_1.11.0.bb               |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch
new file mode 100644
index 0000000000..39b297c705
--- /dev/null
+++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch
@@ -0,0 +1,70 @@ 
+From 4776fc7f70250df69cd1000196d08ba2c5e57894 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH] dix: Dequeue pending events on frozen device on removal
+
+From: Olivier Fourdan <ofourdan@redhat.com>
+
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+
+As a result, replaying the events will cause a use after free.
+
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+
+CVE-2025-26600, ZDI-CAN-25871
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
+(cherry picked from commit 826cef825fe49a275deb28e85b8c714b697f5efa)
+
+CVE: CVE-2025-26600
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/826cef825fe49a275deb28e85b8c714b697f5efa]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 7776498f8..deac30908 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -949,6 +949,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+ 
+ }
+ 
++static void
++FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
++{
++    QdEventPtr qe, tmp;
++
++    if (!dev->deviceGrab.sync.frozen)
++        return;
++
++    /* Dequeue any frozen pending events */
++    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
++        if (qe->device == dev) {
++            xorg_list_del(&qe->next);
++            free(qe);
++        }
++    }
++}
++
+ /**
+  * Close down a device and free all resources.
+  * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1013,6 +1030,7 @@ CloseDevice(DeviceIntPtr dev)
+         free(dev->last.touches[j].valuators);
+     free(dev->last.touches);
+     dev->config_info = NULL;
++    FreePendingFrozenDeviceEvents(dev);
+     dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+     free(dev);
+ }
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
index 1a2b4df7af..f8f53c4c91 100644
--- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
+++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -33,6 +33,7 @@  SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht
            file://CVE-2025-26598.patch;patchdir=${XORG_S} \
            file://CVE-2025-26599-1.patch;patchdir=${XORG_S} \
            file://CVE-2025-26599-2.patch;patchdir=${XORG_S} \
+           file://CVE-2025-26600.patch;patchdir=${XORG_S} \
 "
 
 # Keep sync with xorg-server in oe-core