From patchwork Tue Jan 27 13:01:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79845 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97EA2D2F01C for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10164.1769518881086798465 for ; Tue, 27 Jan 2026 05:01:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=BqIfIyAm; spf=pass (domain: gmail.com, ip: 209.85.221.54, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-430f2ee2f00so3338948f8f.3 for ; Tue, 27 Jan 2026 05:01:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518879; x=1770123679; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=fW0D/CYl2n2n2OSUFzf+4vxRHBbEONdmuWy6YfGnF2c=; b=BqIfIyAmmb7o4RsmNt7JnLVkh5lGLIk+OQZkdwf8VmXUWENSNetdST8GMZ/xDbq5SU v9/jh6UpNp7WZf3FNgcsGEu0cmuNA2Nm43Cu0MfaRP1Tp47LH5vfw1wjbS3NsB1TfEI+ eHiacsyzKKMQWLujE+/edWJZOmddJCB6KKWn11v7psmsIo+kLU/3Ks+KS19Es9S0dUXK t868U7J9rGme5bm0//kCND+PFxatM4xe1uGYpfV5cCEgHzS5EpFb+WNnc091WIzrki0i 9J6vojNYUBOhod3BPF/ZVDZwsqS+YEU/NdpTPYeSbVjE5PyjT6dcp87AxnkDCdQS6hc0 JHfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518879; x=1770123679; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=fW0D/CYl2n2n2OSUFzf+4vxRHBbEONdmuWy6YfGnF2c=; b=FQwzYEHpROjuiftuhUuPMUG93GThWow6SFGV6K/PeRst4HpfOfH64zDK9f+r72rIXJ RNUfruLaC2igroihSHSeEnPzfATtr5X7yo2woarqtNlN870Gg1E056Egn6gxpdmhMgst GvhDInz5N/bmPFfzFqtDDEMKg83zjFJNB0jecekixMw0o+K21S9VPG377xmYA2rxTxX1 50PP2qBQ+q8zs0K5/22jJFE+ILQ0lE/1jPKsK+ozzNE4nVt+Cbj2xYMK95RNxW6AD0Jv 06DjMBxzJqxmTsocCV0iBHS0JN/LO117kHfBw3QdO8c5itewHFOtYZuOreVmcRUNDK47 mz8w== X-Gm-Message-State: AOJu0YyuWkD9fTZw0I9bxPBmdtlaFy21HcG2VWN8rOVQeip+6qiSUkL8 fKI1/RXYTfMl6UQjRu05JIjoGIUyvJekpltE2a/y/UfBldN/rt1qhKpz3VycbQ== X-Gm-Gg: AZuq6aIzJZk2aoc/ChEMMVtcU4z7iRiCjQI3G+4cLbreSlfSb/ToPWkNACxzbx1mo3m kJlCgy/PRijqv+VQR5n7KlcIJjW+4h9gN16vqvDKgvCbgCPPIKXl1bbdy/DecXR1rdSy2DxYMbv 9IqP3FtZTQhgMccZg6BkEGIGh/QvjRcB0LAY2Tp4JVZ2SAB5QW5r7cjWLKK8Cx9RkkUTLeofGKf DXiYEocm51WawDnTEm9Nq4v7kn+d4Zj+oyOP1a5R6yq3RXxuVTfs7RpCe4lVVBg9MNuZ8P9J8E9 s7xx6h4Vs/W8sInL4cVho6KIi2Tnn6I4t5Qm2y+RXGoQfK6Z0k0yAGHugEwr+qbmoTUtuBFliKu AbpKJpszRUL0j9LLflgj6NyMvPhbjz14upZlrBoQU/xQ4dD64kPl8Ug8606JJbhkCXo3DanR4gG Y2qxEDiNDq X-Received: by 2002:a05:6000:288e:b0:432:5c34:fb22 with SMTP id ffacd0b85a97d-435dd05beb0mr2282343f8f.22.1769518879289; Tue, 27 Jan 2026 05:01:19 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:18 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 01/14] tigervnc: upgrade xorg-server component Date: Tue, 27 Jan 2026 14:01:01 +0100 Message-ID: <20260127130116.1902238-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123941 Update xserver to the latest dot version of the used series. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 5cde7c9fb4..e3e2b6ee16 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -25,11 +25,11 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht # Keep sync with xorg-server in oe-core XORG_PN ?= "xorg-server" -XORG_PV ?= "1.20.6" -SRC_URI += "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${XORG_PV}.tar.bz2;name=xorg" +XORG_PV ?= "1.20.14" +SRC_URI += "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${XORG_PV}.tar.xz;name=xorg" XORG_S = "${WORKDIR}/${XORG_PN}-${XORG_PV}" -SRC_URI[xorg.md5sum] = "a98170084f2c8fed480d2ff601f8a14b" -SRC_URI[xorg.sha256sum] = "6316146304e6e8a36d5904987ae2917b5d5b195dc9fc63d67f7aca137e5a51d1" +SRC_URI[xorg.md5sum] = "46f571adb51ebadb6981bc25d771f2b9" +SRC_URI[xorg.sha256sum] = "5cc5b70b9be89443e2594b93656c60bd5e82cd7f01deb4ce4faf81dcf546a16b" # It is the directory containing the Xorg source for the # machine on which you are building TigerVNC. From patchwork Tue Jan 27 13:01:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79848 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7F42D2F01F for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10166.1769518882151440015 for ; Tue, 27 Jan 2026 05:01:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ghOdqOEO; spf=pass (domain: gmail.com, ip: 209.85.221.53, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-4327555464cso3950189f8f.1 for ; Tue, 27 Jan 2026 05:01:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518880; x=1770123680; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZKNZaPHwrC8K8QLtmpfDGKWFrdvgIpyvtT5z3PyZA9k=; b=ghOdqOEO6SF0NZ/v5vwo8JycnHiqpmdcmlPNCYEO4j6dgR1cHXW+JgqyvMd8Gs5FjT 2JJaP9xfF+4/pdRL9liXrV0YuIkehztjAjWIckbFEIZMst5yZj5JBoRXBcgQuo6HvBNW 5F6/nMIm8tJqcXHgQViuIqcyYOGtWf4y0t+80DPpXXvaofD88ctzaKJOniqlxIte+10g +sGOr1DV1BLc+NaqPsN3W7YGzWdasa1TLBIhC6x9JsHocvNPxEixr2coCfDD9KbhNQRt E2t+WBRpn8k8zeXAEtseQyD5QH6Ov3zraaG9txBE38FRce2b21nPM9piS29JoBfbqQoz bg5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518880; x=1770123680; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ZKNZaPHwrC8K8QLtmpfDGKWFrdvgIpyvtT5z3PyZA9k=; b=BnKubYN/fQ/3Ofw5rc7hbV4P9m9e23ZhFtzcqS68vrs+ccZqVAXcTPgLXtikbdzwCP maza3OKa9MU3VeRZIdwz8o2Y1dRRUkarpEcMtFzAIW2yUsI7lh+g+PD9PFSTovK8mRHD vwq0bz7Oy7TsbKDo0NPykcRMDfTFolygtE35nwQ8ti7LI5DXN0BKOWu3/ZEznGl0P1Kc ZQbLwfshGAvrWB1cyRJpRqoyR7sE3X/MGm/bbhtJ5NmP0K/GzCl+KL18z2iv2AN46hZI pmEg1pAHsgAxHi1zzVqGt/AK0goF1XNlGRg9QMRLXPx0SyRN+utM6rGsCc5uQgENkB2Y u3xQ== X-Gm-Message-State: AOJu0YwLsAjkYB/RWLu+THhZvWedM1bvHPs2cH/y1gHo6pdFP7NjJUE/ B8nax24SjDBSY+SfXv40bBav2X3dJQbsXyf1bPSeGQByWScYS/hycvXyOk74Jg== X-Gm-Gg: AZuq6aJ+PEPUOn8qr4kbDmflyyXX+zoOa99efz/FmzStpnbYZf+CG8YYnBok+gwhN4K Z1nqZJpig0apXBDrJQUqhlcwnEaMiV9K1P+W3/9YxGFbbjwQA8PMzgIfqED6aM+DdUc89IOX1JB PklfaJ98wB1bX6Jy4+tzq3wLGHOZzPBo3t87sd8FaVfwOS28vIvZxqzOSLkEZJeqF4QkB1NgVMa zbPCkuvkTsrzFD1XtVxJ4GqTNoq9OVSeU8FJEHKRdcpDLB2zxoysLNdtL8c/++CZB5b7eK28lVH DnlmP/9YIyw74Uaf6V2qHWDga63K7u9VpIHdRyCSRqr9Wy1LkvsBTt8hQEmVEciXa6wFPlvPzkG ux/cpFWgTOZygykxMuDUfG7wFnfp9cvrIIHPN7o8xOKxzSvpYz9VXhVUSOEjPgYwZ5OY4Mjz3T2 TmxikDYmSx X-Received: by 2002:a05:6000:26cc:b0:430:fd84:3175 with SMTP id ffacd0b85a97d-435dd0bb419mr2670987f8f.38.1769518880177; Tue, 27 Jan 2026 05:01:20 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:19 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 02/14] tigervnc: ignore CVE-2014-8241 Date: Tue, 27 Jan 2026 14:01:02 +0100 Message-ID: <20260127130116.1902238-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123942 Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241 The vulnerability is about a potential null-pointer dereference, because of a malloc result is not verified[1]. The vulnerable code has been refactored since completely[2], and the code isn't present anymore in the codebase. [1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment [2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit ed8a1038d227ee521cf2349d9f7f8e37eec6a64a) Fixed typo in CVE ID. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index e3e2b6ee16..fa0661dffe 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -131,3 +131,5 @@ FILES:${PN} += " \ " FILES:${PN}-dbg += "${libdir}/xorg/modules/extensions/.debug" + +CVE_STATUS[CVE-2014-8241] = "fixed-version: The vulnerable code is not present in the used version (1.11.0)" From patchwork Tue Jan 27 13:01:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79842 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7BC1DD2F00B for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10167.1769518882791228738 for ; Tue, 27 Jan 2026 05:01:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=LRj8fjvC; spf=pass (domain: gmail.com, ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-432755545fcso4222776f8f.1 for ; Tue, 27 Jan 2026 05:01:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518881; x=1770123681; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=f/x0VxxHRrNZYjDI/hyMisGgYvG7tCXXV60jup7dyl0=; b=LRj8fjvCiT6ylXCsehBiVQVfL5kSkCm7ACkjYWEpzI3CK4JARG9ziEKbdjKK7YnCAc Iw/1040bExnZQK13qSya4JrTjRzSyzHQjyXXfA+j1NL7jpQw8kzLWThOcNFuxpBTmpBx 1VbVNKAwDvVm9AT/EwCBMVE/M5U9/l8M95cyWn0s3zxA/3/B6WU+C9VXGnqZWVcQeuo0 Ztk0OG4ibmdJThpvnY+iwFCc5qxj3T33YTDxUquo8BwIldXTkOzNvH/ZJFUBix4ZuMGY yYqiYVAELMv16dfyJyyO3tfZc2TimnKkx9iiyzvMoHc6pdZ+4ePq7Zs+GmBObPVWPKUJ jXYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518881; x=1770123681; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=f/x0VxxHRrNZYjDI/hyMisGgYvG7tCXXV60jup7dyl0=; b=IsamEqArgxuQFxU129y50qfcfVOosbupOAlwqicEtVli3p+Ma1MNRqPWovweg81BZI u8OhsSNKuGXISUl5H2kGtF852pjeczFIMQ0s7PFp2L7bWVEOlisFXkj0PZDOSIJu2q1Q lg9Nc4ahTwV7Q5wzD7TRiaRKZynW6zn+w5tggfRaB0KFI7naBB2b36PeuYEI3aGCB5QY NEb0AxjzrpG/9Z0naeSWXPsdnTvwDoOU6htKYVb6LJoxliq5tGZTZjq1nGIZW4FR9fAx X57AGJ/prEUVano8ew88DZ+mMto3PDS2RwBaqznZq+rQqEqOjreph6Zh4ypxQKGEbuIE jbyg== X-Gm-Message-State: AOJu0Yy6/ts4OHk5UotIm/M9ZtgXQO9Dy8PD4hlrse55pyXubFUZMEuq Xl17UA8OC8pC7Y0a8y02COSGb+IFFOexCOC6XmrWHz1mf9SvYBvv+2UIh3ne4g== X-Gm-Gg: AZuq6aIX5OVSIAI36Lnu4TLAzENFu1X+E4oK5hXI0F/BwP9b400aVvDZ6bPIazXyUq+ x1vWBeGIyw7cQDBX+vo9BWV504O1VhrpHz0JeL9xOtQ+yTDKA96zHwyOIQ7y89J8gVPLnoPpEGj mIe0Rf0t/OmbVPnTIyfv7whyy38njaw4Un3qC5+rIFcVxiGxwVgdRFzG1A+2v47S0CiVRByeYg6 tjYfvoVWLIMKh7C9WKToy3f8BR7s5lAi4gUucE9yITYYtV6qbvLYgjNoEpStOv5Go2nqixIvC9s q2+5GS0SDakMMvUiKexBuB0ua4K1L0u4BHX91TTrn6A7O/xwrtA6h2/4SbZ6ZruqI6rs/E0SB9v WqaQWOwptL73lcnSwBauIzy1nZG1zR6mUmhcfv2PEi6wTZBwpgTZtrmHkTzgMkN2Wjfd/4f0Thh firtGbIgrL X-Received: by 2002:a05:6000:4023:b0:435:b728:c979 with SMTP id ffacd0b85a97d-435dd02da5bmr2100935f8f.8.1769518880982; Tue, 27 Jan 2026 05:01:20 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:20 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 03/14] tigervnc: patch CVE-2023-6377 Date: Tue, 27 Jan 2026 14:01:03 +0100 Message-ID: <20260127130116.1902238-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123943 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377 Pick the backported version of the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2023-6377.patch | 80 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch new file mode 100644 index 0000000000..d6dde0a9d2 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch @@ -0,0 +1,80 @@ +From 7eb0da0f29e975f67a5bef4560759672b84c7d22 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 28 Nov 2023 15:19:04 +1000 +Subject: [PATCH] Xi: allocate enough XkbActions for our buttons + +From: Peter Hutterer + +button->xkb_acts is supposed to be an array sufficiently large for all +our buttons, not just a single XkbActions struct. Allocating +insufficient memory here means when we memcpy() later in +XkbSetDeviceInfo we write into memory that wasn't ours to begin with, +leading to the usual security ooopsiedaisies. + +CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd) + +CVE: CVE-2023-6377 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd] +Signed-off-by: Gyorgy Sarvari +--- + Xi/exevents.c | 12 ++++++------ + dix/devices.c | 10 ++++++++++ + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 659816a46..fb6db8561 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -567,13 +567,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + } + + if (from->button->xkb_acts) { +- if (!to->button->xkb_acts) { +- to->button->xkb_acts = calloc(1, sizeof(XkbAction)); +- if (!to->button->xkb_acts) +- FatalError("[Xi] not enough memory for xkb_acts.\n"); +- } ++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); ++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); + memcpy(to->button->xkb_acts, from->button->xkb_acts, +- sizeof(XkbAction)); ++ from->button->numButtons * sizeof(XkbAction)); + } + else + free(to->button->xkb_acts); +diff --git a/dix/devices.c b/dix/devices.c +index e7c74d7b7..7776498f8 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2502,6 +2502,8 @@ RecalculateMasterButtons(DeviceIntPtr slave) + + if (master->button && master->button->numButtons != maxbuttons) { + int i; ++ int last_num_buttons = master->button->numButtons; ++ + DeviceChangedEvent event = { + .header = ET_Internal, + .type = ET_DeviceChanged, +@@ -2512,6 +2514,14 @@ RecalculateMasterButtons(DeviceIntPtr slave) + }; + + master->button->numButtons = maxbuttons; ++ if (last_num_buttons < maxbuttons) { ++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, ++ maxbuttons, ++ sizeof(XkbAction)); ++ memset(&master->button->xkb_acts[last_num_buttons], ++ 0, ++ (maxbuttons - last_num_buttons) * sizeof(XkbAction)); ++ } + + memcpy(&event.buttons.names, master->button->labels, maxbuttons * + sizeof(Atom)); diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index fa0661dffe..7af347d858 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://0002-do-not-build-tests-sub-directory.patch \ file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \ file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \ + file://CVE-2023-6377.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79844 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 86B5ED2F018 for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10484.1769518883595613947 for ; Tue, 27 Jan 2026 05:01:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kUEHSc/k; spf=pass (domain: gmail.com, ip: 209.85.221.42, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f42.google.com with SMTP id ffacd0b85a97d-42fed090e5fso3448608f8f.1 for ; Tue, 27 Jan 2026 05:01:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518882; x=1770123682; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZlutXmArAiXLrl8PvE4S6IakkhDmugnQhl4ml8IaP98=; b=kUEHSc/kIqWAwzP41ApkuHxi+dPJFnwtzd9QkGnCZIxmOc2l4usqyefv6y2Ea31xd3 p66tSgW8l6GA8et37OTUlPSY5TImV9N3V4/so2D719wK/YivXGr4lCaAdwPkrkBEGz4t mKpjXbgtATjElr/eLlxYdpcmvZoA5uSXHT9gsxeg3FKwnvGiqAcucuEYVNTTwxHgI2mZ DPTAiQb2F2OHGP+6LTPh5k5AMPDvS8zIhEZxsTk5yKa3BC07+0SmwDKjyGAqsRTvewnM 8hoXZJg3liOJ9vzaPhkMuqb8uNrPj9Sky5t0J1V8XRjfiBvi0lxVnsGQ6bXhx5W2fh+I tg8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518882; x=1770123682; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ZlutXmArAiXLrl8PvE4S6IakkhDmugnQhl4ml8IaP98=; b=aiuW4g/uuIUAYe2jN7c0pPi2buekPrD3yd1rmTpGctoh6CDJHauS/R+/HyCdfCJue/ BWmFSBEZID2qXkvbMlVNXSgpWri+Rl6uLu7NPiVx17S5GvEtc2+mc3UgZlpclXWLIRK1 YMSv4VcOycRldoaYqBKvC5WYFjerUFgN6f04wO1jlecHQ1gt0oHKUPHcpYY26UNkuXPQ LZBwY+cKRST2+o+ilHTOJ9u18TWGB2dgBVPgpxI+0qoFvUJ1YanysJRI4zGRdtV8Mes7 QWKAxhWQEGmTCZUaP1BODKsyHJhZgB+cHttlHKGvklis+L302c0VPx2fRtRWbipzdZI4 vR3A== X-Gm-Message-State: AOJu0YxMfcfCWrd/mqcwU0pQZ1S0dkqBufzTN47YiYTDVjlYfLxW5fV0 KtXjgwhx5Z2PuuJhg4oSbz96+Ph+DeBnVRr+wDzyE+f1dSzSoWQB5SqJx1SSVg== X-Gm-Gg: AZuq6aL88tFupYCvJicoWgsokIXQxhc0bmUbRBk3VV0GONZoxRvyZuECI0BYcJndvSm 4sjW2xdbNYUrjqsH+j1hTEHXKOzaV0np3ADUFD4nySbKKoj1KUpRFIJk9FelZx5SZflOQonySgu 8RAEaBJBmjo1w3fnphbqyscqN0DhvqG8wNIP9SMZl4U6YpZxogLETpjYA6YXAh7e/XkVcsGTJS6 wZG2wdVFeJIsPP8poSFhrhuH1LByM1NS7qp4YLwUJZSv1ImpTVy+yGuRPjh9j+W42y69wdUPNyN EgUuvIjWIBHlO9AC1gMEpJj1a86myBRCXFq9cg4LTF/at50dUGNDssHQAHj3i0qHhEXY5dPsDs4 gVa1ZrpXqPTxW2UDDGzzwnrvranlUs2aRoML4ylW/NmsTr3nfL6fb+Q9XTE+NWbJpEfTP2Qbem/ PFrSEi7D8p X-Received: by 2002:a05:6000:230c:b0:435:9770:9eb6 with SMTP id ffacd0b85a97d-435dd1b9764mr2653330f8f.53.1769518881783; Tue, 27 Jan 2026 05:01:21 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:21 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 04/14] tigervnc: patch CVE-2023-6478 Date: Tue, 27 Jan 2026 14:01:04 +0100 Message-ID: <20260127130116.1902238-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123944 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478 Pick the backported version of the commit referenced by the NVD report. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2023-6478.patch | 65 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch new file mode 100644 index 0000000000..765e83e196 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch @@ -0,0 +1,65 @@ +From a0952cc293c0fbda15e7519b1af9c1c2d3d9475f Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 27 Nov 2023 16:27:49 +1000 +Subject: [PATCH] randr: avoid integer truncation in length check of + ProcRRChange*Property + +From: Peter Hutterer + +Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty. +See also xserver@8f454b79 where this same bug was fixed for the core +protocol and XI. + +This fixes an OOB read and the resulting information disclosure. + +Length calculation for the request was clipped to a 32-bit integer. With +the correct stuff->nUnits value the expected request size was +truncated, passing the REQUEST_FIXED_SIZE check. + +The server then proceeded with reading at least stuff->num_items bytes +(depending on stuff->format) from the request and stuffing whatever it +finds into the property. In the process it would also allocate at least +stuff->nUnits bytes, i.e. 4GB. + +CVE-2023-6478, ZDI-CAN-22561 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 14f480010a93ff962fef66a16412fafff81ad632) +(cherry picked from commit 58e83c683950ac9e253ab05dd7a13a8368b70a3c) + +CVE: CVE-2023-6478 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c] +Signed-off-by: Gyorgy Sarvari +--- + randr/rrproperty.c | 2 +- + randr/rrproviderproperty.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c..1fb89e67e 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index b79c17f9b..90c5a9a93 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client) + char format, mode; + unsigned long len; + int sizeInBytes; +- int totalSize; ++ uint64_t totalSize; + int err; + + REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 7af347d858..a8eb397ba8 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \ file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \ file://CVE-2023-6377.patch;patchdir=${XORG_S} \ + file://CVE-2023-6478.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79846 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 86B27D2F017 for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10168.1769518884498794642 for ; Tue, 27 Jan 2026 05:01:24 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=EsmFhCEv; spf=pass (domain: gmail.com, ip: 209.85.221.51, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-432d2c7a8b9so5474061f8f.2 for ; Tue, 27 Jan 2026 05:01:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518883; x=1770123683; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=afEPEazk4OPl7JOCVW4iMaOQxyZlABQ+qgN+RExz8dI=; b=EsmFhCEvTKwrXJF22GYf5KU+LRPxLm+yjaY38uhay4lwJSJ3DzwjMuTdQbgwMypOv/ 4d1GgB2asH0oLNmQIuQx4acDxjrsJbTSuAPVXIw0EW4cO1KUbw3hYw5y/8PLWy7f3amK 1s9VA0sqThGm7FTf2sJJ535r/seL89zUn8x9EjdIolob8FR1J2QB0EXHBCqO2I8Z7SbR TlWkMWvU/9P9q+cKvPbRrHH4mMNrl1mQISZDUveqcEx5CK9iY3GQRygYYWgQTGjsVLE4 BcOLwPnm8IDkmEiLSK+swMZGfG2HvdwYHa7/ugVF9u/nXp1fh8x8ZdR/N55cFdUCbXY3 qbig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518883; x=1770123683; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=afEPEazk4OPl7JOCVW4iMaOQxyZlABQ+qgN+RExz8dI=; b=iUyEuEitehiPcYtERrlLKjywDmTZDq9j9T5h0/tHmRiWS22EQ2uAG5vFL7VnNRbUn7 xyuD+loau6D6rowhhTNUwjkJ/G6oq5QQZsU3GnHLJZoPqRWNNZaUB/v5pPkGgxbFt1HR PVozo+5NsvldIwWRGIXkNTMOBA85Nx+QaGe6auh0sMG+UNA2dhPIdm7RejpcpZaQKPwq XsSH6uFPGKtZgjH1Hk0x4ZnankQ75v5T3HbezqZxHGjVfkVJFWOwc7mb4EZJk1mnKLp7 ukLCfopibJPcwUKse1YGDdE2EPaV66ruLq2emeK/zQx2NL8Pp9TXkTBHS3/LSTFOZIP3 Pv3A== X-Gm-Message-State: AOJu0Yza18jRXgSaohFb3FlOUSfnb8xK2kWt6PhHhomHoU+2TZQHUzyL yyf9JH2DoF5sxZdnyGasqIfDtnltHMeKW9K9egRvgn1XSs8prtdQrHSRYCpyPA== X-Gm-Gg: AZuq6aKQ5z59IolkthquY+W2pAvUSaqt20wp8ju6q/zFFdpl3U0b5Ylbl59rnavOuqY h0FFhbfZ0PWvSCjndP9TjhHFwEbY0sTD+FsO61YlT+8bl1DiqSxKSKthkg/Av7YDEksDsLHbnBu 8rpd9UYg5tYATkxjfC7FMe8qwhBHOIcXQ0XbWM37aMZwYO6g6iQllwnNwlVy3wvoF/JHB+F6HQq yxNP8+QfFp3xWe+bZWczd6mTcH0M304FWoGKBWbVU1h9NA1LC78m4TtKeMS3m7xDzQU/MB/S+rz IAmFm2qqUrRbdPhYdOCSwk8I3g+tHGPjnJJSF8fmn5XHwvrl/mO4xlapkwq9NlqppgY8uX75DMe Lenu+4TzYRyf57wQ7v1JyOqy3jcroFhqNfjQ8B2KmyjW2MLhw2dxO7nQHxT57UFzchScio7sA3A 9/ZCx95CQO X-Received: by 2002:a05:6000:2081:b0:435:953e:589c with SMTP id ffacd0b85a97d-435dd0b2a29mr2410034f8f.34.1769518882610; Tue, 27 Jan 2026 05:01:22 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:22 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 05/14] tigervnc: patch CVE-2024-0408 Date: Tue, 27 Jan 2026 14:01:05 +0100 Message-ID: <20260127130116.1902238-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123945 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-0408 Pick the patch that explicitly mentions this vulnerability ID in it's commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2024-0408.patch | 65 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0408.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0408.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0408.patch new file mode 100644 index 0000000000..ffbc7448c3 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0408.patch @@ -0,0 +1,65 @@ +From b4ef18cf118aa92266665009fa3edf9c03253d8a Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 6 Dec 2023 12:09:41 +0100 +Subject: [PATCH] glx: Call XACE hooks on the GLX buffer + +From: Olivier Fourdan + +The XSELINUX code will label resources at creation by checking the +access mode. When the access mode is DixCreateAccess, it will call the +function to label the new resource SELinuxLabelResource(). + +However, GLX buffers do not go through the XACE hooks when created, +hence leaving the resource actually unlabeled. + +When, later, the client tries to create another resource using that +drawable (like a GC for example), the XSELINUX code would try to use +the security ID of that object which has never been labeled, get a NULL +pointer and crash when checking whether the requested permissions are +granted for subject security ID. + +To avoid the issue, make sure to call the XACE hooks when creating the +GLX buffers. + +Credit goes to Donn Seeley for providing the patch. + +CVE-2024-0408 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3) +(cherry picked from commit 8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2) + +CVE: CVE-2024-0408 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8d825f72da71d6c38cbb02cf2ee2dd9e0e0f50f2] +Signed-off-by: Gyorgy Sarvari +--- + glx/glxcmds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index c82ce2c78..f493252cb 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -48,6 +48,7 @@ + #include "indirect_util.h" + #include "protocol-versions.h" + #include "glxvndabi.h" ++#include "xace.h" + + static char GLXServerVendorName[] = "SGI"; + +@@ -1379,6 +1380,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, + if (!pPixmap) + return BadAlloc; + ++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, ++ pPixmap, RT_NONE, NULL, DixCreateAccess); ++ if (err != Success) { ++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); ++ return err; ++ } ++ + /* Assign the pixmap the same id as the pbuffer and add it as a + * resource so it and the DRI2 drawable will be reclaimed when the + * pbuffer is destroyed. */ diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index a8eb397ba8..4613d34833 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \ file://CVE-2023-6377.patch;patchdir=${XORG_S} \ file://CVE-2023-6478.patch;patchdir=${XORG_S} \ + file://CVE-2024-0408.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79851 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACE55D2F017 for ; Tue, 27 Jan 2026 13:01:39 +0000 (UTC) Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10172.1769518889564106224 for ; Tue, 27 Jan 2026 05:01:29 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=l2+7jkdc; spf=pass (domain: gmail.com, ip: 209.85.221.53, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-4327555464cso3950319f8f.1 for ; Tue, 27 Jan 2026 05:01:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518888; x=1770123688; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GKz12MR3SSKomlk/ukjSs/08GhxKOjNpAf+TcPE6OrI=; b=l2+7jkdc0oEe+J4o92Rzly5Gnldk10Y2UCf9cvG0960j7b1nPg0sSOXkgrWT2C3nPA rdG5Te+hvzl54VlXH5eAMWVcfEBJ2skuk8bOLZilnTMyxD4HmQj85FqmesJYcqtRH7Xb cniPdaCRzQd+GSZK0CAT7PWGss63xfY+jJA5aMHdJrtW2tMrIJLtYuIS1DmpHixsxkdI GUbyd6TJQdI8KBA4CK6kGZf4OVxYgGprl0d+A0CrOxh5N8Tqth/RNybaJAVfmZFHKUgv zltcmN0sH5TsyQ1tLr7Un/1YuDNpQx+V13k94otteYPBGAGVfNiqvnf/ZceXT8OgNare BN1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518888; x=1770123688; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=GKz12MR3SSKomlk/ukjSs/08GhxKOjNpAf+TcPE6OrI=; b=uytg+NS7qfnnccSzwIdJPePXbGgfG9d0kcsKAc5+CG10hRoaftbIgRMScNjzNeHnbx tXXegsMtD2EO8ScoV1qv2gnrWttFVG8bTEfKIkXhwr5IzW/FURdlahIbBfh3YKPmMP41 eOoYTEdAaq9AP+9Jvs/yj3TJnsHrCcGn8SYQG+7MHinoXYOcOb4bYrFLnPPUSN5ItiC0 CQgl7O8HNdkULD2zS/qmI5SVOg3/BxY86AX11+mFtOgdICEtnJbG7mTjftL2hbT4aJA8 SPd1mHWQWAz0Wfqx+74OERnI18OEMh2gldS+PteQqJfDumzCy8VJeGn4099jhOFr/2Bm 4SFw== X-Gm-Message-State: AOJu0Yyk9itleD449edcAe0TIhskHadIYe+TSX9CdyESsvH+29xLqqk5 E2PvLk4hYk+6c2Dsr+dVwiaLLoh7DgA+/n04IBKvLQQ0k0YQFt7BP8wuyme78g== X-Gm-Gg: AZuq6aKwaKT6gr9SY6SeEToTF8DorKZotbgBpbnaxf2M4NY9ASfPZx4M0xA1OU9cs5e qPiYu07zfjNFhQ0k7W4nn+PFSI01xj9YyYQEWIkAeUGLnLhRmXBJNGOvTDFRl9v5msoZLMsfJnW FSiFzuDSChcxx7N/9On98ZyQWd4CiAFfp3MORY2xITAJvqHSbKvVFENAIm5V8aVonlXjGm9SxV6 UQPNs1bsPq17I2a829RvQNGZ4YnweKOzX8p7DXehV7S+ALfUHMctecT++CMzZuGDjXvmW6PVFMb Hp+mdKak0HiGvAUDc3K9K1//IvJl+gBE4XDfrlM4D4AAbg+W6avJ5uC//0d/AiAGBKGxK5OdLqe 27hz9sB5XF6EqFz6SoInLvHR5SetnObHrlTv6+AAm0LZ3qiHTWU1yiKn8IjdCqH6gHY0Ah244LW gIml6XBMfE X-Received: by 2002:a05:6000:220e:b0:435:a258:76e with SMTP id ffacd0b85a97d-435dd1cec1cmr2442235f8f.60.1769518883384; Tue, 27 Jan 2026 05:01:23 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:22 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 06/14] tigervnc: patch CVE-2024-0409 Date: Tue, 27 Jan 2026 14:01:06 +0100 Message-ID: <20260127130116.1902238-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123950 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-0409 Pick the patch that explicitly refers to this CVE ID in its commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2024-0409.patch | 47 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch new file mode 100644 index 0000000000..32aba8f80e --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch @@ -0,0 +1,47 @@ +From 7018d3738102529f23904d62d7187430d2d2a281 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 6 Dec 2023 11:51:56 +0100 +Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor + +From: Olivier Fourdan + +The cursor in DIX is actually split in two parts, the cursor itself and +the cursor bits, each with their own devPrivates. + +The cursor itself includes the cursor bits, meaning that the cursor bits +devPrivates in within structure of the cursor. + +Both Xephyr and Xwayland were using the private key for the cursor bits +to store the data for the cursor, and when using XSELINUX which comes +with its own special devPrivates, the data stored in that cursor bits' +devPrivates would interfere with the XSELINUX devPrivates data and the +SELINUX security ID would point to some other unrelated data, causing a +crash in the XSELINUX code when trying to (re)use the security ID. + +CVE-2024-0409 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7) +(cherry picked from commit a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e) + +CVE: CVE-2024-0409 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/a4f0e9466f3bc7073a8f0c28a581211c2d7adf0e] +Signed-off-by: Gyorgy Sarvari +--- + hw/kdrive/ephyr/ephyrcursor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c +index f991899c5..3f192d034 100644 +--- a/hw/kdrive/ephyr/ephyrcursor.c ++++ b/hw/kdrive/ephyr/ephyrcursor.c +@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = { + Bool + ephyrCursorInit(ScreenPtr screen) + { +- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS, ++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR, + sizeof(ephyrCursorRec))) + return FALSE; + diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 4613d34833..a007297012 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -24,6 +24,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2023-6377.patch;patchdir=${XORG_S} \ file://CVE-2023-6478.patch;patchdir=${XORG_S} \ file://CVE-2024-0408.patch;patchdir=${XORG_S} \ + file://CVE-2024-0409.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79843 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9412AD2F01B for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10487.1769518886160043981 for ; Tue, 27 Jan 2026 05:01:26 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=bdcH7pqv; spf=pass (domain: gmail.com, ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-4359019da8cso4754789f8f.1 for ; Tue, 27 Jan 2026 05:01:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518884; x=1770123684; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=JgXfILT9en1oA6jBpED9aNryalCKnlbX2HStLWag43I=; b=bdcH7pqvJ1L8D7Uc2VX3d8PwEe0aFfMPjcARTaMMhPPcxGsAydR46cph4fOJ/LMzIe ptis1D6sHtstZCBtPq3w8DfS6wXLBshdYeQY2/LNdun/JzkW/T0HxAI+7GHqKyMLj7Rq 9Ye3l0N8ah+HVj3RlXsFLtNkYsPRUySDvRo+Ie9D5f8dM7sBjeJTZtnB4IIIj3NJ1sSs H2OwlRQwp9SSXkTOh93BIpEUR89GhROgddVTpYXk6m5uL5oUbqPeAqMK2jpSsT6vUx08 6lo0hiEFDGJxl/vS1aoH6j+g29ULdsWV4EJSmEG3TXCUyQ1Rc+3GNQ1RzKZ99dUDq+w8 fVvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518884; x=1770123684; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=JgXfILT9en1oA6jBpED9aNryalCKnlbX2HStLWag43I=; b=qAa16VSHTfvaQnSrMFIj04zFTAt/+9wc+hK8tgoGV5W1oxfBUDX6DZ1EZY2oT3VVGc ymoOSAWpT8DzceA9uOUS+5wLfD3/p40E4Bv9Gr2VFPFadJiamgGvKjeA28dJgF9DkPaS uQgj+Fq0nRGJx1VBlrqJ6UGr0H41NTZI1cpjtjDP7tRyWxQZ3Uk5IwZ7MDZQJ5xLRj+0 0hJmQGhLyh8FOeBXBWH48KzLV/kH5DUzSH4l1RsqqQBqfAkI4FM3zf6pZKjLBPY6cwsJ XMd9HBUHxsoxXirnWxAfAZbRFEO56/PX6SW5YIXOKFce4TiB2f23Lr3mAo86insvvhT/ Qxdw== X-Gm-Message-State: AOJu0YzMwER2wPcvDufSWzepnXMSyratBmUIrWb1ZvTryGt2va/4qK6N l6hsawh3wPKuVkiBkuMVetU8B4fOCBmxgMd/Lvm1HZ8XfRh4jZfTuoJiXs4uRg== X-Gm-Gg: AZuq6aLprICDFx9hZvTHxfwrOP37dr8jcVyUEMyXX6f4gkiYvR3wrY4mcPeMu4WhB03 EIWIHOi8Zzr404JXDX6qzahbxLi0RRXjT9LxnViTqWjr4gYh6QFU7dzZbgl9HN4Z/m5BctAv+uP 3sjTp9CcWdCFSXfbDRohwSuevGmspvlCAzD/kjW3GiHKNxTOoPvAeDvfV45Q2ZjMJXQ+97n0K38 X/yy7vIBHRNftNMDwJYEYeVR0uQ3sZk3YY+wSM92EG3bQYKspRdCQUuF7Ny+vSu1WtZtDuikmi+ VHXC9FznYWrtTASGm+/XXsAfEkh0F+aYnG8x/ukPr0l8NkEJkIjI6n/5Z+7ztHED0tLlxBfWhu1 VTLtWXLuw9keuenip1Wp6td8U4Trip9W8W1JSGF6KU/vuTuLnYF3TMKq0Z8oUXQs+QC5hK1ncqK eB9sjrqlJZ X-Received: by 2002:a05:6000:268a:b0:435:add0:3d68 with SMTP id ffacd0b85a97d-435dd1cf0aamr2486379f8f.58.1769518884397; Tue, 27 Jan 2026 05:01:24 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:23 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 07/14] tigervnc: patch CVE-2025-26594 Date: Tue, 27 Jan 2026 14:01:07 +0100 Message-ID: <20260127130116.1902238-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123946 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26594 Pick the patch that explicitly references this vulnerability ID in it message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26594-1.patch | 60 +++++++++++++++++++ .../tigervnc/files/CVE-2025-26594-2.patch | 53 ++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 2 + 3 files changed, 115 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-1.patch create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-2.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-1.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-1.patch new file mode 100644 index 0000000000..e6786f4352 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-1.patch @@ -0,0 +1,60 @@ +From c5e22fddb236d0b5e452d9d535c51213d5231286 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH 1/2] Cursor: Refuse to free the root cursor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Olivier Fourdan + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Dänzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +(cherry picked from commit 01642f263f12becf803b19be4db95a4a83f94acc) + +Part-of: +(cherry picked from commit 9e5ac777d0dfa9d4d78dd68558869489117c3f2c) + +CVE: CVE-2025-26594 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e5ac777d0dfa9d4d78dd68558869489117c3f2c] + +Signed-off-by: Gyorgy Sarvari +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index a33bfaa9e..9654c207e 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-2.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..7710d8c286 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-2.patch @@ -0,0 +1,53 @@ +From d6e2579da9987095b3909d8b2b239e7802cf1c2a Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH 2/2] dix: keep a ref to the rootCursor + +From: Peter Hutterer + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan +(cherry picked from commit b0a09ba6020147961acc62d9c73d807b4cccd9f7) + +Part-of: +(cherry picked from commit 5f0c4e0bf254c8b4552da276d01b1b80881b4e26) + +CVE: CVE-2025-26594 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/5f0c4e0bf254c8b4552da276d01b1b80881b4e26] +Signed-off-by: Gyorgy Sarvari +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index b228d9c28..f2606d3d6 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[]) + defaultCursorFont); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index a007297012..3e657ea6a8 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -25,6 +25,8 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2023-6478.patch;patchdir=${XORG_S} \ file://CVE-2024-0408.patch;patchdir=${XORG_S} \ file://CVE-2024-0409.patch;patchdir=${XORG_S} \ + file://CVE-2025-26594-1.patch;patchdir=${XORG_S} \ + file://CVE-2025-26594-2.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79849 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B29F7D2F021 for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10170.1769518887016116780 for ; Tue, 27 Jan 2026 05:01:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=juc3owpy; spf=pass (domain: gmail.com, ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-42fb5810d39so3653302f8f.2 for ; Tue, 27 Jan 2026 05:01:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518885; x=1770123685; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MYsU2ihroZVRnzukuO5CmsLolbe0AKTcpgf90auFZx0=; b=juc3owpyVAdbJSdz6ithxxpXx/EzO8ZF4rO78U4QGy4TT1AUGHiWhfR4D6rCJO7fJt DQeZcRKqnC9q2QyIzRgaE3mLAOI9m7lvJ56QJUMcwZHnibbutaZl2/ztDUd+OieCxqwE Uxnn2HkQ3OgFj3/SayKyVz0NiLykymlyhZ4jTv0/0tmeByRcYn11E6R2a0mVDFAyTzF3 4xE4ZVeQd+hcIFw+5/Kp2pSOHvjkgJbgG1ANKrgfKpOR5ovx5NPmDeus7mv3g3IlLkyK nAgFirX1xqGtYNFGXXYmUXHoG00/8I5giWddNHv9pYfsrT726a9fx1TyZXY3H4+thkrz YSzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518885; x=1770123685; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=MYsU2ihroZVRnzukuO5CmsLolbe0AKTcpgf90auFZx0=; b=FiqRD7Y3r9zQozNHhtOv4P1sZr1d98DzXvNzlE+yuXwsrRGWQrl/HLBIMc1Fqu6pWn zoNSgAjRJNXa6SaWLri3kik7L+Yw+be3oNcFZOklnyHN5jv1X/X1AhbRNafxnxySaIM8 avZwP626Iin2iulcEKhf3hCxc2wNl/bVdrHrRZPzPfALiPjOu53WMw3wkyfbvQ2msx81 4bf1v3KPQdADGjJkBs8ADHsopaDfVFd7/Ya9rA/L9ufi+/JBIB0t+8i9/yTvm3SiiNdr AVx6lA7zOLTR99403cKhWIoLyq5I43un0H9/2h1XDAcCNRE6EBGkEveQTMzLGrNIUkc7 0Z4A== X-Gm-Message-State: AOJu0YyFqV1AxNqP+yWTgZa1AoABbqb/K0rH/C4WPYyJoyOxK1hnOJ5y qG5j7+vkHnCPp4lOV5dINe4xAcMtLFletKe/icDtoqKDlCqttDqnUPQBE1k6+A== X-Gm-Gg: AZuq6aJMi6nfyVuoZ/Z3SW24eqtLSJW9pRjY9zwQZcvOAd+x1xwAomLMxBnGTRI2q0C s97V7rUMYO8ui80UC9r2G3mG0hyMLNIT4qPAVXQ8jq76ROFITQQrNTnN5UELTbuDBeMZdO+LRwg d0Gy9IedFNQG4WS/nr63hV4qYMzn415Yo277VYSQXLSijAsXdzCWt/BfuR9TO/8O1PzPUito00V heL55X9z1fECJ5rmqsoFGiyJHO/TvJe9nRVRXO9jmYSYK8dMoTtntaLizEzXv6oFZYGpVd78J9+ +LDeAX/nt3VJfETjEvZ6DR1hu1jMlHpFC0PG6TmzNbFb7ZQcvOf6CwpYMYeGL9hTJes3Nt9/lyz Ns+gjhaRvt17ojB4oK4RDtWwYeGwrQjPho0lKQcM3KMRTv7Tt92Jp6tPgXdDNwD/ikUorpIuFcl 5R91mI+ONG X-Received: by 2002:a05:6000:26c6:b0:432:5bf9:cf15 with SMTP id ffacd0b85a97d-435dd051223mr2966691f8f.5.1769518885201; Tue, 27 Jan 2026 05:01:25 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:24 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 08/14] tigervnc: patch CVE-2025-26595 Date: Tue, 27 Jan 2026 14:01:08 +0100 Message-ID: <20260127130116.1902238-9-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123947 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26595 Pick the patch that explicitly references the CVE ID in its commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26595.patch | 67 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26595.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26595.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26595.patch new file mode 100644 index 0000000000..b21689ff3c --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26595.patch @@ -0,0 +1,67 @@ +From e50f21138e458bde06469502d196780eb07fc689 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 27 Nov 2024 14:41:45 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText() + +From: Olivier Fourdan + +The code in XkbVModMaskText() allocates a fixed sized buffer on the +stack and copies the virtual mod name. + +There's actually two issues in the code that can lead to a buffer +overflow. + +First, the bound check mixes pointers and integers using misplaced +parenthesis, defeating the bound check. + +But even though, if the check fails, the data is still copied, so the +stack overflow will occur regardless. + +Change the logic to skip the copy entirely if the bound check fails. + +CVE-2025-26595, ZDI-CAN-25545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 11fcda8753e994e15eb915d28cf487660ec8e722) + +Part-of: +(cherry picked from commit ea526ccb20d222196494b2adf9da52dab68a8997) + +CVE: CVE-2025-26595 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ea526ccb20d222196494b2adf9da52dab68a8997] +Signed-off-by: Gyorgy Sarvari +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index d2a2567fc..002626450 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 3e657ea6a8..1b6b965fc7 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -27,6 +27,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2024-0409.patch;patchdir=${XORG_S} \ file://CVE-2025-26594-1.patch;patchdir=${XORG_S} \ file://CVE-2025-26594-2.patch;patchdir=${XORG_S} \ + file://CVE-2025-26595.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79850 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7FF4D2F024 for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10488.1769518887919071499 for ; Tue, 27 Jan 2026 05:01:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FKhArpbE; spf=pass (domain: gmail.com, ip: 209.85.221.45, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-4359a302794so3530474f8f.1 for ; Tue, 27 Jan 2026 05:01:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518886; x=1770123686; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=y77fuELwynhYl1jUHnTdqJUwEpcpdB/u+hfmTdvigCk=; b=FKhArpbE5MubUnE+sz0bpOT1gwC3hLi8TCXR4VVetRAtaslUwV1EJ+CF+iczzMmoR7 sCHBMa4/PbZZFOioJyqWedn1JIytHHVYJpw7KLdDW/c+TdlY4V+WV0oV98oqv843uWgH xbtIrgRKNW3RMpzah30ndPku+meUhr1qBJUloRmN8Lp3Oioio4BVWjpZcPJ1Lw3n/+1F ALay9SXIBkcak1hDG6j6I9mQ3Au6izf7DLeHcWEnT8GeH8yXDoGRSbvTr1jRJg7ddvmx OyrvP0D4yUxM+XC1uaLWvvZ6bz7p9bO8zZtWjlR9+CAvazLBuLP/Jx4pr6cFbBDDI5BZ 42Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518886; x=1770123686; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=y77fuELwynhYl1jUHnTdqJUwEpcpdB/u+hfmTdvigCk=; b=DMbqg7JxvS3mVGENFWlXsB8c4CfTjqTgF+GIQT8gG4n0quyJhKldvQtyGK9L7lW4fj 4nbS70V0orTegtptnt6t192XWnczsumwjyVfMGWEawlRE9X6ROcdLyQhNYr3FpmUbqZY 9ylJtoWdYYXcqnW7QqnY6uq9hyd+8DAfpbbqxoYT4O22Ka6Bg8SUJdxe9puxM+e/LOQH tZX73Y9tH4tZnzY6jVfayLN88KfwyMWtfnorTKoauEiEwBxZlAD0mZSwdGPw3Ut2nb2j VEBO+zCh26RylzAd+BIer0ppDUlzNJ4+0sJLPbo8W1nOsuNnfbdoiuVcbBpiuHQmpALu Vllg== X-Gm-Message-State: AOJu0YzbVVKDsDM3p2yJmLWI92Lg+wK63GElyn88AdL8yVyRvQVT8Jjj YQZa4uU97MklujZlnxl77BCNw17P8C+lLzQdahbTQ1gHn3+d7Zo5tk51zPbc5Q== X-Gm-Gg: AZuq6aIVeQSsy+RLwTn+aO7hT0N7UsJ4gm1OwtErpMa+usNsd6ouT9grOrG2NfEyoPB fuzK3/au+d8MYtjS8sGefbeNRZt3ToueS4htFtatWWuTD5jk0h475Qt5CPW98GkIotx0HhhEjY3 0GHQr99X95N/1+rTvG2v1Ke3Cj23+YxORS8iXvfah6FzGYWlNTxhNzzrdCkkXfXQ9KAbVCdKTUZ ngtM1ctaADtFAnXZqLw+F2/mHczfH3iH1sb5puGefsQbmKw3l8iNw43isOUfJjJiJp5Qd2feSZp buolKpEUZfqra+Tm5pS/A42Y7pdIYtvA4GUWayW6znwEctGHhbd2MP2WpvhyUegEdY180Hums9q AbdYCDIM51qzZB+4osQd/UFv4E2KqW7A6EQyj+UsZBSJcbpGXFRSjFsMhhMEDv7S16ZphFtVhpf cqNSgnyKf1 X-Received: by 2002:a05:6000:22c9:b0:435:a9ad:d21a with SMTP id ffacd0b85a97d-435dd0b6a13mr2666726f8f.40.1769518886133; Tue, 27 Jan 2026 05:01:26 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:25 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 09/14] tigervnc: patch CVE-2025-26596 Date: Tue, 27 Jan 2026 14:01:09 +0100 Message-ID: <20260127130116.1902238-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123948 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26596 Pick the patch that mentions the CVE ID explicitly in its commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26596.patch | 51 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26596.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26596.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26596.patch new file mode 100644 index 0000000000..af7be3c664 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26596.patch @@ -0,0 +1,51 @@ +From 2bc545d09abfe1e91cc15990232649ab8ce5c8b3 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 28 Nov 2024 11:49:34 +0100 +Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms + +From: Olivier Fourdan + +The computation of the length in XkbSizeKeySyms() differs from what is +actually written in XkbWriteKeySyms(), leading to a heap overflow. + +Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() +does. + +CVE-2025-26596, ZDI-CAN-25543 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 80d69f01423fc065c950e1ff4e8ddf9f675df773) + +Part-of: +(cherry picked from commit b4293650b50efe7832cf9eac71217ad8d6341e02) + +CVE: CVE-2025-26596 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b4293650b50efe7832cf9eac71217ad8d6341e02] +Signed-off-by: Gyorgy Sarvari +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 68c59df02..175a81bf7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1093,10 +1093,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 1b6b965fc7..e97f82f6e7 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -28,6 +28,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26594-1.patch;patchdir=${XORG_S} \ file://CVE-2025-26594-2.patch;patchdir=${XORG_S} \ file://CVE-2025-26595.patch;patchdir=${XORG_S} \ + file://CVE-2025-26596.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79847 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8CF1D2F01E for ; Tue, 27 Jan 2026 13:01:29 +0000 (UTC) Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10171.1769518888791865434 for ; Tue, 27 Jan 2026 05:01:29 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=h6YWEJld; spf=pass (domain: gmail.com, ip: 209.85.221.44, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f44.google.com with SMTP id ffacd0b85a97d-43246af170aso3286744f8f.0 for ; Tue, 27 Jan 2026 05:01:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518887; x=1770123687; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RTvkZrOVKH5r5YnMKGZsXCRnC/MuHEEKAUTbV8Xxg4c=; b=h6YWEJldQU28nkq504IAtZbtxIJJ3T3Vn3j39+NqOsS/euxKSKjzZ5At0mcX7hlmd/ TkHTr+UxDmquRt+rbUgvd3NI/90m9oF6YRT8LKf0shrSnRiExcuMQGIn2qeychTbg7oU l7C4GHNz/jpfjG8EM293W6ZZcCeC6hTwpQHlPH8j5UnZZvmUeMKU3116tbXKswS1SLvV NflpyyKKwz01IhRZVIRE/BgHckTZlxvOZZ7L6cMwwR5I8mn6cnqISZjD1N75ODxycd4X DuxNHmqWusSR46rf7h0bZeQdGsCud6a+s23Jfy2QxAyfDnTHqODnLbHLp0Fu7N8ivHfF mchA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518887; x=1770123687; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=RTvkZrOVKH5r5YnMKGZsXCRnC/MuHEEKAUTbV8Xxg4c=; b=Cd1LAm6Ce00/4VoP9zvEhNMNCgi3woaw2aK6S2XtyM6yiPp/XCV6xHDKFjatqpVlcN 3XFlwzy4oG6bm3b4ZkcAXHXMOdHIwZNUptgLFfPdFj1yOAkxvgkos0JEwngfZX1aY1MB C6kR9JX/jM8YiUgEtB1AdzxN/5CPu/4qpiKcusjFNvvUDs2cEflI7OU6tSTrqqIb9jXf 3AHI4xLUwL2xDSnHhVpiB4kiil5LXBqPQHq52EztjvBNk6x1e6hLBwOuEmPDjvP21GQ3 usioxenbcY9TJ31+uJNH4gedgp02PEOZOvPsHy5mgLSdMLJ1WEkkXrDtdSL7eUGXW8e9 BupA== X-Gm-Message-State: AOJu0YwQxPF4Q6Y8pcAOWrPzp2IafX6Ylhaw4M0oa3ezbTCXbGES143o jXCMzcE1fPiA4BXdtg87VAPwGP5/bazCKBtPLCQFj4tcEOr2bEyXfXEyYpGJwg== X-Gm-Gg: AZuq6aIW5DYFeFWoDv+t9AJx70osJE1MYWZOaNJTHGaQ6WYAdNo+MNt7CojRTUvFogE +dXTCP7eVME1iKF/ExfluoGMfLlGiBnZykf1iK9cdFEVhcGAGcceVdzc1TnLKw63myf+pEDcBUJ cME8YVMmcLjLc7It6x1dJt4RaLZOrUFqsvSOxoyAAZmDNnLZQogmXrUqH74Xpf5fpJxyfRNrxtl nko9NcPuVS8aK8Rh9Lr2UcOhqugta9YyIRRtIXtkWDRz3YOz4biwH5dtmnOf1vbgpd9A0EaKkYG 8ctn0gHesExEJsj4lrRHCk+is9Sh+u1xe7F/oN4TSRTI9zAFBZY9dY81+cZBS7bs/E+74Gc1Kyh DzQZosdaX/ObXmg3VaEkz4e+qs6C+XjehkhltbLb6Cm2VUTwA2yo4ZbirGqXNwWrm7h3iyHBByu aSpZAgn7z++jtXc0aFRrI= X-Received: by 2002:a05:6000:2081:b0:431:771:a50c with SMTP id ffacd0b85a97d-435dd0a7a80mr2396654f8f.1.1769518887030; Tue, 27 Jan 2026 05:01:27 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:26 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 10/14] tigervnc: patch CVE-2025-26597 Date: Tue, 27 Jan 2026 14:01:10 +0100 Message-ID: <20260127130116.1902238-11-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123949 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26597 Pick the patch that explicitly mentions this CVE ID in its commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26597.patch | 48 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26597.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26597.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26597.patch new file mode 100644 index 0000000000..814d58adda --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26597.patch @@ -0,0 +1,48 @@ +From ba8a4f0af806a1d078037f23c051253e9e2d7efb Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 28 Nov 2024 14:09:04 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey() + +From: Olivier Fourdan + +If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the +key syms to 0 but leave the key actions unchanged. + +If later, the same function is called with a non-zero value for nGroups, +this will cause a buffer overflow because the key actions are of the wrong +size. + +To avoid the issue, make sure to resize both the key syms and key actions +when nGroups is 0. + +CVE-2025-26597, ZDI-CAN-25683 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 0e4ed94952b255c04fe910f6a1d9c852878dcd64) + +Part-of: +(cherry picked from commit 8cb23fac62e05d7340e320b2db0dd3e8538d1fba) + +CVE: CVE-2025-26597 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cb23fac62e05d7340e320b2db0dd3e8538d1fba] +Signed-off-by: Gyorgy Sarvari +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index f17194528..c45471686 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index e97f82f6e7..caa44ea0d6 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -29,6 +29,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26594-2.patch;patchdir=${XORG_S} \ file://CVE-2025-26595.patch;patchdir=${XORG_S} \ file://CVE-2025-26596.patch;patchdir=${XORG_S} \ + file://CVE-2025-26597.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79853 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF5B6D2F01C for ; Tue, 27 Jan 2026 13:01:39 +0000 (UTC) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10173.1769518889716824159 for ; Tue, 27 Jan 2026 05:01:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=lQIlNjAz; spf=pass (domain: gmail.com, ip: 209.85.221.41, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-432da746749so3106439f8f.0 for ; Tue, 27 Jan 2026 05:01:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518888; x=1770123688; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=XYSu8cr1esCLecs7TfsIcvug1clTj9kz0Y64eAAC0G4=; b=lQIlNjAz09htb+R/eUb1F2hA6+/XC8Hl29UGOkRl55UQensZ2UIU4LVOvLa8ElqiSv x+SDFa0+XfUL+luwhOIRBpB/BfyuN+aDluKlnGpe02HYIm8BaAydissgT8+gZmydxxrD vaTMNETMkK0KhS9E8hPOfb9CP0HsWaY3wxr3PVsl94JwWpwYosd6BHkG9eJD6+6K2sSl SXeevWJkHeJSyAbGmEc20NAm77/xHsOMqoQbq2TUqyRAe8ONTRWpTYI3v58wM8wtAN41 R8GH8wmr1p13TOsR09k3kMOj/B3Mj3N640xR9y7NgBLGyqbGU+Vm8t+rLQBCrFJKfTcx 87ng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518888; x=1770123688; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=XYSu8cr1esCLecs7TfsIcvug1clTj9kz0Y64eAAC0G4=; b=DxeglHDFg0UErl3Ma6Xgcu9VGOvi/2OUToS4nAkzMmL7V3sLYd0vMgsPm0iD60EIWg 7NSA+sx86L9efhIQlVetDK7askrhpZtT4l5WUcuRqeUmCZgFXTAWchUleNdiOyhjQAY0 sOSyyWtlPKvqC/YQ+gN/X6wZYgrHp9SRcG1bdNXb7EnudgS4hw4FEGgmFjgbNDjis0Rr m2KY5b3nJY6gZvOtb0JenspHrfof0dwoLa+2yiCB6iTsmZ9K7VEKKyCptkE9+eYfKMYL hvfepqZqzlKs9RRuHJWD0R3XGy4cDuJPoRIQ+p51TD+m+uvMLrApg7NOR2qk+vLNQJWu O0Vg== X-Gm-Message-State: AOJu0YxKVslT/NvPw81+eQmRja98Ip5y4gkHBh05OeyUKgo5yoyWk+Al ZML3gK1uJ1fkkgoFcIAhGhfuiBPMp6Sl0QRK+0M45Vw3tQah8VTqbYFzx1S2aA== X-Gm-Gg: AZuq6aLjEHP/FjQTI4O+QjcRL6ODk5jVn9VVrR75L02F2dr8cRad6u7fn95H/nWozzJ desvj+IZTRcDZOoUqSYfNSaztKuYJBJa9/2YvGuShjG9MlFRlqFBA+QHqkbwUTfXKk8RpkMSpAk jqP5447f7jdKjvRvpOjl6c/Ou3vVN830ux4BNz45D7rx/1j7JNB/QJg12UYu8efsuK7mg0hypAd KlxrOvZpeFpOvM8FJny49ASXTdSZN6G0eYq44trZ6ZlRrz7qaMdNgIDBRODy3HCoTAMg3If8d/w wOtMnbsDavK0WU3zsZ4ajyK2klZcBDvkhgqiLW7Pke0lSz9HiegwoISFIOkEMVW6LP7A7PnwWYY 0ZZWN8/iNIXC+RsSHSsBX95M9TBYLuTTIqzfWoq3e6szznPiN8udy0Y/Ufv+DccjuDZF5dRk/oK L//EdJFPwz X-Received: by 2002:a05:6000:1786:b0:435:975d:33b0 with SMTP id ffacd0b85a97d-435dd0a39dfmr2480419f8f.35.1769518887902; Tue, 27 Jan 2026 05:01:27 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:27 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 11/14] tigervnc: patch CVE-2025-26598 Date: Tue, 27 Jan 2026 14:01:11 +0100 Message-ID: <20260127130116.1902238-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123951 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26598 Pick the patch that explicitly mentions the CVE ID in its commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26598.patch | 122 ++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 123 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch new file mode 100644 index 0000000000..8ce3606fa5 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch @@ -0,0 +1,122 @@ +From ad498de18aab5d1095b2005a9555c003860b92bd Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 16 Dec 2024 11:25:11 +0100 +Subject: [PATCH] Xi: Fix barrier device search + +From: Olivier Fourdan + +The function GetBarrierDevice() would search for the pointer device +based on its device id and return the matching value, or supposedly NULL +if no match was found. + +Unfortunately, as written, it would return the last element of the list +if no matching device id was found which can lead to out of bounds +memory access. + +Fix the search function to return NULL if not matching device is found, +and adjust the callers to handle the case where the device cannot be +found. + +CVE-2025-26598, ZDI-CAN-25740 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit bba9df1a9d57234c76c0b93f88dacb143d01bca2) + +Part-of: +(cherry picked from commit 32decb1efb89341881de8266f3dd1c3356981bfd) + +CVE: CVE-2025-26598 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/32decb1efb89341881de8266f3dd1c3356981bfd] +Signed-off-by: Gyorgy Sarvari +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 1926762ad..cb336f22b 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -129,14 +129,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -337,6 +338,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (pbd->seen) + continue; + +@@ -445,6 +449,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -485,6 +492,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -679,6 +689,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -738,6 +751,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -903,6 +918,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index caa44ea0d6..5fbccd970d 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -30,6 +30,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26595.patch;patchdir=${XORG_S} \ file://CVE-2025-26596.patch;patchdir=${XORG_S} \ file://CVE-2025-26597.patch;patchdir=${XORG_S} \ + file://CVE-2025-26598.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:12 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79855 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C908ED2F024 for ; Tue, 27 Jan 2026 13:01:39 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10490.1769518890795740965 for ; Tue, 27 Jan 2026 05:01:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Zvhqo8Lv; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-47ee9817a35so44093955e9.1 for ; Tue, 27 Jan 2026 05:01:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518889; x=1770123689; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=zrsRI0+D3PurFZUVztZD93XG6TfRp0W2ehIEZjKD6pU=; b=Zvhqo8Lv+/rriMiN66kWSkOuFZ032Gqfte9IKlqAJH7GDhOvHfManR0FzhyhNETC/H T5JQmlkr9oSAUps1qLGUxmN8BU1xSqkUlmWS5pEy5BiPktEuANjNToQeLBzwivT2hD21 CDlm2VK+A/8u7N/eKZNhMU9b29mcMk5+usxgI4VGrL1k6j1+F/NKtjqh7g0UV44fGmd+ OQCXS7cnOz6SOc/SbBj/SNWHw0aeUjcrjmWPagAFbYCodaucd2TvcADv3sWPYC+R3Ikd C6e9ACavHqt6Lq0LtYUoL9fJn5S4kjBoCIC0QrNyM4H4psVu7btXvptbmOLCKaJnoPlV Q5aA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518889; x=1770123689; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=zrsRI0+D3PurFZUVztZD93XG6TfRp0W2ehIEZjKD6pU=; b=t7mKRO2sJZAaslz4Ax1nkNfKXyw4b4++pqhNfcsBOv3M5c+Ab1gYwjbTZdTLkMtTkg Ar4kV+JeORTWGk3AGJzOvWpezrMizq6mgRZokZLtyUTRfA6ez+p4vmzIgXSY6zr/gMG3 5cKLDNjE768H+0V0exdRGOWVQj24nPieXRFipOqyTeZL9aEihN6wdvDSB4yUtAgEqsvn 7Xo/JarBG72XoacdwLlJrXd/2CP9B7LZUgpn1gmPmxCj6bUIivBH+gM7ojHaOCcWWsdN 1BPADiUdhXDVX9vswpc4AWHKqgPgCSNqtvsdZjAwSBv4Zum6yJSl2/CeEVP6ExfAAJbu sBDA== X-Gm-Message-State: AOJu0YxgITtLCAggtbK3W8ydBUcQHBc7H8LoTMWrBZHLLbfCdCNZ5d/h h5OK1LyfSHTdKmwUEvqyyOaTmSjgEBZEhwdyusAwLmtDXeZSi9p+Xpadsg9a3g== X-Gm-Gg: AZuq6aJWJa/vq3x2TM9r+LbX/5HkNR2xhlpb5pGbZ7mIPo2RdOH2hyFfnezBdZdvMFX rBFY/6xPd2UxXTPsT8asVN35klycvi/JhDnZky8FBgqXFpFXzQIr7fpSM78ZZ3NnTi59ajTTgzH vClnl3DkkWLk+spYIhCuTDJJoRvhfU4l9HgbUoXd4QHqQiFQ/nVoZnFK6XIsLX5OzhNDPfHGNcc xaE+/c9PnGzIlLLW4V5AL3L0TNfHxAlJ6RwFYqjYlIsgD4gcUt4rXfo5uttQux1NauVhxtXIMYf lTFT3dMp7VIDIb3FmjMRFUxZWEw7Qyg3uBuoMJLqfdXZ32FDRi1e8JkmLQ8bsfLmu1i7nTgO6u1 U+k38skmNiMrvUWLpZWLtWl9UZ6TDojEEbn9eci/69CCrCeOG51w3zIsr0uusdcfI7BPitRsuqH CeeVaxly0K X-Received: by 2002:a05:600c:1381:b0:47e:e076:c7a5 with SMTP id 5b1f17b1804b1-48069c25b95mr23844185e9.11.1769518888733; Tue, 27 Jan 2026 05:01:28 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:28 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 12/14] tigervnc: patch CVE-2025-26599 Date: Tue, 27 Jan 2026 14:01:12 +0100 Message-ID: <20260127130116.1902238-13-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123952 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26599 Pick the patches that explicitly mention this CVE ID in their commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26599-1.patch | 69 +++++++++ .../tigervnc/files/CVE-2025-26599-2.patch | 131 ++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 2 + 3 files changed, 202 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-1.patch create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-2.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-1.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-1.patch new file mode 100644 index 0000000000..a56b824557 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-1.patch @@ -0,0 +1,69 @@ +From fe2822b8cf7fa104187838380419c6b2c300b24a Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH 1/2] composite: Handle failure to redirect in + compRedirectWindow() + +From: Olivier Fourdan + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +(cherry picked from commit c1ff84bef2569b4ba4be59323cf575d1798ba9be) + +Part-of: +(cherry picked from commit 7169628a1715f8203665f9805c714ed111907914) + +CVE: CVE-2025-26599 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/7169628a1715f8203665f9805c714ed111907914] +Signed-off-by: Gyorgy Sarvari +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 3e2f14fb0..55a1b725a 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-2.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-2.patch new file mode 100644 index 0000000000..f8d34ab796 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-2.patch @@ -0,0 +1,131 @@ +From 179c3cccc8cebf5e1d365d14ef9717664937eb5c Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 13 Jan 2025 16:09:43 +0100 +Subject: [PATCH 2/2] composite: initialize border clip even when pixmap alloc + fails + +From: Olivier Fourdan + +If it fails to allocate the pixmap, the function compAllocPixmap() would +return early and leave the borderClip region uninitialized, which may +lead to the use of uninitialized value as reported by valgrind: + + Conditional jump or move depends on uninitialised value(s) + at 0x4F9B33: compClipNotify (compwindow.c:317) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) + by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + +Fix compAllocPixmap() to initialize the border clip even if the creation +of the backing pixmap has failed, to avoid depending later on +uninitialized border clip values. + +Related to CVE-2025-26599, ZDI-CAN-25851 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +(cherry picked from commit b07192a8bedb90b039dc0f70ae69daf047ff9598) + +Part-of: +(cherry picked from commit d09125fbb3b997ed77b7f008f8bd30328ba69fbb) + +CVE: CVE-2025-26599 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d09125fbb3b997ed77b7f008f8bd30328ba69fbb] +Signed-off-by: Gyorgy Sarvari +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 55a1b725a..d1c205ca0 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -604,9 +604,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -620,14 +623,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 5fbccd970d..1a2b4df7af 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -31,6 +31,8 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26596.patch;patchdir=${XORG_S} \ file://CVE-2025-26597.patch;patchdir=${XORG_S} \ file://CVE-2025-26598.patch;patchdir=${XORG_S} \ + file://CVE-2025-26599-1.patch;patchdir=${XORG_S} \ + file://CVE-2025-26599-2.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:13 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79854 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BAA5FD2F01F for ; Tue, 27 Jan 2026 13:01:39 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10174.1769518893714823051 for ; Tue, 27 Jan 2026 05:01:34 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Sb+UGt7F; spf=pass (domain: gmail.com, ip: 209.85.128.49, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-48069a48629so6088385e9.0 for ; Tue, 27 Jan 2026 05:01:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518892; x=1770123692; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=80MAugW1iisbs/8zr/sXuxh1n2iP5nHMxve2fw9gWnM=; b=Sb+UGt7Fbhtegchynsxsm6u9ZWe2MKFxvHrtNU7O7ItPimHn2KBWfjwWUfObjpwjbb 7P3ASP7Z6eo2tFVxyWL2jkm9sw2IYv5HiCFKk8Kkg/3J5hBUXHldtFQGjoin/aqRdLRU k4KDHBtSn/dTrc/bEDCcMXMgVaHoVLd5mkqlPpQ4xaw/p2+YNPEC9+oHfQG9I4lDx9pc Gd33BeyCxa4V8de9x6BYJK5aedXRR/j4YBbctpsd9yuvGaG9hzRbIHeRtPdGqW0xPHF/ aLHu4d5nE2sAbAtaPGopxoWE87X5S7O6T8sqRss+T6v4/pgzHWx57h4vvxA9P54lASMX f75g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518892; x=1770123692; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=80MAugW1iisbs/8zr/sXuxh1n2iP5nHMxve2fw9gWnM=; b=s0i4JzArgIktsRRoOgMCm3Hxj2e6Hwp2YpsCWUeAguPIFwHBhSEJcnVDRfWK2lSaHZ A1lbgs52jJwlfKZUNiO+vFhz/4BzZDGsRO+KWTb2SHiDpG/tfCA0RE2fpDdaWVA9E3xN oZkprBVmUssVICPXua5k9PdwfdAMwMJzVQqrKBnVv84AR/m+24qulntiGfU14PM4n6kK lC64qfqMN6GZQ4klM4TMeSrX098eocGOqdmVvG3MBpK6o84i/byNN/bFtuXGuC19u+pW l3rVJOV/j0SBT/MouvXdPTTyeOxZY0bBuCEbsp3vJYqyhQ3XtEFQPI5j5i5wNWjk5x9M VTjQ== X-Gm-Message-State: AOJu0Yz24gDV44daRQI7l3AIn4RKDnNUxP0tDP6GB+BXrb8bJc77kqTn d6VSLZVGWPXfUVhSu/k85rHdoAue24ybO/M+LxUsbrya3nnFlaIsx7UT4ERw5w== X-Gm-Gg: AZuq6aIjIBPUvcpjkisfxjMGGTrok213lFlhGaLOzWkZtnX09Vrya9BEA8X3t1/Q2Gr 8gv3vgqMQUNpXJJxJ0lJPEnBA3Z6oM8/aBwc26eVvMh+p3JzCGnDahhnORb9JkQkEwcuHn9Qt6l zB50gmqu7ajW63K8kEgkoEVe9Z0/o2siPJQCzD3adqOjpPZGmuuY7v9RnHizXGa7QfZJd7T/rAD 1Mk+fXcDyFTnxs9tn54Mqx0Qpu8uxZx+F/Smt2qqtnyTuwU7WxJrozlThWFzlNHXDnOqtIQ0U+c HkBVJgK79noIbqe5+NTC1mW5C0gbfcr+pHzfbalNR665oQ5AwARB6BdUVg7cwdll1zmmlVDkrhb TjpeUg1vauPaViophl+KaIiuUfh/Nmjr1NZeycOtFQF1ZhBmcTrvdVynHouMR3+buyxMS8b3oO9 JXwlMq3cWp X-Received: by 2002:a05:600c:83ca:b0:480:4b59:932e with SMTP id 5b1f17b1804b1-48069c1c2e2mr22153095e9.11.1769518889617; Tue, 27 Jan 2026 05:01:29 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:29 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 13/14] tigervnc: patch CVE-2025-26600 Date: Tue, 27 Jan 2026 14:01:13 +0100 Message-ID: <20260127130116.1902238-14-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123954 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26600 Pick the patch that explicitly mentions this CVE ID in its commit message. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26600.patch | 70 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 71 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch new file mode 100644 index 0000000000..39b297c705 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch @@ -0,0 +1,70 @@ +From 4776fc7f70250df69cd1000196d08ba2c5e57894 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +From: Olivier Fourdan + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14) + +Part-of: +(cherry picked from commit 826cef825fe49a275deb28e85b8c714b697f5efa) + +CVE: CVE-2025-26600 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/826cef825fe49a275deb28e85b8c714b697f5efa] +Signed-off-by: Gyorgy Sarvari +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 7776498f8..deac30908 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -949,6 +949,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1013,6 +1030,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 1a2b4df7af..f8f53c4c91 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -33,6 +33,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26598.patch;patchdir=${XORG_S} \ file://CVE-2025-26599-1.patch;patchdir=${XORG_S} \ file://CVE-2025-26599-2.patch;patchdir=${XORG_S} \ + file://CVE-2025-26600.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core From patchwork Tue Jan 27 13:01:14 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79852 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1DEFD2F01B for ; Tue, 27 Jan 2026 13:01:39 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10492.1769518893043810735 for ; Tue, 27 Jan 2026 05:01:33 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jIH0ZDMY; spf=pass (domain: gmail.com, ip: 209.85.221.51, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-432d2670932so5177310f8f.2 for ; Tue, 27 Jan 2026 05:01:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769518891; x=1770123691; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4ApeJWrwTBNQK9E7IMXT0hPS2Cl1WmGJ70dQ6DWpmCg=; b=jIH0ZDMYnCw6sD5cloqg1d44Kw98aEU+BTdmHcNEwpnMQuvClBJqK7NjljHWd+k+Ie KWwKGhRNcG7zVidVlPxUeom5H+SaJNeaAKicLlx8ovK2yVKGbjlYnEligZfmmn5nmgr4 jUpfTWhSEr7fSF6zbjZhcWWR7wbQbEtHljxnhCn4VPGKnZI2HaZL67uIU+Zfx45/c36T q2JRibFqt2lIyYfEKeGBVK9FiLaKMskPi2HTmUgtgXM5+0fdgsjjjYbuKwCQ0lpY2ZH7 ga3QW4jafYC7VBbq7863GO8Pq3ND0xB9tFTgDFGfjvuZanUh9wJCqqEUxjsCBtWNmu3P hsdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769518891; x=1770123691; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=4ApeJWrwTBNQK9E7IMXT0hPS2Cl1WmGJ70dQ6DWpmCg=; b=pRCPv5h2feID9gI+EtCrDIeb8Ow8UzmPSIFvEACqnQovBh9+73WxlqQlOFrUM9FD3N QmOKIlBh8/IvVpXdqwByFF2tmhDJH25wuC7+psf4Su/UoxgWpTDpUaHTOkyO+QHne7zD /+6gMCHwLn6JXclx5SumLyjenGu2cfFqu5G9FFxv1vkcAutsDGWgbQk62ASpTkJbJagJ Y0Hb4XhTzufTqEIHhlmkIS95rxW1vDYN6Cid4nJQnio8UXGzUQBp8/ctJlmmBngaYQ8G U4zpSGvxcnBTA9U8BXHCR3afkq9rajfOwepm00XJzx3RLb+8BimiWbzOZv419Nxuo6Cc u8kg== X-Gm-Message-State: AOJu0Yx6AwP6+GmBohglAlMt7May5mQ/6LJoSiyA0PkDa1+lsyx6O/RU l9Ifo1ehZRcv/RKsQpC1NcJiooNZRsnSGvB0OxNagM8/slUR3giP45Qe6xX4TA== X-Gm-Gg: AZuq6aJ+nknWc/5yUP/oqv1Lo/bdMx0ctgxvEpyI/EW94fori0AGGQAN1psoLcv5+D6 l8VUpZ4ppcJTdEAX3AZvbo63g4B2LtIa6xZB4TZMeSp6c93vaLlRNJ2HjIdJXrnqtpvYM+aMMRa /O87ow2/sYceD+rhDOZA9pJaAmP6B8lRXn3Od2MjkhO8vkBecqY0ghz5C2SEAG0wIwpPU1xqne8 AxXM4v80LGOTim0D4mCC2QNzTvUj53NY+AWIctklVv13q4Z0nsdhH7Zhg83/LfM9EIKL7N1vqBC x0d6oFsYMC9kI8yMTkObxuTraEI+QPG9N4wNMOE1IFy34YLsNTqLfWbr9cOOJTDMq5S94+F7txe RMNguoQFyclUut5KVpQZEmzR4GZEQzSqolzAdci0k0k2lOc6MGGtybvD7r71IvjZgWQHHFlzunl 8a7cr7cZl0 X-Received: by 2002:a05:6000:2310:b0:435:bbda:3f4e with SMTP id ffacd0b85a97d-435dd0b0889mr2270311f8f.31.1769518891192; Tue, 27 Jan 2026 05:01:31 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435b1c24a8asm37671577f8f.12.2026.01.27.05.01.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jan 2026 05:01:29 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 14/14] tigervnc: patch CVE-2025-26601 Date: Tue, 27 Jan 2026 14:01:14 +0100 Message-ID: <20260127130116.1902238-15-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260127130116.1902238-1-skandigraun@gmail.com> References: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 13:01:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123953 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26601 Pick the patches that explicitly mention the CVE ID in their commit messages. Signed-off-by: Gyorgy Sarvari --- .../tigervnc/files/CVE-2025-26601-1.patch | 73 ++++++++++ .../tigervnc/files/CVE-2025-26601-2.patch | 87 ++++++++++++ .../tigervnc/files/CVE-2025-26601-3.patch | 54 +++++++ .../tigervnc/files/CVE-2025-26601-4.patch | 134 ++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 4 + 5 files changed, 352 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-1.patch create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-2.patch create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-3.patch create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-4.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-1.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-1.patch new file mode 100644 index 0000000000..b55689d5a8 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-1.patch @@ -0,0 +1,73 @@ +From cdbf898b00c53929b6c262f2f089317a67743bc2 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH 1/4] sync: Do not let sync objects uninitialized + +From: Olivier Fourdan + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b) + +Part-of: +(cherry picked from commit e708ad021753d603580d314c48b93d3adf459c5f) + +CVE: CVE-2025-26601 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e708ad021753d603580d314c48b93d3adf459c5f] +Signed-off-by: Gyorgy Sarvari +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index fd2ceb042..e55295904 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -329,11 +329,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -401,6 +396,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-2.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..fcf75cb2c6 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-2.patch @@ -0,0 +1,87 @@ +From cf6bdfc924b9891fc4095876161e5140667235c3 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH 2/4] sync: Check values before applying changes + +From: Olivier Fourdan + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit f52cea2f93a0c891494eb3334894442a92368030) + +Part-of: +(cherry picked from commit 330b4068212c02548b53d19c0078ddc75c36a724) + +CVE: CVE-2025-26601 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/330b4068212c02548b53d19c0078ddc75c36a724] +Signed-off-by: Gyorgy Sarvari +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index e55295904..66a52283d 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -350,6 +350,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -378,24 +396,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-3.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..2cfc0388ab --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-3.patch @@ -0,0 +1,54 @@ +From 9350505d96d74f8960e842c1950e85e5b4e889ee Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH 3/4] sync: Do not fail SyncAddTriggerToSyncObject() + +From: Olivier Fourdan + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 8cbc90c8817306af75a60f494ec9dbb1061e50db) + +Part-of: +(cherry picked from commit 043a4e959b8590ff37b72cd3440328ec3e39699f) + +CVE: CVE-2025-26601 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/043a4e959b8590ff37b72cd3440328ec3e39699f] +Signed-off-by: Gyorgy Sarvari +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 66a52283d..8def4adbf 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -199,8 +199,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -408,8 +408,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-4.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..79766000bd --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-4.patch @@ -0,0 +1,134 @@ +From f66811bfc42942f5acde2ec3dca63aa49effd066 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 20 Jan 2025 17:10:31 +0100 +Subject: [PATCH 4/4] sync: Apply changes last in SyncChangeAlarmAttributes() + +From: Olivier Fourdan + +SyncChangeAlarmAttributes() would apply the various changes while +checking for errors. + +If one of the changes triggers an error, the changes for the trigger, +counter or delta value would remain, possibly leading to inconsistent +changes. + +Postpone the actual changes until we're sure nothing else can go wrong. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit c285798984c6bb99e454a33772cde23d394d3dcd) + +Part-of: +(cherry picked from commit a2c0f84c1cd0c92918f08f83f562c2e324cd4cbb) + +CVE: CVE-2025-26601 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/a2c0f84c1cd0c92918f08f83f562c2e324cd4cbb] +Signed-off-by: Gyorgy Sarvari +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 8def4adbf..e2f2c2774 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -799,8 +799,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -816,24 +822,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -843,10 +849,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -855,25 +859,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." + */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index f8f53c4c91..0b54720947 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -34,6 +34,10 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26599-1.patch;patchdir=${XORG_S} \ file://CVE-2025-26599-2.patch;patchdir=${XORG_S} \ file://CVE-2025-26600.patch;patchdir=${XORG_S} \ + file://CVE-2025-26601-1.patch;patchdir=${XORG_S} \ + file://CVE-2025-26601-2.patch;patchdir=${XORG_S} \ + file://CVE-2025-26601-3.patch;patchdir=${XORG_S} \ + file://CVE-2025-26601-4.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core