.gitignore

@@ -1 +1 @@
-/xwayland-21.1.3.tar.xz
+SOURCES/xwayland-21.1.3.tar.xz

.xorg-x11-server-Xwayland.metadata

@@ -0,0 +1 @@
+ae980a7deeb7cad9f3cd253f3b1ddca5bb26aafa SOURCES/xwayland-21.1.3.tar.xz

0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch

@@ -1,37 +0,0 @@
-From 4c8de123f04e80a1c14c64064ebcec5497d2ec4b Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Mon, 22 Jan 2024 14:22:12 +1000
-Subject: [PATCH xserver 1/4] dix: fix valuator copy/paste error in the
- DeviceStateNotify event
-
-Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
-
-(cherry picked from commit 133e0d651c5d12bf01999d6289e84e224ba77adc)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1452>
----
- dix/enterleave.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/dix/enterleave.c b/dix/enterleave.c
-index 7b7ba1098..c1e6ac600 100644
---- a/dix/enterleave.c
-+++ b/dix/enterleave.c
-@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
-     ev->first_valuator = first;
-     switch (ev->num_valuators) {
-     case 6:
--        ev->valuator2 = v->axisVal[first + 5];
-+        ev->valuator5 = v->axisVal[first + 5];
-     case 5:
--        ev->valuator2 = v->axisVal[first + 4];
-+        ev->valuator4 = v->axisVal[first + 4];
-     case 4:
--        ev->valuator2 = v->axisVal[first + 3];
-+        ev->valuator3 = v->axisVal[first + 3];
-     case 3:
-         ev->valuator2 = v->axisVal[first + 2];
-     case 2:
--- 
-2.44.0
-

0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch

@@ -1,75 +0,0 @@
-From c3c2218ab797516e4d63a93a078d77c6ce872d03 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 5 Apr 2024 15:24:49 +0200
-Subject: [PATCH xserver] render: Avoid possible double-free in
- ProcRenderAddGlyphs()
-
-ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
-then frees it using FreeGlyph() to decrease the reference count, after
-AddGlyph() has increased it.
-
-AddGlyph() however may chose to reuse an existing glyph if it's already
-in the glyphSet, and free the glyph that was given, in which case the
-caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
-already freed glyph, as reported by ASan:
-
-  READ of size 4 thread T0
-    #0 in FreeGlyph xserver/render/glyph.c:252
-    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
-    #2 in Dispatch xserver/dix/dispatch.c:546
-    #3 in dix_main xserver/dix/main.c:271
-    #4 in main xserver/dix/stubmain.c:34
-    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-    #6 in __libc_start_main_impl ../csu/libc-start.c:360
-    #7  (/usr/bin/Xwayland+0x44fe4)
-  Address is located 0 bytes inside of 64-byte region
-  freed by thread T0 here:
-    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
-    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
-    #2 in AddGlyph xserver/render/glyph.c:295
-    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
-    #4 in Dispatch xserver/dix/dispatch.c:546
-    #5 in dix_main xserver/dix/main.c:271
-    #6 in main xserver/dix/stubmain.c:34
-    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  previously allocated by thread T0 here:
-    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
-    #1 in AllocateGlyph xserver/render/glyph.c:355
-    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
-    #3 in Dispatch xserver/dix/dispatch.c:546
-    #4 in dix_main xserver/dix/main.c:271
-    #5 in main xserver/dix/stubmain.c:34
-    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
-
-To avoid that, make sure not to free the given glyph in AddGlyph().
-
-v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
-v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
-
-Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
-Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1478>
----
- render/glyph.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/render/glyph.c b/render/glyph.c
-index d5fc5f3c9..f5069d42f 100644
---- a/render/glyph.c
-+++ b/render/glyph.c
-@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
-     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
-                       TRUE, glyph->sha1);
-     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
--        FreeGlyphPicture(glyph);
--        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
-         glyph = gr->glyph;
-     }
-     else if (gr->glyph != glyph) {
--- 
-2.44.0
-

0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch

@@ -1,57 +0,0 @@
-From 26120df7aae6b5bf8086fb4d871d3b1a07ddacdb Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Thu, 10 Oct 2024 10:37:28 +0200
-Subject: [PATCH xserver] xkb: Fix buffer overflow in _XkbSetCompatMap()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
-buffer.
-
-However, It didn't update its size properly. It updated `num_si` only,
-without updating `size_si`.
-
-This may lead to local privilege escalation if the server is run as root
-or remote code execution (e.g. x11 over ssh).
-
-CVE-2024-9632, ZDI-CAN-24756
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: José Expósito <jexposit@redhat.com>
-(cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735>
----
- xkb/xkb.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index 8d52e25df..8b63e34b5 100644
---- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -2990,13 +2990,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
-         XkbSymInterpretPtr sym;
-         unsigned int skipped = 0;
- 
--        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
--            compat->num_si = req->firstSI + req->nSI;
-+        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
-+            compat->num_si = compat->size_si = req->firstSI + req->nSI;
-             compat->sym_interpret = reallocarray(compat->sym_interpret,
--                                                 compat->num_si,
-+                                                 compat->size_si,
-                                                  sizeof(XkbSymInterpretRec));
-             if (!compat->sym_interpret) {
--                compat->num_si = 0;
-+                compat->num_si = compat->size_si = 0;
-                 return BadAlloc;
-             }
-         }
--- 
-2.47.0
-

0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch

@@ -1,47 +0,0 @@
-From bd16cc8368afc6959bebfb2b15cfdb93bcac6fee Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 18:51:45 -0700
-Subject: [PATCH xserver 2/4] Xi: ProcXIGetSelectedEvents needs to use
- unswapped length to send reply
-
-CVE-2024-31080
-
-Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
-Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-(cherry picked from commit 96798fc1967491c80a4d0c8d9e0a80586cb2152b)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
----
- Xi/xiselectev.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
-index edcb8a0d3..ac1494987 100644
---- a/Xi/xiselectev.c
-+++ b/Xi/xiselectev.c
-@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
-     InputClientsPtr others = NULL;
-     xXIEventMask *evmask = NULL;
-     DeviceIntPtr dev;
-+    uint32_t length;
- 
-     REQUEST(xXIGetSelectedEventsReq);
-     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
-@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
-         }
-     }
- 
-+    /* save the value before SRepXIGetSelectedEvents swaps it */
-+    length = reply.length;
-     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
- 
-     if (reply.num_masks)
--        WriteToClient(client, reply.length * 4, buffer);
-+        WriteToClient(client, length * 4, buffer);
- 
-     free(buffer);
-     return Success;
--- 
-2.44.0
-

0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch

@@ -1,45 +0,0 @@
-From 672b26d1f8e1cbe67d289786e3ce887988052b64 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 22 Mar 2024 18:56:27 -0700
-Subject: [PATCH xserver 3/4] Xi: ProcXIPassiveGrabDevice needs to use
- unswapped length to send reply
-
-CVE-2024-31081
-
-Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-(cherry picked from commit 3e77295f888c67fc7645db5d0c00926a29ffecee)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
----
- Xi/xipassivegrab.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
-index c9ac2f855..896233bec 100644
---- a/Xi/xipassivegrab.c
-+++ b/Xi/xipassivegrab.c
-@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-     GrabParameters param;
-     void *tmp;
-     int mask_len;
-+    uint32_t length;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
-     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
-         }
-     }
- 
-+    /* save the value before SRepXIPassiveGrabDevice swaps it */
-+    length = rep.length;
-     WriteReplyToClient(client, sizeof(rep), &rep);
-     if (rep.num_modifiers)
--        WriteToClient(client, rep.length * 4, modifiers_failed);
-+        WriteToClient(client, length * 4, modifiers_failed);
- 
-  out:
-     free(modifiers_failed);
--- 
-2.44.0
-

0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch

@@ -1,116 +0,0 @@
-From 01941a831811c9fd47ffed5ea96375abeb20c9fc Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 30 Jan 2024 13:13:35 +1000
-Subject: [PATCH xserver 4/4] render: fix refcounting of glyphs during
- ProcRenderAddGlyphs
-
-Previously, AllocateGlyph would return a new glyph with refcount=0 and a
-re-used glyph would end up not changing the refcount at all. The
-resulting glyph_new array would thus have multiple entries pointing to
-the same non-refcounted glyphs.
-
-AddGlyph may free a glyph, resulting in a UAF when the same glyph
-pointer is then later used.
-
-Fix this by returning a refcount of 1 for a new glyph and always
-incrementing the refcount for a re-used glyph, followed by dropping that
-refcount back down again when we're done with it.
-
-CVE-2024-31083, ZDI-CAN-22880
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-(backported from commit bdca6c3d1f5057eeb31609b1280fc93237b00c77)
-
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1464>
----
- render/glyph.c    |  5 +++--
- render/glyphstr.h |  3 +++
- render/render.c   | 15 +++++++++++----
- 3 files changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/render/glyph.c b/render/glyph.c
-index f3ed9cf4c..d5fc5f3c9 100644
---- a/render/glyph.c
-+++ b/render/glyph.c
-@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
-     }
- }
- 
--static void
-+void
- FreeGlyph(GlyphPtr glyph, int format)
- {
-     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
-+    BUG_RETURN(glyph->refcnt == 0);
-     if (--glyph->refcnt == 0) {
-         GlyphRefPtr gr;
-         int i;
-@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
-     glyph = (GlyphPtr) malloc(size);
-     if (!glyph)
-         return 0;
--    glyph->refcnt = 0;
-+    glyph->refcnt = 1;
-     glyph->size = size + sizeof(xGlyphInfo);
-     glyph->info = *gi;
-     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
-diff --git a/render/glyphstr.h b/render/glyphstr.h
-index 2f51bd244..fb6589d3e 100644
---- a/render/glyphstr.h
-+++ b/render/glyphstr.h
-@@ -102,6 +102,9 @@ HashGlyph(xGlyphInfo * gi,
- extern void
-  AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id);
- 
-+extern void
-+FreeGlyph(GlyphPtr glyph, int format);
-+
- extern Bool
-  DeleteGlyph(GlyphSetPtr glyphSet, Glyph id);
- 
-diff --git a/render/render.c b/render/render.c
-index 456f156d4..5bc2a204b 100644
---- a/render/render.c
-+++ b/render/render.c
-@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
- 
-         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
-             glyph_new->found = TRUE;
-+            ++glyph_new->glyph->refcnt;
-         }
-         else {
-             GlyphPtr glyph;
-@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
-         err = BadAlloc;
-         goto bail;
-     }
--    for (i = 0; i < nglyphs; i++)
-+    for (i = 0; i < nglyphs; i++) {
-         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
-+        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
-+    }
- 
-     if (glyphsBase != glyphsLocal)
-         free(glyphsBase);
-@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
-         FreePicture((void *) pSrc, 0);
-     if (pSrcPix)
-         FreeScratchPixmapHeader(pSrcPix);
--    for (i = 0; i < nglyphs; i++)
--        if (glyphs[i].glyph && !glyphs[i].found)
--            free(glyphs[i].glyph);
-+    for (i = 0; i < nglyphs; i++) {
-+        if (glyphs[i].glyph) {
-+            --glyphs[i].glyph->refcnt;
-+            if (!glyphs[i].found)
-+                free(glyphs[i].glyph);
-+        }
-+    }
-     if (glyphsBase != glyphsLocal)
-         free(glyphsBase);
-     return err;
--- 
-2.44.0
-

SPECS/xorg-x11-server-Xwayland.spec

@@ -9,7 +9,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   21.1.3
-Release:   17%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
+Release:   15%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
 
 URL:       http://www.x.org
 %if 0%{?gitdate}
@@ -81,19 +81,6 @@ Patch10037:   0007-dix-when-disabling-a-master-float-disabled-slaved-de.patch
 Patch10038:   0008-glx-Call-XACE-hooks-on-the-GLX-buffer.patch
 # Fix for CVE-2024-0409
 Patch10039:   0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
-# Fix for copy/paste error in previous CVE fix
-Patch10040:  0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
-# Fix for CVE-2024-31080
-Patch10041:  0002-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
-# Fix for CVE-2024-31081
-Patch10042:  0003-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
-# Fix for CVE-2024-31083, ZDI-CAN-22880
-Patch10043:  0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
-# Fix for the fix for CVE-2024-31083
-# https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
-Patch10044: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
-# Fix for CVE-2024-9632
-Patch10045: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
 
 License:   MIT
 
@@ -201,12 +188,6 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
 %{_libdir}/pkgconfig/xwayland.pc
 
 %changelog
-* Wed Oct 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-17
-- Fix for CVE-2024-9632 - (RHEL-61995)
-
-* Thu Apr  4 2024 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-16
-- CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
-
 * Tue Jan 16 2024 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-15
   Fix for CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886,
   CVE-2024-0408, CVE-2024-0409

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}

sources

@@ -1 +0,0 @@
-SHA512 (xwayland-21.1.3.tar.xz) = 24147ef788cce3fa16cd5604d293ffbe7ef4c6dc5fc2b1a1018d78ca4c0f10ade7b99c1ad6a8cdca5c581ff40f5834d7e34b2a314acca665a527eed700993594