xwayland - Debian Package Tracker

general

source: xwayland (main)
version: 2:24.1.6-1
maintainer: Debian X Strike Force (archive) (DMD)
uploaders: Timo Aaltonen [DMD]
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 2:22.1.9-1
testing: 2:24.1.6-1
unstable: 2:24.1.6-1

versioned links

2:22.1.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:24.1.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

xwayland (35 bugs: 0, 35, 0, 0)

action needed

A new upstream version is available: 24.1.8 high

A new upstream version 24.1.8 is available, you should consider packaging it.

Created: 2025-06-18 Last update: 2025-07-27 04:31

6 security issues in trixie high

There are 6 open security issues in trixie.

6 important issues:

CVE-2025-49175: A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.
CVE-2025-49176: A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.
CVE-2025-49177: A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.
CVE-2025-49178: A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.
CVE-2025-49179: A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
CVE-2025-49180: A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.

Created: 2025-06-17 Last update: 2025-06-27 07:00

6 security issues in sid high

There are 6 open security issues in sid.

6 important issues:

CVE-2025-49175: A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.
CVE-2025-49176: A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.
CVE-2025-49177: A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.
CVE-2025-49178: A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.
CVE-2025-49179: A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
CVE-2025-49180: A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.

Created: 2025-06-17 Last update: 2025-06-27 07:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-02-09 Last update: 2025-07-27 08:32

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2:24.1.6-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 84145e011fb98fea74878e07335bd22e9bfed531
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Feb 28 12:40:35 2025 +0200

    Add README.Debian.security
    
    to clarify how the security issues are inherited from the shared codebase with xorg-server, and don't
    actually apply to xwayland.

Created: 2025-02-28 Last update: 2025-07-20 09:01

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-02-26 Last update: 2025-02-26 22:31

No known security issue in bookworm wishlist

There are 27 open security issues in bookworm.

27 ignored issues:

CVE-2023-5367: A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
CVE-2023-6377: A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
CVE-2023-6478: A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
CVE-2023-6816: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
CVE-2024-0408: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
CVE-2024-0409: A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
CVE-2024-9632: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
CVE-2024-21885: A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.
CVE-2024-21886: A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.
CVE-2024-31080: A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2024-31081: A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
CVE-2024-31083: A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
CVE-2025-26594: A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.
CVE-2025-26595: A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
CVE-2025-26596: A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
CVE-2025-26597: A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
CVE-2025-26598: An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
CVE-2025-26599: An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
CVE-2025-26600: A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
CVE-2025-26601: A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
CVE-2025-49175: A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.
CVE-2025-49176: A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.
CVE-2025-49177: A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.
CVE-2025-49178: A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.
CVE-2025-49179: A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
CVE-2025-49180: A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.

Created: 2023-10-25 Last update: 2025-06-27 07:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.0).

Created: 2022-05-11 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-03-03] xwayland 2:24.1.6-1 MIGRATED to testing (Debian testing watch)
[2025-02-26] Accepted xwayland 2:24.1.6-1 (source) into unstable (Emilio Pozuelo Monfort)
[2025-02-12] xwayland 2:24.1.5-1 MIGRATED to testing (Debian testing watch)
[2025-02-06] Accepted xwayland 2:24.1.5-1 (source) into unstable (Timo Aaltonen)
[2025-02-01] xwayland 2:24.1.4-3 MIGRATED to testing (Debian testing watch)
[2025-01-27] Accepted xwayland 2:24.1.4-3 (source) into unstable (Timo Aaltonen)
[2024-12-21] xwayland 2:24.1.4-2 MIGRATED to testing (Debian testing watch)
[2024-12-16] Accepted xwayland 2:24.1.4-2 (source) into unstable (Timo Aaltonen)
[2024-11-05] xwayland 2:24.1.4-1 MIGRATED to testing (Debian testing watch)
[2024-10-31] Accepted xwayland 2:24.1.4-1 (source) into unstable (Timo Aaltonen)
[2024-10-21] xwayland 2:24.1.3-1 MIGRATED to testing (Debian testing watch)
[2024-10-16] Accepted xwayland 2:24.1.3-1 (source) into unstable (Timo Aaltonen)
[2024-08-13] xwayland 2:24.1.2-1 MIGRATED to testing (Debian testing watch)
[2024-08-08] Accepted xwayland 2:24.1.2-1 (source) into unstable (Timo Aaltonen)
[2024-05-23] xwayland 2:24.1.0-1 MIGRATED to testing (Debian testing watch)
[2024-05-15] Accepted xwayland 2:24.1.0-1 (source) into unstable (Timo Aaltonen)
[2024-04-29] xwayland 2:23.2.6-1 MIGRATED to testing (Debian testing watch)
[2024-04-26] Accepted xwayland 2:24.0.99.901-1 (source) into experimental (Timo Aaltonen)
[2024-04-13] Accepted xwayland 2:23.2.6-1 (source) into unstable (Timo Aaltonen)
[2024-01-23] xwayland 2:23.2.4-1 MIGRATED to testing (Debian testing watch)
[2024-01-17] Accepted xwayland 2:23.2.4-1 (source) into unstable (Julien Cristau)
[2023-12-18] xwayland 2:23.2.3-1 MIGRATED to testing (Debian testing watch)
[2023-12-13] Accepted xwayland 2:23.2.3-1 (source) into unstable (Timo Aaltonen)
[2023-10-31] xwayland 2:23.2.2-1 MIGRATED to testing (Debian testing watch)
[2023-10-25] Accepted xwayland 2:23.2.2-1 (source) into unstable (Timo Aaltonen)
[2023-09-25] xwayland 2:23.2.1-1 MIGRATED to testing (Debian testing watch)
[2023-09-20] Accepted xwayland 2:23.2.1-1 (source) into unstable (Timo Aaltonen)
[2023-08-21] xwayland 2:23.2.0-1 MIGRATED to testing (Debian testing watch)
[2023-08-16] Accepted xwayland 2:23.2.0-1 (source) into unstable (Timo Aaltonen)
[2023-05-11] Accepted xwayland 2:23.1.1-1 (source) into experimental (Timo Aaltonen)

bugs [bug history graph]

all: 37
RC: 0
I&N: 37
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2:24.1.6-1ubuntu1
34 bugs (1 patch)
patches for 2:24.1.6-1ubuntu1