Your message dated Tue, 02 Jun 2026 09:34:40 +0000
with message-id <[email protected]>
and subject line Bug#1138680: fixed in xorg-server 2:21.1.23-1
has caused the Debian Bug report #1138680,
regarding xorg-server: multiple security issues fixed in X.Org X server in June
2026 release
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xorg-server
Version: 2:21.1.22-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi
>From https://lists.x.org/archives/xorg-announce/2026-June/003702.html:
=======================================================================
X.Org Security Advisory: June 2, 2026
Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================
Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.23 and xwayland-24.1.12.
Note that CVEs have been requested for these issues but did not get assigned in
time for this disclosure.
* Font Alias Stack-based Buffer Overflow
A mismatch between the X server and the libXfont2 library's maximum
font name length can cause a stack buffer overflow during font alias
resolution. The server allocates a 256 byte stack buffer but libXfont2's
alias target name length is 1024 bytes. A font alias name between 257
and 1023 bytes causes the X server to copy that name into the undersized
stack buffer without further checks.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30136)
* XSYNC Use-After-Free in miSyncDestroyFence()
A client that sets up multiple fence triggers can trigger a
use-after-free function pointer call. An attacker would connect to the
X server to set up a fence and await that fence, then a second X
connection destroys the fence, causing the use-after-free.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30159)
* XKB Key Types Stack-based Buffer Overflow
The X server has multiple stack buffers that are sized
XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
or clamp non-canonical key types to XkbMaxShiftLevel. A client can
change key types to excessive shift levels and trigger three separate
stack overflows.
This is caused by an incomplete fix of CVE-2025-26597.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30160)
* XKB SetMap Request Stack-based Buffer Overflow
_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
indexed by key type index. The helper function CheckKeyTypes() writes
to this buffer at a client-controlled offset, allowing a stack buffer
overflow.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30161)
* XSYNC Use-After-Free in FreeCounter()
A client that sets up multiple SyncCounters and awaits on those
triggers can trigger a use-after-free when destroying those counters
via a second client connection.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30163)
* XSYNC Use-After-Free in SyncChangeCounter()
A client that sets up multiple SyncCounters can trigger a use-after-free
when destroying those counters via a second client connection while
changing those counters.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30164)
* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
can read (or write) a client-controlled number of bytes, exceeding
the request buffer.
The write path requires byte-swapped clients which is disabled by
default.
The read can lead to information disclosure, the write can be used
to crash the server, or for privilege escalation if the X server runs
as root.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30165)
* CreateSaverWindow Use-After-Free Information Disclosure
A client can trigger a use-after-free read after changing window
attributes and forcing the screen saver. This can lead to information
disclosure.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30168)
* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
A client that requests multiple DRI2BufferBackLeft attachments and one
DRI2BufferFrontLeft can trigger an out-of-bounds heap write.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
Found by: Peter Hutterer, Red Hat.
So far no CVEs assigned.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xorg-server
Source-Version: 2:21.1.23-1
Done: Timo Aaltonen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated xorg-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 12:15:12 +0300
Source: xorg-server
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 2:21.1.23-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 1138680
Changes:
xorg-server (2:21.1.23-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1138680)
Checksums-Sha1:
e1cf7aabba97402f0ef9e1368ed9ddb55aeedc7b 4302 xorg-server_21.1.23-1.dsc
35ea23826806442b4acaffa653a769645fc2cfbf 9031952
xorg-server_21.1.23.orig.tar.gz
7cebdc42de39c9959595554f4d88b609c1d0acd7 195
xorg-server_21.1.23.orig.tar.gz.asc
1882245dd56d8bdfc5cd299f3b94ef99bc20f5fc 178282 xorg-server_21.1.23-1.diff.gz
79977dea8404bab0fbe61f8c6529489baa54c432 11896
xorg-server_21.1.23-1_source.buildinfo
Checksums-Sha256:
fd7718de38682ae98f1eeee165fadd6b888a5f6e1c3a9d4b272ac94d66140c43 4302
xorg-server_21.1.23-1.dsc
d81f4bea5eaf7e5c299bfeb52d54bab7e17ea72997b10fc9907712fccf9a64d5 9031952
xorg-server_21.1.23.orig.tar.gz
14cc73ac88297d9426e0dfc9ef7e11afd6cfadebb1c13627af7b2d2a307d3ff9 195
xorg-server_21.1.23.orig.tar.gz.asc
732c970a3951cbb332fe6d3875cd9b1b039ff1befbb046cd7c7017e2171cdd83 178282
xorg-server_21.1.23-1.diff.gz
9c3de672a789bc9f3a0aef09b28032d1493dd2aab652fd491500868f80816fb5 11896
xorg-server_21.1.23-1_source.buildinfo
Files:
0b9c6f7787dee3c4978a43ec9fb52f12 4302 x11 optional xorg-server_21.1.23-1.dsc
03bc57460a69a6a4469032196666d93d 9031952 x11 optional
xorg-server_21.1.23.orig.tar.gz
87d3ba228b32153212dd4ba7ca71368e 195 x11 optional
xorg-server_21.1.23.orig.tar.gz.asc
68d102223ba50036ba8ee1d6bfc0630d 178282 x11 optional
xorg-server_21.1.23-1.diff.gz
c114e5df1226ca678f0918a8adc5fc8d 11896 x11 optional
xorg-server_21.1.23-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmoenywACgkQy3AxZaiJ
hNxo+w/9FGhgoHgHSb9OsIOSyNUQRtuSB1IZBqqUrjFKxl5JVygBUAX4wYKU+IFx
sMf4546fw5z3ocT3clmCfEJLzpgzqAu2ch3haYtZfmym88MwC1BEl5GQQOI6OgKU
Z679EY1ucnqV3jH5wuBBFPfjGAK5anZf5hILLXHihlhbM2NknDptPQ4FWg10kH7J
oqIIeg0khUan3X0cX5E55YtbzQojAewkcjV08y1mxFsKKvrujpy+Ph9WU2Amp4xW
PFpKP0DNEcV3TznS1FDfvBSHjiMuEyWPuXPFcjTlgXJZb2yJuZig2EmqW5JK9WHH
XoOK5CAm5RAQlAnae7TqN62UjQ37fAh7nF9DM4cTt5/H22nyViw4y0oYMCLYZRNs
Ap8dyn2u8L4l6R1lHVBhgKW5bmUKnp0mQa5fKGzmgpqZDr3ImltlBKHzTM8uJaK9
/ohkpnEFR/slIeHoGAP4La4V6DKaOgjS8eeM5aSdXnVsafjIBFTO1FN0Etoonx4u
CxSzaS2swAJ/A7ylE4F8RDIYBrszyVgytrDfg5l4wnsrDClib1pryMXVarb29yXw
lQ2KceIurTpx6KDMR7tttzCS76VtKsP6ATB6d8J1icZ77ZZBuTOqUgF1tb5qlVgc
y/FhQy30rbpiMjs8wAxziSqMOEpbitFyqdR9c51ZfFPYHhevvvY=
=paOL
-----END PGP SIGNATURE-----
pgpq7EZ0V_3bf.pgp
Description: PGP signature
--- End Message ---
