Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26600
Pick the patch that explicitly mentions this CVE ID in its commit message. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../tigervnc/files/CVE-2025-26600.patch | 70 +++++++++++++++++++ .../tigervnc/tigervnc_1.11.0.bb | 1 + 2 files changed, 71 insertions(+) create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch new file mode 100644 index 0000000000..39b297c705 --- /dev/null +++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch @@ -0,0 +1,70 @@ +From 4776fc7f70250df69cd1000196d08ba2c5e57894 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari <[email protected]> +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +From: Olivier Fourdan <[email protected]> + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <[email protected]> +Reviewed-by: Peter Hutterer <[email protected]> +(cherry picked from commit 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14) + +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830> +(cherry picked from commit 826cef825fe49a275deb28e85b8c714b697f5efa) + +CVE: CVE-2025-26600 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/826cef825fe49a275deb28e85b8c714b697f5efa] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 7776498f8..deac30908 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -949,6 +949,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1013,6 +1030,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 1a2b4df7af..f8f53c4c91 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb @@ -33,6 +33,7 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht file://CVE-2025-26598.patch;patchdir=${XORG_S} \ file://CVE-2025-26599-1.patch;patchdir=${XORG_S} \ file://CVE-2025-26599-2.patch;patchdir=${XORG_S} \ + file://CVE-2025-26600.patch;patchdir=${XORG_S} \ " # Keep sync with xorg-server in oe-core
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123954): https://lists.openembedded.org/g/openembedded-devel/message/123954 Mute This Topic: https://lists.openembedded.org/mt/117487442/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
