diff -Nru xwayland-23.2.4/Xi/xipassivegrab.c xwayland-23.2.6/Xi/xipassivegrab.c
--- xwayland-23.2.4/Xi/xipassivegrab.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/Xi/xipassivegrab.c 2024-04-09 09:23:44.000000000 +0000
@@ -93,6 +93,7 @@
 GrabParameters param;
 void *tmp;
 int mask_len;
+ uint32_t length;
 REQUEST(xXIPassiveGrabDeviceReq);
 REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@
 }
 }
+ /* save the value before SRepXIPassiveGrabDevice swaps it */
+ length = rep.length;
 WriteReplyToClient(client, sizeof(rep), &rep);
 if (rep.num_modifiers)
- WriteToClient(client, rep.length * 4, modifiers_failed);
+ WriteToClient(client, length * 4, modifiers_failed);
 out:
 free(modifiers_failed);
diff -Nru xwayland-23.2.4/Xi/xiselectev.c xwayland-23.2.6/Xi/xiselectev.c
--- xwayland-23.2.4/Xi/xiselectev.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/Xi/xiselectev.c 2024-04-09 09:23:44.000000000 +0000
@@ -349,6 +349,7 @@
 InputClientsPtr others = NULL;
 xXIEventMask *evmask = NULL;
 DeviceIntPtr dev;
+ uint32_t length;
 REQUEST(xXIGetSelectedEventsReq);
 REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
@@ -418,10 +419,12 @@
 }
 }
+ /* save the value before SRepXIGetSelectedEvents swaps it */
+ length = reply.length;
 WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
 if (reply.num_masks)
- WriteToClient(client, reply.length * 4, buffer);
+ WriteToClient(client, length * 4, buffer);
 free(buffer);
 return Success;
diff -Nru xwayland-23.2.4/debian/changelog xwayland-23.2.6/debian/changelog
--- xwayland-23.2.4/debian/changelog 2024-03-31 17:33:08.000000000 +0000
+++ xwayland-23.2.6/debian/changelog 2024-04-13 13:58:45.000000000 +0000
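Review bot: The guard `if (rep.num_modifiers)` in the second hunk of Xi/xipassivegrab.c still reads the reply struct after `WriteReplyToClient`, the call that, per the new comment, leads to SRepXIPassiveGrabDevice swapping `rep.length`; only the length was moved to a local. If the swap routine also touches `num_modifiers` (not visible here), the test keeps working only because it checks for non-zero, so the comment should be widened to something like `/* rep may be byte-swapped in place by the call below; do not read any rep field after it */`, or the decision should be taken before the write. The same applies to `if (reply.num_masks)` in the second hunk of Xi/xiselectev.c. Both function bodies begin and end outside the hunks.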
@@ -1,20 +1,12 @@
-xwayland (2:23.2.4-1build3) noble; urgency=medium
+xwayland (2:23.2.6-1) unstable; urgency=medium
- * No-change rebuild for CVE-2024-3094
+ * New upstream release.
+ - CVE-2024-31080
+ - CVE-2024-31081
+ - CVE-2024-31083
+ * control: Add libtirpc-dev to build-depends. (Closes: #1065184)
- -- Steve Langasek Sun, 31 Mar 2024 17:33:08 +0000
-
-xwayland (2:23.2.4-1build2) noble; urgency=medium
-
- * No-change rebuild for libtirpc t64.
-
- -- Matthias Klose Sat, 02 Mar 2024 21:31:26 +0100
-
-xwayland (2:23.2.4-1build1) noble; urgency=medium
-
- * No-change rebuild against libtirpc3t64
-
- -- Steve Langasek Thu, 29 Feb 2024 09:34:24 +0000
+ -- Timo Aaltonen Sat, 13 Apr 2024 16:58:45 +0300
 xwayland (2:23.2.4-1) unstable; urgency=medium
diff -Nru xwayland-23.2.4/debian/control xwayland-23.2.6/debian/control
--- xwayland-23.2.4/debian/control 2024-02-29 09:34:24.000000000 +0000
+++ xwayland-23.2.6/debian/control 2024-04-13 13:50:59.000000000 +0000
@@ -1,8 +1,7 @@
 Source: xwayland
 Section: x11
 Priority: optional
-Maintainer: Ubuntu Developers
-XSBC-Original-Maintainer: Debian X Strike Force
+Maintainer: Debian X Strike Force
 Uploaders: Timo Aaltonen
 Build-Depends:
 debhelper-compat (= 13),
@@ -16,6 +15,7 @@
 libgbm-dev,
 libnvidia-egl-wayland-dev,
 libpixman-1-dev,
+ libtirpc-dev,
 libxcvt-dev,
 libxfont-dev,
 libxkbfile-dev,
diff -Nru xwayland-23.2.4/dix/enterleave.c xwayland-23.2.6/dix/enterleave.c
--- xwayland-23.2.4/dix/enterleave.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/dix/enterleave.c 2024-04-09 09:23:44.000000000 +0000
@@ -619,11 +619,11 @@
 ev->first_valuator = first;
 switch (ev->num_valuators) {
 case 6:
- ev->valuator2 = v->axisVal[first + 5];
+ ev->valuator5 = v->axisVal[first + 5];
 case 5:
- ev->valuator2 = v->axisVal[first + 4];
+ ev->valuator4 = v->axisVal[first + 4];
 case 4:
- ev->valuator2 = v->axisVal[first + 3];
+ ev->valuator3 = v->axisVal[first + 3];
 case 3:
 ev->valuator2 = v->axisVal[first + 2];
 case 2:
diff -Nru xwayland-23.2.4/hw/xwayland/xwayland-glamor.c xwayland-23.2.6/hw/xwayland/xwayland-glamor.c
--- xwayland-23.2.4/hw/xwayland/xwayland-glamor.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/hw/xwayland/xwayland-glamor.c 2024-04-09 09:23:44.000000000 +0000
@@ -214,7 +214,7 @@
 static Bool
 xwl_get_formats(struct xwl_format *format_array, int format_array_len,
- uint32_t *num_formats, uint32_t **formats)
+ CARD32 *num_formats, CARD32 **formats)
 {
 *num_formats = 0;
 *formats = NULL;
@@ -235,9 +235,9 @@
 static Bool
 xwl_get_formats_for_device(struct xwl_dmabuf_feedback *xwl_feedback, drmDevice *device,
- uint32_t *num_formats, uint32_t **formats)
+ CARD32 *num_formats, CARD32 **formats)
 {
- uint32_t *ret = NULL;
+ CARD32 *ret = NULL;
 uint32_t count = 0;
 /* go through all matching sets of tranches for the window's device */
diff -Nru xwayland-23.2.4/hw/xwayland/xwayland-input.c xwayland-23.2.6/hw/xwayland/xwayland-input.c
--- xwayland-23.2.4/hw/xwayland/xwayland-input.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/hw/xwayland/xwayland-input.c 2024-04-09 09:23:44.000000000 +0000
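Review bot: The `switch (ev->num_valuators)` in dix/enterleave.c depends on every case falling through to the next, and none of the labels is annotated, which makes a cascade of near-identical assignments easy to misread. Add `/* fallthrough */` after each assignment so that implicit-fallthrough warnings and readers both treat the cascade as intentional. The hunk does not show where `num_valuators` is bounded against the axis count, so it is worth confirming that `first + 5` cannot index past `v->axisVal`. The function starts and ends outside the hunk.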
@@ -313,6 +313,13 @@
 axes_labels[0] = XIGetKnownProperty(AXIS_LABEL_PROP_REL_X);
 axes_labels[1] = XIGetKnownProperty(AXIS_LABEL_PROP_REL_Y);
+ /*
+ * We'll never send buttons, but XGetPointerMapping might in certain
+ * situations make the client think we have no buttons.
+ */
+ if (!init_pointer_buttons(device))
+ return BadValue;
+
 if (!InitValuatorClassDeviceStruct(device, NAXES, axes_labels, GetMotionHistorySize(), Relative))
 return BadValue;
diff -Nru xwayland-23.2.4/meson.build xwayland-23.2.6/meson.build
--- xwayland-23.2.4/meson.build 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/meson.build 2024-04-09 09:23:44.000000000 +0000
@@ -3,10 +3,10 @@
 'buildtype=debugoptimized',
 'c_std=gnu99',
 ],
- version: '23.2.4',
+ version: '23.2.6',
 meson_version: '>= 0.52.0',
 )
-release_date = '2024-01-16'
+release_date = '2024-04-09'
 add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
 cc = meson.get_compiler('c')
diff -Nru xwayland-23.2.4/render/glyph.c xwayland-23.2.6/render/glyph.c
--- xwayland-23.2.4/render/glyph.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/render/glyph.c 2024-04-09 09:23:44.000000000 +0000
@@ -245,10 +245,11 @@
 }
 }
-static void
+void
 FreeGlyph(GlyphPtr glyph, int format)
 {
 CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
+ BUG_RETURN(glyph->refcnt == 0);
 if (--glyph->refcnt == 0) {
 GlyphRefPtr gr;
 int i;
@@ -290,8 +291,6 @@
 gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, TRUE, glyph->sha1);
 if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
- FreeGlyphPicture(glyph);
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
 glyph = gr->glyph;
 } else if (gr->glyph != glyph) {
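Review bot: `FreeGlyph` in the first render/glyph.c hunk becomes an exported function without any comment stating its contract, and both arguments are used unchecked: `BUG_RETURN(glyph->refcnt == 0)` dereferences `glyph`, and `globalGlyphs[format]` is indexed before any validation. A header comment such as `/* Drop one reference on glyph; presumably releases it once the count reaches zero. format must be the depth index the glyph is hashed under. */` would tell callers outside this file what they own and what they must pass. The new `BUG_RETURN` only reports a count that is already zero, so the comment should also say that every call must be paired with a reference taken earlier. The rest of the function body lies outside the hunk.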
@@ -354,7 +353,7 @@
 glyph = (GlyphPtr) malloc(size);
 if (!glyph)
 return 0;
- glyph->refcnt = 0;
+ glyph->refcnt = 1;
 glyph->size = size + sizeof(xGlyphInfo);
 glyph->info = *gi;
 dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
diff -Nru xwayland-23.2.4/render/glyphstr.h xwayland-23.2.6/render/glyphstr.h
--- xwayland-23.2.4/render/glyphstr.h 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/render/glyphstr.h 2024-04-09 09:23:44.000000000 +0000
@@ -102,6 +102,9 @@
 extern void
 AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id);
+extern void
+FreeGlyph(GlyphPtr glyph, int format);
+
 extern Bool
 DeleteGlyph(GlyphSetPtr glyphSet, Glyph id);
diff -Nru xwayland-23.2.4/render/render.c xwayland-23.2.6/render/render.c
--- xwayland-23.2.4/render/render.c 2024-01-16 09:38:49.000000000 +0000
+++ xwayland-23.2.6/render/render.c 2024-04-09 09:23:44.000000000 +0000
@@ -1076,6 +1076,7 @@
 if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
 glyph_new->found = TRUE;
+ ++glyph_new->glyph->refcnt;
 } else {
 GlyphPtr glyph;
@@ -1168,8 +1169,10 @@
 err = BadAlloc;
 goto bail;
 }
- for (i = 0; i < nglyphs; i++)
+ for (i = 0; i < nglyphs; i++) {
 AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
+ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
+ }
 if (glyphsBase != glyphsLocal)
 free(glyphsBase);
@@ -1179,9 +1182,13 @@
 FreePicture((void *) pSrc, 0);
 if (pSrcPix)
 FreeScratchPixmapHeader(pSrcPix);
- for (i = 0; i < nglyphs; i++)
- if (glyphs[i].glyph && !glyphs[i].found)
- free(glyphs[i].glyph);
+ for (i = 0; i < nglyphs; i++) {
+ if (glyphs[i].glyph) {
+ --glyphs[i].glyph->refcnt;
+ if (!glyphs[i].found)
+ free(glyphs[i].glyph);
+ }
+ }
 if (glyphsBase != glyphsLocal)
 free(glyphsBase);
 return err;
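Review bot: The error path in the last render/render.c hunk releases the temporary reference with a raw `--glyphs[i].glyph->refcnt;`, while the success loop in the hunk before it uses `FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);`, so the two exits drop the same reference in different ways. For an entry with `found` set the raw decrement never frees, which is safe only if a glyph set still holds its own reference at that point; that invariant is not visible here and deserves a comment such as `/* found glyphs stay owned by their glyph set; only the lookup reference is dropped */`. New entries are released with plain `free()`, bypassing whatever cleanup `FreeGlyph` performs, so the comment should also say why nothing else is attached to them yet. The pairing with `glyph->refcnt = 1;` in render/glyph.c and `++glyph_new->glyph->refcnt;` in the first render.c hunk should be stated once next to the lookup. The enclosing function begins outside these hunks.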