Описание
Security update for xorg-x11-server
This update for xorg-x11-server fixes the following issues:
- CVE-2025-26594: Use-after-free of the root cursor (bsc#1237427).
- CVE-2025-26595: Buffer overflow in XkbVModMaskText() (bsc#1237429).
- CVE-2025-26596: Heap overflow in XkbWriteKeySyms() (bsc#1237430).
- CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey() (bsc#1237431).
- CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient() (bsc#1237432).
- CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow() (bsc#1237433).
- CVE-2025-26600: Use-after-free in PlayReleasedEvents() (bsc#1237434).
- CVE-2025-26601: Use-after-free in SyncInitTrigger() (bsc#1237435).
Список пакетов
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Linux Enterprise Workstation Extension 15 SP6
Ссылки
- Link for SUSE-SU-2025:0733-1
- E-Mail link for SUSE-SU-2025:0733-1
- SUSE Security Ratings
- SUSE Bug 1237427
- SUSE Bug 1237429
- SUSE Bug 1237430
- SUSE Bug 1237431
- SUSE Bug 1237432
- SUSE Bug 1237433
- SUSE Bug 1237434
- SUSE Bug 1237435
- SUSE CVE CVE-2025-26594 page
- SUSE CVE CVE-2025-26595 page
- SUSE CVE CVE-2025-26596 page
- SUSE CVE CVE-2025-26597 page
- SUSE CVE CVE-2025-26598 page
- SUSE CVE CVE-2025-26599 page
- SUSE CVE CVE-2025-26600 page
- SUSE CVE CVE-2025-26601 page
Описание
A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.
Затронутые продукты
Ссылки
- CVE-2025-26594
- SUSE Bug 1237427
Описание
A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
Затронутые продукты
Ссылки
- CVE-2025-26595
- SUSE Bug 1237429
Описание
A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
Затронутые продукты
Ссылки
- CVE-2025-26596
- SUSE Bug 1237430
Описание
A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
Затронутые продукты
Ссылки
- CVE-2025-26597
- SUSE Bug 1237431
Описание
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
Затронутые продукты
Ссылки
- CVE-2025-26598
- SUSE Bug 1237432
Описание
An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
Затронутые продукты
Ссылки
- CVE-2025-26599
- SUSE Bug 1237433
Описание
A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
Затронутые продукты
Ссылки
- CVE-2025-26600
- SUSE Bug 1237434
Описание
A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
Затронутые продукты
Ссылки
- CVE-2025-26601
- SUSE Bug 1237435