Your message dated Tue, 02 Jun 2026 09:19:33 +0000
with message-id <[email protected]>
and subject line Bug#1138680: fixed in xwayland 2:24.1.12-1
has caused the Debian Bug report #1138680,
regarding xorg-server: multiple security issues fixed in X.Org X server in June
2026 release
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138680
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xorg-server
Version: 2:21.1.22-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi
>From https://lists.x.org/archives/xorg-announce/2026-June/003702.html:
=======================================================================
X.Org Security Advisory: June 2, 2026
Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================
Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.23 and xwayland-24.1.12.
Note that CVEs have been requested for these issues but did not get assigned in
time for this disclosure.
* Font Alias Stack-based Buffer Overflow
A mismatch between the X server and the libXfont2 library's maximum
font name length can cause a stack buffer overflow during font alias
resolution. The server allocates a 256 byte stack buffer but libXfont2's
alias target name length is 1024 bytes. A font alias name between 257
and 1023 bytes causes the X server to copy that name into the undersized
stack buffer without further checks.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30136)
* XSYNC Use-After-Free in miSyncDestroyFence()
A client that sets up multiple fence triggers can trigger a
use-after-free function pointer call. An attacker would connect to the
X server to set up a fence and await that fence, then a second X
connection destroys the fence, causing the use-after-free.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30159)
* XKB Key Types Stack-based Buffer Overflow
The X server has multiple stack buffers that are sized
XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
or clamp non-canonical key types to XkbMaxShiftLevel. A client can
change key types to excessive shift levels and trigger three separate
stack overflows.
This is caused by an incomplete fix of CVE-2025-26597.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30160)
* XKB SetMap Request Stack-based Buffer Overflow
_XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
indexed by key type index. The helper function CheckKeyTypes() writes
to this buffer at a client-controlled offset, allowing a stack buffer
overflow.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/867b59b33bee669cb412f1314e47c52eacf6e00b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30161)
* XSYNC Use-After-Free in FreeCounter()
A client that sets up multiple SyncCounters and awaits on those
triggers can trigger a use-after-free when destroying those counters
via a second client connection.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30163)
* XSYNC Use-After-Free in SyncChangeCounter()
A client that sets up multiple SyncCounters can trigger a use-after-free
when destroying those counters via a second client connection while
changing those counters.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdd7bf57af208b1ddf57d4683d67104443b44812
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30164)
* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write
A wrong size validation check in __glXDisp_ChangeDrawableAttributes()
can read (or write) a client-controlled number of bytes, exceeding
the request buffer.
The write path requires byte-swapped clients which is disabled by
default.
The read can lead to information disclosure, the write can be used
to crash the server, or for privilege escalation if the X server runs
as root.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/6d459e4daf715bea8abdafa8fb130be2f8a1d145
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30165)
* CreateSaverWindow Use-After-Free Information Disclosure
A client can trigger a use-after-free read after changing window
attributes and forcing the screen saver. This can lead to information
disclosure.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Found by: Anonymous working with TrendAI Zero Day Initiative.
(ZDI-CAN-30168)
* DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write
A client that requests multiple DRI2BufferBackLeft attachments and one
DRI2BufferFrontLeft can trigger an out-of-bounds heap write.
Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
Fix:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/339c279514326134b0878fc23ce6e9520440ce7f
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b7aa65cc3bb11b792ce2a3f511ba9b863acb11c8
Found by: Peter Hutterer, Red Hat.
So far no CVEs assigned.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xwayland
Source-Version: 2:24.1.12-1
Done: Timo Aaltonen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xwayland, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated xwayland package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 11:58:56 +0300
Source: xwayland
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 2:24.1.12-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 1138680
Changes:
xwayland (2:24.1.12-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1138680)
Checksums-Sha1:
f3f0679ed41d47c4c51ce7b883db5d02b59f94ab 2564 xwayland_24.1.12-1.dsc
4844f1a9fb495ad9c14990a8e230d9c538cf7dbf 1306052 xwayland_24.1.12.orig.tar.xz
2d7ff2f4b9da030cf72b9cf39fb1601b42e2c379 195 xwayland_24.1.12.orig.tar.xz.asc
c69aec998bd171a6913c61470c5162c3eb2128bd 35600 xwayland_24.1.12-1.debian.tar.xz
977d2c2c027f96de3169846f082b79a18b01716f 11201
xwayland_24.1.12-1_source.buildinfo
Checksums-Sha256:
4c20d9267c5fe00c0a1abc9608116e988426410ddfc64c3e77b5b9dbfd3ef43a 2564
xwayland_24.1.12-1.dsc
6df02c511b92c1b9848734d9d1b03a4c24f8375ba3cada44e9684a21b5f78e21 1306052
xwayland_24.1.12.orig.tar.xz
1b2ee4f67ecd653ce4aaa6a73febb6438c0ec6bbd7c49db09c12a40d1464190e 195
xwayland_24.1.12.orig.tar.xz.asc
04de1f5ec6f73f0993640df80ddb892b06869265a91caf2849f2e836bc18e79f 35600
xwayland_24.1.12-1.debian.tar.xz
9e0fcbc30e938194dc03504e1fcfcd426513190a5d0b515d21c26749abb9b73b 11201
xwayland_24.1.12-1_source.buildinfo
Files:
ad33e38f2973732f101daf0d4f5b6648 2564 x11 optional xwayland_24.1.12-1.dsc
0b50c13c4bc2a72a39daf322500cae34 1306052 x11 optional
xwayland_24.1.12.orig.tar.xz
ae871f61bc2cf859157011e83e4b3910 195 x11 optional
xwayland_24.1.12.orig.tar.xz.asc
8a0779b53b58b3ab4167ec38fcdc25a1 35600 x11 optional
xwayland_24.1.12-1.debian.tar.xz
4fd473fcf271d9d5fd60ff206a27689c 11201 x11 optional
xwayland_24.1.12-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmoem1oACgkQy3AxZaiJ
hNyUAg//WyJdEhQtGWGoC3dNNQZcfNIQOGQ/MPxzZs5VH10gP9eXs4C9Qy7znleB
WGlNbl4TR9vHbn1rfxwq/4kgEqUstiGXSXL+asiW26JEspLJtdGxxjIH+5SRWaJM
mSWXZxntpQgbujIbWQN6REfsbKkNWesUwL6yMAIeKWiP1ulqCaIkln5C1R+dUhB1
gPWCD4fY1elJwXyhHrJ0Tt3nxizJM4q+FWfDTCPNT7Ux2VR5gtQEDyv3O4nUP5Qy
XXUGUCG/Kzu7vCefpws37R3QtKVAkH5P1agkjBNu5xQiDek5nU3y6NU/STbwW2+y
dVLdkaLJ30BFuyFU96+9wY03jDKTuqdBXL8HjWMBunyIS9zyfVLFmZxn/9Htpbn/
JxOaJJEcWPyP+admKV0/C2/R4XAnbW0fxyVLzv4G6RUuUZ7sb+RO0cNga2Rrdhui
fDoQTeaUXxcInpn3bZKID4P2aVfIggD6cbaLjIxLm8QlklQqyKeSi3sKTjvCf/uK
T3exLQo0lV/A323+yhzAFrH6iVoFyCb+fKgFB1z628CdJs0MNzWWKeT2nj1U0+/m
gw2Nf1rE/NBmsAR7vEYf4PF6PsxxgxO+q8rXHKLQj3h7T0srP1c5SlG+wcbT1mR6
OU5ZvhUb9cFA75F5StPFBJifSEwYTLqLaYUOzxxk3dxYfTQdgLs=
=Ht0V
-----END PGP SIGNATURE-----
pgpkomD8_X3Pu.pgp
Description: PGP signature
--- End Message ---
