Alex Goins (1):
      glamor: Update pixmap's devKind when making it exportable
Arthur Williams (1):
      include: Increase the number of max. input devices to 256.
Bernhard Übelacker (1):
      os: Fix instruction pointer written in xorg_backtrace
Greg V (1):
      xwayland: use drmGetNodeTypeFromFd for checking if a node is a render one
Kishore Kadiyala (1):
      modesetting: keep going if a modeset fails on EnterVT
Martin Peres (1):
      modesetting: check the kms state on EnterVT
Matt Turner (1):
      xserver 1.20.10
Matthieu Herrb (2):
      Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows
      Check SetMap request length carefully.
Michel Dänzer (10):
      glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling
      xfree86: Take second reference for SavedCursor in xf86CursorSetCursor
      present/wnmd: Can't use page flipping for windows clipped by children
      xwayland: Check window pixmap in xwl_present_check_flip2
      present/wnmd: Remove dead check from present_wnmd_check_flip
      present: Move flip target_msc adjustment out of present_vblank_create
      present: Add present_vblank::exec_msc field
      present/wnmd: Move up present_wnmd_queue_vblank
      present/wnmd: Execute copies at target_msc-1 already
      present/wnmd: Translate update region to screen space
Olivier Fourdan (8):
      Revert "linux: Fix platform device probe for DT-based PCI"
      Revert "linux: Fix platform device PCI detection for complex bus topologies"
      Revert "linux: Make platform device probe less fragile"
      xwayland: Do not discard frame callbacks on allow commits
      xwayland: Remove pending stream reference when freeing
      xwayland: non-rootless requires the wl_shell protocol
      xwayland: Create an xwl_window for toplevel only
      configure: Build hashtable for Xres and glvnd
xorg-server 1.20.9, couldn't find a tarball).
X.Org security advisory: July 31, 2020
X Server Pixel Data Uninitialized Memory Information Disclosure
===============================================================
CVE-2020-14347
Allocation for pixmap data in AllocatePixmap() does not initialize the
memory in xserver, it leads to leaking uninitialized heap memory to
clients. When the X server runs with elevated privileges.
This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to privilege elevation in the
client.
Patch
=====
A patch for this issue has been committed to the xorg server git
repository. xorg-server 1.20.9 will be released shortly and will
include this patch.
https://gitlab.freedesktop.org/xorg/xserver.git
diff --git a/dix/pixmap.c b/dix/pixmap.c
index 1186d7dbb..5a0146bbb 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
return NullPixmap;
- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
if (!pPixmap)
return NullPixmap;
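Review bot: the calloc(1, ...) line carries no comment saying that the zeroing is what keeps stale heap contents out of pixel data later returned to clients, so a future cleanup could swap it back to malloc for speed; a one-line comment directly above the allocation would pin the intent down. Separately, the size is still computed as pScreen->totalPixmapSize + pixDataSize with pixDataSize a signed int per the function signature, and the guard on the context line above is written for a non-negative size, so an explicit rejection of pixDataSize < 0 before the allocation would make that assumption checkable.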
Thanks
======
This vulnerability was discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.
1.20.6
A variety of bugfixes across the board, primarily in Xwayland and PRIME.
This release also includes GLX vendor selection support. Thanks to all
who contributed with testing and fixes!
Aaron Plattner (3):
      GLX: Set GlxServerExports::{major,minor}Version
      xfree86: Call ScreenInit for protocol screens before GPU screens
      os: Don't crash in AttendClient if the client is gone
Adam Jackson (7):
      xwayland: Expand the RANDR screen size limits
      miext/sync: Fix needless ABI change
      glx: Fix previous context validation in xorgGlxMakeCurrent
      meson: Fix another reference to "gl" 9.2.0
      meson: Apparently 1.2 is < 1.2.0
      mi: Add a default no-op miSourceValidate
      dix: Call SourceValidate before GetImage
Alex Goins (5):
      xsync: Add resource inside of SyncCreate, export SyncCreate
      randr: Fix RRCrtcDetachScanoutPixmap() segfault during server teardown
      modesetting: Fix ms_covering_crtc() segfault with non-modesetting slave primary
      modesetting: Fix ms_covering_crtc() segfault with non-xf86Crtc slave
      modesetting: Implement ms_covering_randr_crtc() for ms_present_get_crtc()
Alexander Tsoy (1):
      configure: Set libdrm flags correctly if only XORG is enabled
Alexander Volkov (1):
      shm: Use memfd_create when possible
Andres Rodriguez (1):
      xf86: Disable unused crtc functions when a lease is revoked
Carlos Garnacho (4):
      xwayland: Reset scheduled frames after hiding tablet cursor
      xwayland: Separate DamagePtr into separate window data
      xwayland: Refactor surface creation into a separate function
      xwayland: Handle the case of windows being realized before redirection
Eric Anholt (2):
      shm: reindent shm_tmpfile to follow our standards.
      shm: Pick the shm dir at run time, not build time.
Hans de Goede (1):
      glamor/xwayland: Define EGL_NO_X11
Kyle Brenneman (3):
      GLX: Add a per-client vendor mapping.
      GLX: Use the sending client for looking up XID's
      GLX: Add a function to change a clients vendor list.
Marco Trevisan (Treviño) (1):
      Xi: Use current device active grab to deliver touch events if any
Marvin Schmidt (1):
      build: glx: Lower gl version to work with libglvnd
Matt Roper (1):
      dri2: Sync i965_pci_ids.h from mesa
Matt Turner (3):
      dix: Assert noPanoramiXExtension is false in PanoramiX code
      xfree86: Test presence of isastream()
      xserver 1.20.6
Michel Dänzer (2):
      Revert "present/scmd: Check that the flip and screen pixmap pitches match"
      miext/sync: Make struct _SyncObject::initialized fully ABI compatible
Olivier Fourdan (7):
      xwayland: Avoid a crash on pointer enter with a grab
      xwayland: Check status in GBM pixmap creation
      glamor: Make pixmap exportable from `gbm_bo_from_pixmap()`
      xwayland: Update screen pixmap on output resize
      xwayland: Do not free a NULL GBM bo
      compiler.h: Do not include sys/io.h on ARM with glibc
      present/wnmd: Relax assertion on CRTC on abort_vblank()
Samuel Thibault (2):
      Fix crash on XkbSetMap
      Fix crash on XkbSetMap
Sven Joachim (1):
      modesetting: Fix broken manpage in autoconf build
1.20.5
Minor bugfix release to fix some input, Xwayland, glamor, and Present
issues. Thanks to all who contributed fixes and testing.
Adam Jackson (1):
      xserver 1.20.5
Michel Dänzer (3):
      Revert "gitlab-ci: Only run docker-image stage if relevant source files change"
      xwayland/present: Destroy sync_callback in xwl_present_cleanup
      present/scmd: Check that the flip and screen pixmap pitches match
Olivier Fourdan (2):
      xwayland: search for a render node to use
      glamor: pixmap FBO may not be allocated
Peter Hutterer (2):
      xwayland: fix a realloc OOM error case
      dix: leave last.valuators alone on slave switch
Ray Strode (1):
      dix: ensure work queues are cleared on reset
XWayland is a fully fledged X server implementation that acts as a proxy
between X11 clients and a Wayland compositor.
It runs as a specialized Wayland client, while optionally using a set of
XWayland specific Wayland protocols for implementing certain functionality.
The Wayland compositor acts both as the Wayland display server XWayland
connects to, as well as the window manager.
> Mark xephyr as not for Darwin for now.
>
> Should be possible to support but the Darwin xorg-server build assumes
> it is going to build xquartz and nothing else.
Classic description of "broken" :-)
1.17.4:
Fixes an uninitialized fd_set
1.17.3:
Various bugfixes across the board. The most visible changes include
fixing GLX extension setup under Xwayland and other non-Xorg servers
(enabling core contexts in more scenarios), and various stability fixes
to glamor and the Present extension.
A kdrive based X Server which targets a window on a host X Server as its
framebuffer.
Unlike Xnest it supports modern X extensions (even if host server
doesn't) such as Composite, Damage, randr etc (no GLX support now). It
uses SHM Images and shadow framebuffer updates to provide good
performance. It also has a visual debugging mode for observing screen
updates.