xorg-x11-server-1.20.11-28.el9_6

Errata ID: AXSA:2025-10229:01

Release date: Monday, June 30, 2025 - 18:27
Subject: xorg-x11-server-1.20.11-28.el9_6
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

Security Fix(es):

* xorg-x11-server: tigervnc: heap-based buffer overflow privilege escalation vulnerability (CVE-2024-9632)
* X.Org: Xwayland: Use-after-free of the root cursor (CVE-2025-26594)
* xorg: xwayland: Use-after-free in SyncInitTrigger() (CVE-2025-26601)
* xorg: xwayland: Use-after-free in PlayReleasedEvents() (CVE-2025-26600)
* xorg: xwayland: Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599)
* xorg: xwayland: Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598)
* xorg: xwayland: Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597)
* xorg: xwayland: Heap overflow in XkbWriteKeySyms() (CVE-2025-26596)
* Xorg: xwayland: Buffer overflow in XkbVModMaskText() (CVE-2025-26595)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9 Release Notes linked from the References section.

CVE-2024-9632
A flaw was found in the X.org server. Because _XkbSetCompatMap does not correctly track the size of the allocation it writes into, a local attacker with access to the X server can trigger a heap-based buffer overflow with a specially crafted request, leading to denial of service or, on distributions where the X.org server runs with root privileges, local privilege escalation.
CVE-2025-26594
A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.
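As an added illustration (not code from X.Org, Xwayland or this errata), the ownership mistake behind this flaw reduced to a refcounted object and a global pointer. The cursor type, the pool allocator and the function names are assumptions made for the example, and a destroyed object is marked freed instead of being passed to free() so that the dangling reference can be inspected without undefined behaviour. The vulnerable setter aliases the client's object; the fixed one takes a reference of its own, which is what keeps the global valid after the client frees its resource:

```c
#include <stdio.h>

/* Simplified model of a refcounted server object (illustrative names,
 * not the X server's own types). */
struct cursor {
    int refcnt;
    int freed;   /* set instead of calling free(), so a dangling use can be
                  * observed safely in this example */
};

/* Constructed stand-in for the heap: a small ring of cursor slots. */
static struct cursor cursor_pool[4];
static int pool_next;

static struct cursor *cursor_alloc(void)
{
    struct cursor *c = &cursor_pool[pool_next++ % 4];
    c->refcnt = 1;     /* the creating client's reference */
    c->freed = 0;
    return c;
}

/* Drops one reference; the last one destroys the object. */
static void cursor_unref(struct cursor *c)
{
    if (--c->refcnt == 0)
        c->freed = 1;  /* real code would free() here */
}

/* The server keeps the root cursor in a global variable. */
static struct cursor *root_cursor;

/* Vulnerable pattern: the global aliases the client's object without
 * owning a reference, so the client's FreeCursor destroys it underneath. */
static void set_root_cursor_vuln(struct cursor *c)
{
    root_cursor = c;
}

/* Fixed pattern: the global holds its own reference, released only when
 * the server replaces or tears down the root cursor. */
static void set_root_cursor_fixed(struct cursor *c)
{
    if (root_cursor)
        cursor_unref(root_cursor);
    c->refcnt++;
    root_cursor = c;
}

/* Scenario: a client creates a cursor, it becomes the root cursor, and the
 * client then frees its resource. Returns 1 if root_cursor now refers to
 * a destroyed object (the use-after-free condition), 0 otherwise. */
int root_cursor_dangles(int use_fixed)
{
    root_cursor = NULL;
    struct cursor *c = cursor_alloc();
    if (use_fixed)
        set_root_cursor_fixed(c);
    else
        set_root_cursor_vuln(c);
    cursor_unref(c);            /* the client's FreeCursor */
    return root_cursor->freed;
}

int main(void)
{
    printf("vulnerable: root cursor dangling = %d\n", root_cursor_dangles(0));
    printf("fixed:      root cursor dangling = %d\n", root_cursor_dangles(1));
    return 0;
}
```

The same shape applies to any server-side global that caches a client-owned resource: whoever stores the pointer must hold a reference, or the resource's lifetime is controlled by the client.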
CVE-2025-26595
A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
CVE-2025-26596
A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
CVE-2025-26597
A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
CVE-2025-26598
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches the barrier client's per-device list for the pointer device with a given device ID and is meant to return the matching entry, or NULL if there is none. If no device ID matches, however, the code returns the last element of the list instead of NULL, and the caller, which treats a non-NULL result as a valid entry, then accesses memory out of bounds through it.
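An added example, not the X server's own code, of the list-walk mistake the description refers to: with an intrusive circular list in the xorg_list style, the loop variable examined after an exhausted traversal is not NULL but points at the container of the list head, which is not an entry at all. The list macros, struct names and device IDs below are assumptions made for the illustration; the vulnerable lookup sits beside the fixed one, which uses a separate cursor variable and returns the result only on a real match:

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal intrusive circular list, modelled on the xorg_list idiom
 * (illustrative names, not the X server's own). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_append(struct list_head *n, struct list_head *h)
{
    n->next = h;
    n->prev = h->prev;
    h->prev->next = n;
    h->prev = n;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

#define list_for_each_entry(pos, head, type, member)            \
    for ((pos) = container_of((head)->next, type, member);     \
         &(pos)->member != (head);                              \
         (pos) = container_of((pos)->member.next, type, member))

struct barrier_device {        /* per-device state of a barrier client */
    int deviceid;
    struct list_head entry;
};

struct barrier_client {
    struct list_head per_device;
};

/* Vulnerable pattern: when nothing matches, the loop leaves pbd pointing
 * at container_of(&c->per_device), bytes around the client struct that
 * are not a barrier_device. The caller treats non-NULL as "found" and
 * reads and writes through it. */
struct barrier_device *get_barrier_device_vuln(struct barrier_client *c, int deviceid)
{
    struct barrier_device *pbd = NULL;
    list_for_each_entry(pbd, &c->per_device, struct barrier_device, entry) {
        if (pbd->deviceid == deviceid)
            break;
    }
    return pbd;
}

/* Fixed pattern: iterate with p, assign the result only on a real match,
 * so NULL is returned when the list holds no such device. */
struct barrier_device *get_barrier_device_fixed(struct barrier_client *c, int deviceid)
{
    struct barrier_device *p, *pbd = NULL;
    list_for_each_entry(p, &c->per_device, struct barrier_device, entry) {
        if (p->deviceid == deviceid) {
            pbd = p;
            break;
        }
    }
    return pbd;
}

/* Builds a client with two constructed devices (ids 2 and 5) and looks up
 * deviceid. Returns 0 for NULL, the id for a genuine entry, or -1 when the
 * returned pointer is not one of the list's entries (the pointer whose
 * dereference would be the out-of-bounds access). */
int lookup_result(int use_fixed, int deviceid)
{
    struct barrier_client c;
    struct barrier_device d1 = { 2, { NULL, NULL } };
    struct barrier_device d2 = { 5, { NULL, NULL } };
    list_init(&c.per_device);
    list_append(&d1.entry, &c.per_device);
    list_append(&d2.entry, &c.per_device);

    struct barrier_device *r = use_fixed ? get_barrier_device_fixed(&c, deviceid)
                                         : get_barrier_device_vuln(&c, deviceid);
    if (r == NULL)
        return 0;
    if (r == &d1 || r == &d2)
        return r->deviceid;
    return -1;
}

int main(void)
{
    printf("vulnerable, unknown id: %d (-1 = bogus pointer)\n", lookup_result(0, 99));
    printf("fixed, unknown id:      %d (0 = NULL)\n", lookup_result(1, 99));
    printf("fixed, id 5:            %d\n", lookup_result(1, 5));
    return 0;
}
```

The check to carry into review of similar code: after any list_for_each_entry-style loop, the iteration variable must never be used as a "found" indicator; only a value assigned inside the match branch is meaningful.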
CVE-2025-26599
An uninitialized-pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() can fail if it cannot allocate the backing pixmap. In that case compRedirectWindow() returns a BadAlloc error without validating the window tree it had just marked, which leaves the validation data partly initialized; the uninitialized pointer is then used later.
CVE-2025-26600
A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
CVE-2025-26601
A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.

Solution: 

Update the affected packages to 1.20.11-28.el9_6 or later. Verify downloaded RPMs against the SHA-256 values listed below before installing. A running X server (Xorg, Xvfb, Xnest, Xephyr or Xdmx) keeps executing the old code until it is restarted, so restart display sessions after the update.

Additional Info: 

N/A

Download: 

SRPMS
  1. xorg-x11-server-1.20.11-28.el9_6.src.rpm
    MD5: 28968797835ce4f3676e267c30a8c97e
    SHA-256: 9785836a3c47650c19bfe0f949d6d4414fb7b5c0e359f067b551df57aeaf921c
    Size: 6.30 MB

Asianux Server 9 for x86_64
  1. xorg-x11-server-common-1.20.11-28.el9_6.x86_64.rpm
    MD5: 19101fe18cdbc3a616456761b36e6699
    SHA-256: 9b38f46557e55d9d5e1e4a1ca855109b67a27518b18097921058c56904ea33fe
    Size: 33.93 kB
  2. xorg-x11-server-devel-1.20.11-28.el9_6.i686.rpm
    MD5: ab00613a25d9f71056d246f5c0266b34
    SHA-256: 6bbb83370e9f8e406a84fe8304d275924ed9f25304d398cbe226b1b347837f10
    Size: 251.45 kB
  3. xorg-x11-server-devel-1.20.11-28.el9_6.x86_64.rpm
    MD5: 14c38b9a92a109a2b2e7b58601bdf42d
    SHA-256: e47feeffbd5a2ad1bfd43fb41d4f69a25f07abc4902c71df318b812c48bde748
    Size: 251.52 kB
  4. xorg-x11-server-source-1.20.11-28.el9_6.noarch.rpm
    MD5: 53d3740de5716207644f008934c6151c
    SHA-256: 276d3317f2c39feaf4539b479135b7db6e34f654eafc7a0abf5f015ae5d040fd
    Size: 2.37 MB
  5. xorg-x11-server-Xdmx-1.20.11-28.el9_6.x86_64.rpm
    MD5: 32c310e7dc1c9d61786a74099120faf9
    SHA-256: 73f1bb33fd2ebca88c212b3af0c0d44361ccbe32ba823988ca11ce4a1140af1a
    Size: 899.28 kB
  6. xorg-x11-server-Xephyr-1.20.11-28.el9_6.x86_64.rpm
    MD5: 4d5d860b6b1a86ffdc2a5991ea60e3a9
    SHA-256: 219b31ae8f21f544cc6f2512965d5c8bab940863bf9b335b58e6a714ec67a179
    Size: 1.01 MB
  7. xorg-x11-server-Xnest-1.20.11-28.el9_6.x86_64.rpm
    MD5: 70a7a66bbf0f6ba7cf6586bfefb75393
    SHA-256: 9612490629db3c0e16ed8e4cc5658acffa9f4728525ee757c17fbb849c9bcd73
    Size: 718.24 kB
  8. xorg-x11-server-Xorg-1.20.11-28.el9_6.x86_64.rpm
    MD5: 1000f7110a121b6b26c9524cebfd30b3
    SHA-256: 070056e197e326bde6219b47b0466aaa6723157e98415aa4ba5b42841fdd17b8
    Size: 1.46 MB
  9. xorg-x11-server-Xvfb-1.20.11-28.el9_6.x86_64.rpm
    MD5: 0c70b84a6bbb94fded8378adc48a979c
    SHA-256: 208f72ea514bc8af90fbf8836a1b5ef536155f23768d695f39c40e3490db9111
    Size: 894.32 kB