~ruther/guix-local

7954560698b77bc4326041993aa394240a7697f6 — John Kehayias 6 months ago 5dfb1d0
gnu: xorg-server: Update to 21.1.18 [security-fixes].

A previous version, 21.1.16, fixed the following CVEs:

CVE-2025-26594: Use-after-free of the root cursor
CVE-2025-26595: Buffer overflow in XkbVModMaskText()
CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
CVE-2025-26600: Use-after-free in PlayReleasedEvents()
CVE-2025-26601: Use-after-free in SyncInitTrigger()

See <https://lists.x.org/archives/xorg-announce/2025-February/003584.html> for
more information.

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.18.
(xorg-server-for-tests): Remain at 21.1.15.

Change-Id: I9160f0d55b103b806fdaee0786c4a63a2443cd24
Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>
1 files changed, 14 insertions(+), 6 deletions(-)

M gnu/packages/xorg.scm
M gnu/packages/xorg.scm => gnu/packages/xorg.scm +14 -6
@@ 5248,7 5248,7 @@ by the Xorg server.")
(define-public xorg-server
  (package
    (name "xorg-server")
    (version "21.1.15")
    (version "21.1.18")
    (source
     (origin
       (method url-fetch)
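Review bot: the `version` bump in xorg-server goes from 21.1.15 straight to 21.1.18, but the commit message only lists the CVEs fixed in 21.1.16. Since the commit is tagged [security-fixes], the message should say whether 21.1.17 and 21.1.18 carry further security fixes, or state that they do not, so the log entry accounts for all three releases being stepped over.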


@@ 5256,7 5256,7 @@ by the Xorg server.")
                           "/xserver/xorg-server-" version ".tar.xz"))
       (sha256
        (base32
         "12g0g9ksswzx1kgn23gvrpa570fnpkdkmw1dfqjjg4422a884744"))
         "0lk3268gzpll547zvaa64rdhs4z89d7w567lbd55swl71n9x2y68"))
       (patches
        (list
         ;; See:
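Review bot: the `(patches (list ...))` field after the new sha256 is carried over unchanged across a three-release jump. Please confirm that each listed patch still applies to the 21.1.18 tarball and has not been merged upstream in the meantime, and drop any that has. The new base32 hash should also be compared with the checksum published in the upstream release announcement, not only with the file that was downloaded.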


@@ 5374,7 5374,16 @@ draggable titlebars and borders.")
(define-public xorg-server-for-tests
  (hidden-package
   (package
     (inherit xorg-server))))
     (inherit xorg-server)
     (version "21.1.15")
     (source
      (origin
        (inherit (package-source xorg-server))
        (uri (string-append "https://xorg.freedesktop.org/archive/individual"
                            "/xserver/xorg-server-" version ".tar.xz"))
        (sha256
         (base32
          "12g0g9ksswzx1kgn23gvrpa570fnpkdkmw1dfqjjg4422a884744")))))))

;;; XXX: Not really at home, but unless we break the inheritance between
;;; tigervnc-server and xorg-server, it must live here to avoid cyclic module
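Review bot: xorg-server-for-tests is pinned with `(version "21.1.15")` and no comment, although the commit message says the listed CVEs were only fixed in 21.1.16. Add a comment on the definition stating why it stays behind (the reason is not visible in the hunk) and that it lacks those fixes, so nobody reuses it outside test suites. Note also that `(inherit (package-source xorg-server))` overrides only `uri` and `sha256`, so the `patches` list is inherited from the 21.1.18 origin, and any later change to that list will also be applied to the 21.1.15 tarball.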


@@ 7142,9 7151,8 @@ the server and cleaning up before returning the exit status of the command.")
    (license (list license:x11          ; the script
                   license:gpl2+))))    ; the man page

;; This package is intended to be used when building qtbase.
;; Note: It's currently marked as "hidden" to avoid having two non-eq?
;; packages with the same name and version.
;; This package is intended to be used when building qtbase, like
;; xorg-server-for-tests.
(define-public xvfb-run-for-tests
  (hidden-package
   (package
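Review bot: the rewritten comment above xvfb-run-for-tests drops the note explaining why the package is hidden (avoiding two non-eq? packages with the same name and version). Keep that sentence, or replace it with the current reason for `hidden-package`. Since the comment now points to xorg-server-for-tests, that definition should get a matching comment so the cross-reference leads to an explanation.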