From 7954560698b77bc4326041993aa394240a7697f6 Mon Sep 17 00:00:00 2001
From: John Kehayias
Date: Fri, 12 Sep 2025 00:16:06 -0400
Subject: [PATCH] gnu: xorg-server: Update to 21.1.18 [security-fixes].

A previous version, 21.1.16, fixed the following CVEs:
CVE-2025-26594: Use-after-free of the root cursor
CVE-2025-26595: Buffer overflow in XkbVModMaskText()
CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
CVE-2025-26600: Use-after-free in PlayReleasedEvents()
CVE-2025-26601: Use-after-free in SyncInitTrigger()
See for more information.

* gnu/packages/xorg.scm (xorg-server): Update to 21.1.18.
(xorg-server-for-tests): Remain at 21.1.15.

Change-Id: I9160f0d55b103b806fdaee0786c4a63a2443cd24
Signed-off-by: Maxim Cournoyer
---
 gnu/packages/xorg.scm | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index e7c6b61e0652a15cb6b677fd4cdade41ce07279f..bd488ba160a7a18a9f1aff6eea98d7e699f535de 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -5248,7 +5248,7 @@ by the Xorg server.")
 (define-public xorg-server
 (package
 (name "xorg-server")
- (version "21.1.15")
+ (version "21.1.18")
 (source
 (origin
 (method url-fetch)
@@ -5256,7 +5256,7 @@ by the Xorg server.")
 "/xserver/xorg-server-" version ".tar.xz"))
 (sha256
 (base32
- "12g0g9ksswzx1kgn23gvrpa570fnpkdkmw1dfqjjg4422a884744"))
+ "0lk3268gzpll547zvaa64rdhs4z89d7w567lbd55swl71n9x2y68"))
 (patches
 (list
 ;; See:
@@ -5374,7 +5374,16 @@ draggable titlebars and borders.")
 (define-public xorg-server-for-tests
 (hidden-package
 (package
- (inherit xorg-server))))
+ (inherit xorg-server)
+ (version "21.1.15")
+ (source
+ (origin
+ (inherit (package-source xorg-server))
+ (uri (string-append "https://xorg.freedesktop.org/archive/individual"
+ "/xserver/xorg-server-" version ".tar.xz"))
+ (sha256
+ (base32
+ "12g0g9ksswzx1kgn23gvrpa570fnpkdkmw1dfqjjg4422a884744")))))))
 
 ;;; XXX: Not really at home, but unless we break the inheritance between
 ;;; tigervnc-server and xorg-server, it must live here to avoid cyclic module
@@ -7142,9 +7151,8 @@ the server and cleaning up before returning the exit status of the command.")
 (license (list license:x11 ; the script
 license:gpl2+)))) ; the man page
 
-;; This package is intended to be used when building qtbase.
-;; Note: It's currently marked as "hidden" to avoid having two non-eq?
-;; packages with the same name and version.
+;; This package is intended to be used when building qtbase, like
+;; xorg-server-for-tests.
 (define-public xvfb-run-for-tests
 (hidden-package
 (package
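Review bot: In the `xorg-server-for-tests` hunk (`@@ -5374,7 +5374,16 @@`), the variant is pinned at 21.1.15 with no comment in the code, although the commit message says 21.1.16 fixed CVE-2025-26594 through CVE-2025-26601, so this package keeps those memory-safety bugs. The pin is presumably there to avoid rebuilding everything that uses the test server, but the code does not say so. A comment above `(version "21.1.15")` would record the reason and the limit on its use, for example `;; Kept at 21.1.15, presumably to limit rebuilds; lacks the fixes from 21.1.16 on (CVE-2025-26594 to CVE-2025-26601). For build-time tests only; re-inherit from xorg-server at the next large rebuild.` The new origin also inherits `patches` from `xorg-server`, so a patch later written against 21.1.18 would be applied to the 21.1.15 tarball as well, which the same comment could mention.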