Bug 8504 - Upgrade Xorg-server
Summary: Upgrade Xorg-server
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.19.0
Assignee: Adam Halim
URL:
Keywords: relnotes
Depends on:
Blocks: 8485
Reported: 2025-01-30 13:08 CET by Alexander Zeijlon
Modified: 2025-03-10 13:01 CET

Acceptance Criteria:
MUST:
  * Xorg-server must be upgraded to the latest stable version
SHOULD:
  * X libraries must be upgraded to their latest stable version

Description Alexander Zeijlon cendio 2025-01-30 13:08:55 CET
We want to upgrade our Xorg-server and friends in preparation for the upcoming sync with upstream TigerVNC.
Comment 2 Adam Halim cendio 2025-01-30 13:54:45 CET
There has only been one release since our previous xorg-server upgrade, which is version 21.1.15 [1]. The release only has minor bugfixes.

[1] https://lists.x.org/archives/xorg-announce/2024-December/003576.html
Comment 3 Adam Halim cendio 2025-01-30 14:59:30 CET
Tested server build 3893 on RHEL 9, which included the xorg-server upgrade.

Did some simple testing (glxgears/xterm, firefox), as well as mouse/keyboard and clipboard testing. Everything seemed to work as expected.
Comment 6 Alexander Zeijlon cendio 2025-02-03 12:56:55 CET
The following libs have had newer versions released since last time we upgraded the xorg-server:

> libICE        1.1.1   -> 1.1.2    https://lists.x.org/archives/xorg-announce/2024-December/003568.html
> libSM         1.2.4   -> 1.2.5    https://lists.x.org/archives/xorg-announce/2024-December/003569.html
> libX11        1.8.9   -> 1.8.11   https://lists.x.org/archives/xorg-announce/2025-February/003582.html
> libXau        1.0.11  -> 1.0.12   https://lists.x.org/archives/xorg-announce/2024-December/003570.html
> libXcursor    1.2.2   -> 1.2.3    https://lists.x.org/archives/xorg-announce/2024-November/003549.html
> libXfont2     2.0.6   -> 2.0.7    https://lists.x.org/archives/xorg-announce/2024-August/003523.html
> libXi         1.8.1   -> 1.8.2    https://lists.x.org/archives/xorg-announce/2024-September/003530.html
> libXrender    0.9.11  -> 0.9.12   https://lists.x.org/archives/xorg-announce/2024-December/003567.html
> libXtst       1.2.4   -> 1.2.5    https://lists.x.org/archives/xorg-announce/2024-August/003525.html
> libXxf86vm    1.1.5   -> 1.1.6    https://lists.x.org/archives/xorg-announce/2024-December/003574.html
> libdrm        2.4.100 -> 2.4.124  https://lists.x.org/archives/xorg-announce/2024-December/003562.html
> libxcvt       0.1.2   -> 0.1.3    https://lists.x.org/archives/xorg-announce/2024-December/003571.html
> libxshmfence  1.3.2   -> 1.3.3    https://lists.x.org/archives/xorg-announce/2024-December/003572.html
> util-macros   1.20.1  -> 1.20.2   https://lists.x.org/archives/xorg-announce/2024-November/003556.html
> xtrans        1.5.0   -> 1.5.2    https://lists.x.org/archives/xorg-announce/2024-November/003554.html
Comment 7 Alexander Zeijlon cendio 2025-02-03 15:08:37 CET
Overall, there doesn't seem to be much that is noteworthy in the release announcements in comment 6. The changes mostly consist of general bug fixes.

There are, however, a couple of things that we may need to take a look at:

* libXau added the meson build system [1]. It still uses autotools, so for now
  there is no need to actually change anything in our spec-files.

  Note that meson builds do not generate la-files, which means that we would also
  need to rebuild other packages that reference la-file(s) generated by libXau.

* util-macros changed the behavior of the XORG_CHECK_MALLOC_ZERO [2], but I am
  not sure to what extent this could affect our builds.

* libXfont2 now has the configure option "--enable-year2038", autogenerated by
  autoconf >= 2.72, and currently untested [3].

* libxshmfence allows disabling memfd usage at runtime with XSHMFENCE_NO_MEMFD [4].
  I am not sure to what extent this could affect us.


[1] https://lists.x.org/archives/xorg-announce/2024-December/003570.html
[2] https://lists.x.org/archives/xorg-announce/2024-November/003556.html
[3] https://lists.x.org/archives/xorg-announce/2024-August/003523.html
[4] https://lists.x.org/archives/xorg-announce/2024-December/003572.html
Comment 8 Alexander Zeijlon cendio 2025-02-03 15:49:01 CET
Regarding libXau and meson in comment 7. Let's just take this as a heads-up that we may want to build with meson instead of autotools in the future.
Comment 9 Alexander Zeijlon cendio 2025-02-03 16:11:22 CET
Regarding libXfont2 and "--enable-year2038" in comment 7. While working on bug 8402, we encountered this issue. See bug 8402 comment 6 - bug 8402 comment 8.

There we concluded that this was something we don't want to enable since we are a bit behind in terms of version of glibc. Hence, we will not enable the feature when building libXfont2 either.
Comment 10 Alexander Zeijlon cendio 2025-02-03 16:29:55 CET
Regarding libxshmfence and XSHMFENCE_NO_MEMFD, this change allows disabling the usage of memfd, which results in a fallback behavior to usage of /dev/shm [1], which is also a shared memory mechanism in Unix-like OSes. This change was introduced as a part of making running games possible on M1 devices [2].

Hence, it should be OK, since it only toggles between two already known methods for handling shared memory. I am not sure if we need to investigate this a bit further.

[1] https://gitlab.freedesktop.org/xorg/lib/libxshmfence/-/merge_requests/9
[2] https://asahilinux.org/2024/10/aaa-gaming-on-asahi-linux/
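
The memfd versus /dev/shm choice discussed in comment 10, as an added C illustration (not libxshmfence source and not part of the original thread). The function and enum names, the rule that any value of XSHMFENCE_NO_MEMFD disables memfd, and the /tmp last resort are assumptions made for the example.

```c
/* Added illustration: pick a shared-memory backing for a fence page,
 * skipping memfd when XSHMFENCE_NO_MEMFD is set in the environment. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif

enum shm_backing { BACKING_NONE, BACKING_MEMFD, BACKING_FILE };

/* Hypothetical helper: temp file in dir, unlinked right away so no name
 * stays on the filesystem for another process to open. */
static int anon_file_in(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/fence-demo-XXXXXX", dir);
    int fd = mkstemp(path);              /* glibc creates it with mode 0600 */
    if (fd < 0)
        return -1;
    unlink(path);
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    return fd;
}

/* Returns an fd sized to `size`, or -1; *used reports the path taken. */
int alloc_fence_fd(size_t size, enum shm_backing *used)
{
    int fd = -1;
    *used = BACKING_NONE;
#ifdef SYS_memfd_create
    if (getenv("XSHMFENCE_NO_MEMFD") == NULL) {   /* assumed: any value disables */
        fd = (int)syscall(SYS_memfd_create, "fence-demo", MFD_CLOEXEC);
        if (fd >= 0)
            *used = BACKING_MEMFD;       /* never had a filesystem name */
    }
#endif
    if (fd < 0 && (fd = anon_file_in("/dev/shm")) >= 0)
        *used = BACKING_FILE;
    if (fd < 0 && (fd = anon_file_in("/tmp")) >= 0)   /* assumed last resort */
        *used = BACKING_FILE;
    if (fd >= 0 && ftruncate(fd, (off_t)size) != 0) {
        close(fd);
        fd = -1;
        *used = BACKING_NONE;
    }
    return fd;
}
```

With the variable set, the backing briefly exists as a named file under /dev/shm before the unlink, so the restrictive creation mode is what keeps other users out during that window.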
Comment 11 Alexander Zeijlon cendio 2025-02-04 14:23:25 CET
Regarding util-macros and XORG_CHECK_MALLOC_ZERO, this is a configure.ac-macro which checks if the malloc, present at time of running configure, returns NULL or not when provided a size of zero.

We aren't using this macro in the ThinLinc source, and otherwise we will have to assume that it is used properly in e.g. the libs we build for cenbuild.
Comment 15 Alexander Zeijlon cendio 2025-02-11 11:32:08 CET
Xorg-server and libs have been upgraded to their latest versions. Note that we did not upgrade mesa.

We could look at upgrading mesa to version 22.2.5. This is the latest version we can upgrade to before getting a rust compiler in cenbuild.

> MUST:
>   * Xorg-server must be upgraded to the 
>     latest stable version
Upgraded to 21.1.15

> SHOULD:
>   * X libraries must be upgraded to their 
>     latest stable version
All libs but mesa have been upgraded.
Comment 16 Pierre Ossman cendio 2025-02-17 14:05:29 CET
Upgrade of xorg-server looks good. We are indeed using the latest version. I compared the diff we have compared to upstream and didn't see any changes before or after the update.

Libraries seem to all have been updated. Commits look good.

Could not see any issues running applications in the session, or with the client on X11 (client will get more testing as part of the TigerVNC and FLTK upgrades).

> MUST:
>   * Xorg-server must be upgraded to the 
>     latest stable version

Yup.

> SHOULD:
>   * X libraries must be upgraded to their 
>   latest stable version

Yup. With the exception of the already mentioned mesa.
Comment 17 Pierre Ossman cendio 2025-03-03 13:50:24 CET
A new release is out with a bunch of CVEs. Let's upgrade to that.
Comment 19 Pierre Ossman cendio 2025-03-03 14:40:00 CET
Published CVEs:

CVE-2025-26594: Use-after-free of the root cursor 
CVE-2025-26595: Buffer overflow in XkbVModMaskText() 
CVE-2025-26596: Heap overflow in XkbWriteKeySyms() 
CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey() 
CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient() 
CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow() 
CVE-2025-26600: Use-after-free in PlayReleasedEvents() 
CVE-2025-26601: Use-after-free in SyncInitTrigger() 

Like most of the earlier CVEs, this could lead to executing malicious code. But also like earlier CVEs, the security implications for ThinLinc are minimal as Xvnc doesn't run with any increased privileges, and only applications run as the user can theoretically exploit these issues.
Comment 21 Pierre Ossman cendio 2025-03-04 10:17:06 CET
Seems to work well. The changes touched keyboard and mouse input, composite, and the sync extension. All but the last one are easily used just by running a normal desktop. The sync extension is mostly used for accelerated OpenGL, so it's not normally used in ThinLinc. We'll have to trust upstream on that one.
Comment 22 Adam Halim cendio 2025-03-10 13:01:59 CET
Tested server build 3944 on RHEL 9.

Did some simple tests (glxgears/xterm, firefox), as well as mouse/keyboard and clipboard testing. Everything seemed to work as expected.

> MUST:
>   * Xorg-server must be upgraded to the 
>     latest stable version
Indeed, we have the latest version.
> SHOULD:
>   * X libraries must be upgraded to their 
>     latest stable version
Some X libraries got new releases just yesterday, but the changes did not seem significant.