Message-ID: <20251203042432.GA2645052@quokka>
Date: Wed, 3 Dec 2025 14:24:32 +1000
From: Peter Hutterer <peter.hutterer@...-t.net>
To: oss-security@...ts.openwall.com
Subject: FW: X.Org Security Advisory: multiple security issues in xkbcomp
======================================================================
X.Org Security Advisory: Wed 3, 2025
Issues in xkbcomp prior to version 1.5.0
======================================================================

Multiple issues have been found in xkbcomp that have previously
been published as CVEs in libxkbcommon. libxkbcommon is (to some degree)
a fork of xkbcomp and some of the code base is identical. These CVEs
were published earlier as:

- CVE-2018-15853: Endless recursion in xkbcomp/expr.c resulting in a crash
  https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/commit/da8367645
- CVE-2018-15859: NULL pointer dereference when parsing invalid atoms in ExprResolveLhs resulting in a crash
  https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/commit/895e080b2
- CVE-2018-15861: NULL pointer dereference in ExprResolveLhs resulting in a crash
  https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/commit/c34263540
- CVE-2018-15863: NULL pointer dereference in ResolveStateAndPredicate resulting in a crash
  https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/commit/fa10dbc2c

These four issues also affect xkbcomp. As the issues have been
effectively public for a while, there is no embargo. xkbcomp 1.5.0 is
available now and contains these fixes.

Many thanks to Pierre Le Marre for finding these issues in xkbcomp.