see https://www.x.org/wiki/Development/Security/
Created attachment 264994
Remove bugs subdir from test/meson.build

test/meson.build references a non-existing bugs directory.
Created attachment 265154
Patch to upgrade to 21.1.20

It appears that 21.1.19 was superseded within a few hours by 21.1.20. Here's a patch to do that update. I applied the other patch as well though I don't know if that was necessary. Anyway, the result builds and runs.
(In reply to George Mitchell from comment #2)
> I applied the other patch as well though I don't know if that was necessary.

No, that patch is obsolete with 21.1.20. That release fixes the meson build issue.
builds fine over here
Comment on attachment 265154
Patch to upgrade to 21.1.20

maintainer timeout
I accidentally duplicated this over on Phab [1], spending my afternoon yesterday testing this without being aware this issue existed. I will note that the title of this issue is bad, and likely why I missed it. You have a patch for 21.1.20 within an issue which lists 21.1.19 in the title. It would have helped if the title had been changed to reflect the changes listed within the issue (that 21.1.19 is superseded by 21.1.20). In any case, apologies for the duplicate.

[1] reviews.freebsd.org/D53849
I see while drafting that comment the title has been updated. Thank you!
Vuxml report for CVEs: https://www.vuxml.org/freebsd/e99a32c8-b8e2-11f0-8510-b42e991fc52e.html

CVE-2025-62229 - Use after free within xorg server
CVE-2025-62230 - Use after free within xorg server keyboard extension
CVE-2025-62231 - Overflow leading to memory corruption within xorg server keyboard extension
(In reply to Philip Jocks from comment #4)
Builds and works fine here (Intel integrated GPU).
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=34de5acb0688621eca69ddf0e55f9a928525e199

commit 34de5acb0688621eca69ddf0e55f9a928525e199
Author: George Mitchell <george@m5p.com>
AuthorDate: 2025-11-21 13:45:25 +0000
Commit: Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2025-11-22 16:01:30 +0000

    x11-servers/xorg-server: update to 21.1.20

    This fixes open CVEs CVE-2025-62229, CVE-2025-62230, and CVE-2025-62231.

    Reported by: rob2g2-freebsd@bitbert.com
    PR: 290655
    Security: e99a32c8-b8e2-11f0-8510-b42e991fc52e
    MFH: 2025Q4
    Approved by: x11 (maintainer timeout)

 x11-servers/xorg-server/Makefile | 3 +--
 x11-servers/xorg-server/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
A commit in branch 2025Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=487013c9bd6f2aee4168b27b680c427c8544e3aa

commit 487013c9bd6f2aee4168b27b680c427c8544e3aa
Author: George Mitchell <george@m5p.com>
AuthorDate: 2025-11-21 13:45:25 +0000
Commit: Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2025-11-22 16:04:53 +0000

    x11-servers/xorg-server: update to 21.1.20

    This fixes open CVEs CVE-2025-62229, CVE-2025-62230, and CVE-2025-62231.

    Reported by: rob2g2-freebsd@bitbert.com
    PR: 290655
    Security: e99a32c8-b8e2-11f0-8510-b42e991fc52e
    MFH: 2025Q4
    Approved by: x11 (maintainer timeout)

    (cherry picked from commit 34de5acb0688621eca69ddf0e55f9a928525e199)

 x11-servers/xorg-server/Makefile | 3 +--
 x11-servers/xorg-server/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
Thank you for your report and contribution.
You're welcome, but you and rob2g2 did the hard part.