<div class="container">
<h1>Security update for dri3proto, presentproto, wayland-protocols, xwayland</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:2776-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219892">bsc#1219892</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222309">bsc#1222309</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222310">bsc#1222310</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222312">bsc#1222312</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222442">bsc#1222442</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-9498">jsc#PED-9498</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-31080.html">CVE-2024-31080</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-31081.html">CVE-2024-31081</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-31083.html">CVE-2024-31083</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-31080</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-31081</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-31083</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP5</li>
<li class="list-group-item">Development Tools Module 15-SP6</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Workstation Extension 15 SP6</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP6</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities, contains one feature and has two security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for dri3proto, presentproto, wayland-protocols, xwayland fixes the following issues:</p>
<p>Changes in presentproto:</p>
<ul>
<li>update to version 1.4 (patch generated from xorgproto-2024.1 sources)</li>
</ul>
<p>Changes in wayland-protocols:</p>
<ul>
<li>
<p>Update to version 1.36:</p>
</li>
<li>
<p>xdg-dialog: fix missing namespace in protocol name</p>
</li>
<li>
<p>Changes from version 1.35:</p>
</li>
<li>
<p>cursor-shape-v1: Does not advertise the list of supported cursors</p>
</li>
<li>xdg-shell: add missing enum attribute to set_constraint_adjustment</li>
<li>xdg-shell: recommend against drawing decorations when tiled</li>
<li>tablet-v2: mark as stable</li>
<li>
<p>staging: add alpha-modifier protocol</p>
</li>
<li>
<p>Update to 1.36</p>
</li>
<li>
<p>Fix to the xdg dialog protocol</p>
</li>
<li>tablet-v2 protocol is now stable</li>
<li>alpha-modifier: new protocol</li>
<li>Bug fix to the cursor shape documentation</li>
<li>
<p>The xdg-shell protocol now also explicitly recommends against
drawing decorations outside of the window geometry when tiled</p>
</li>
<li>
<p>Update to 1.34:</p>
</li>
<li>
<p>xdg-dialog: new protocol</p>
</li>
<li>xdg-toplevel-drag: new protocol</li>
<li>Fix typo in ext-foreign-toplevel-list-v1</li>
<li>tablet-v2: clarify that name/id events are optional</li>
<li>linux-drm-syncobj-v1: new protocol</li>
<li>
<p>linux-explicit-synchronization-v1: add linux-drm-syncobj note</p>
</li>
<li>
<p>Update to version 1.33:</p>
</li>
<li>
<p>xdg-shell: Clarify what a toplevel by default includes</p>
</li>
<li>linux-dmabuf: sync changes from unstable to stable</li>
<li>linux-dmabuf: require all planes to use the same modifier</li>
<li>presentation-time: stop referring to Linux/glibc</li>
<li>security-context-v1: Make sandbox engine names use reverse-DNS</li>
<li>xdg-decoration: remove ambiguous wording in configure event</li>
<li>xdg-decoration: fix configure event summary</li>
<li>linux-dmabuf: mark as stable</li>
<li>linux-dmabuf: add note about implicit sync</li>
<li>security-context-v1: Document what can be done with the open
sockets</li>
<li>security-context-v1: Document out of band metadata for flatpak</li>
</ul>
<p>Changes in dri3proto:</p>
<ul>
<li>update to version 1.4 (patch generated from xorgproto-2024.1 sources)</li>
</ul>
<p>Changes in xwayland:</p>
<ul>
<li>
<p>Update to bugfix release 24.1.1 for the current stable 24.1
branch of Xwayland</p>
</li>
<li>
<p>xwayland: fix segment fault in <code>xwl_glamor_gbm_init_main_dev</code></p>
</li>
<li>os: Explicitly include X11/Xmd.h for CARD32 definition to fix
building on i686</li>
<li>present: On *BSD, epoll-shim is needed to emulate eventfd()</li>
<li>xwayland: Stop on first unmapped child</li>
<li>xwayland/window-buffers: Promote xwl_window_buffer</li>
<li>xwayland/window-buffers: Add xwl_window_buffer_release()</li>
<li>xwayland/glamor/gbm: Copy explicit sync code to GLAMOR/GBM</li>
<li>xwayland/window-buffers: Use synchronization from GLAMOR/GBM</li>
<li>xwayland/window-buffers: Do not always set syncpnts</li>
<li>xwayland/window-buffers: Move code to submit pixmaps</li>
<li>xwayland/window-buffers: Set syncpnts for all pixmaps</li>
<li>xwayland: Move xwl_window disposal to its own function</li>
<li>xwayland: Make sure we do not leak xwl_window on destroy</li>
<li>wayland/window-buffers: Move buffer disposal to its own function</li>
<li>xwayland/window-buffers: optionally force disposal</li>
<li>wayland: Force disposal of windows buffers for root on destroy</li>
<li>xwayland: Check for pointer in xwl_seat_leave_ptr()</li>
<li>
<p>xwayland: remove includedir from pkgconfig</p>
</li>
<li>
<p>disable DPMS on sle15 due to missing proto package</p>
</li>
<li>
<p>Update to feature release 24.1.0</p>
</li>
<li>This fixes a couple of regressions introduced in the previous release
candidate versions along with a fix for XTEST emulation with EI.<ul>
<li>xwayland: Send ei_device_frame on device_scroll_discrete</li>
<li>xwayland: Restore the ResizeWindow handler</li>
<li>xwayland: Handle rootful resize in ResizeWindow</li>
<li>xwayland: Move XRandR emulation to the ResizeWindow hook</li>
<li>xwayland: Use correct xwl_window lookup function in xwl_set_shape</li>
</ul>
</li>
<li>
<p>eglstreams has been dropped</p>
</li>
<li>
<p>Update to bug fix release 23.2.7</p>
</li>
<li>m4: drop autoconf leftovers</li>
<li>xwayland: Send ei_device_frame on device_scroll_discrete</li>
<li>xwayland: Call drmFreeDevice for dma-buf default feedback</li>
<li>xwayland: Use drmDevicesEqual in xwl_dmabuf_feedback_tranche_done</li>
<li>dri3: Free formats in cache_formats_and_modifiers</li>
<li>xwayland/glamor: Handle depth 15 in gbm_format_for_depth</li>
<li>Revert "xwayland/glamor: Avoid implicit redirection with depth 32 parent windows"</li>
<li>xwayland: Check for outputs before lease devices</li>
<li>
<p>xwayland: Do not remove output on withdraw if leased</p>
</li>
<li>
<p>Update to 23.2.6</p>
</li>
<li>
<p>This is a quick bug fix release to address a regression
introduced by the fix for CVE-2024-31083 in xwayland-23.2.5.</p>
</li>
<li>
<p>Security update 23.2.5</p>
</li>
</ul>
<p>This release contains the 3 security fixes that actually apply to
Xwayland reported in the security advisory of April 3rd 2024.</p>
<ul>
<li>CVE-2024-31080</li>
<li>CVE-2024-31081</li>
<li>CVE-2024-31083</li>
</ul>
<p>Additionally, it also contains a couple of other fixes, a copy/paste
error in the DeviceStateNotify event and a fix to enable buttons with
pointer gestures for backward compatibility with legacy X11 clients.</p>
<ul>
<li>Don't provide xorg-x11-server-source</li>
<li>xwayland sources are not meant for a generic server.</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch SUSE-2024-2776=1 openSUSE-SLE-15.6-2024-2776=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-2776=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2776=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2776=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-2776=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Workstation Extension 15 SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Product-WE-15-SP6-2024-2776=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>xwayland-devel-24.1.1-150600.5.3.1</li>
<li>xwayland-debuginfo-24.1.1-150600.5.3.1</li>
<li>xwayland-debugsource-24.1.1-150600.5.3.1</li>
<li>xwayland-24.1.1-150600.5.3.1</li>
<li>presentproto-devel-1.3-150600.3.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>wayland-protocols-devel-1.36-150600.4.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dri3proto-devel-1.2-150100.6.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dri3proto-devel-1.2-150100.6.3.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dri3proto-devel-1.2-150100.6.3.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>dri3proto-devel-1.2-150100.6.3.1</li>
<li>presentproto-devel-1.3-150600.3.3.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP6 (noarch)
<ul>
<li>wayland-protocols-devel-1.36-150600.4.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Workstation Extension 15 SP6 (x86_64)
<ul>
<li>xwayland-debugsource-24.1.1-150600.5.3.1</li>
<li>xwayland-24.1.1-150600.5.3.1</li>
<li>xwayland-debuginfo-24.1.1-150600.5.3.1</li>
</ul>
</li>
</ul>
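<p>To confirm that a host actually carries the fixed builds, compare its installed versions against the package list above. The following is an added example, not part of the SUSE advisory: it implements rpm-style version comparison (no epoch, <code>~</code> or <code>^</code> handling) and runs it over a constructed <code>rpm -qa</code> listing; the function names and sample lines are assumptions.</p>

```python
import re

# Fixed versions from this advisory's package list (openSUSE Leap 15.6).
FIXED = {
    "xwayland": "24.1.1-150600.5.3.1",
    "xwayland-devel": "24.1.1-150600.5.3.1",
    "wayland-protocols-devel": "1.36-150600.4.3.1",
    "presentproto-devel": "1.3-150600.3.3.1",
    "dri3proto-devel": "1.2-150100.6.3.1",
}

def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does (no ~ or ^)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_listing):
    """Return {name: (installed, fixed)} for packages older than the fix."""
    stale = {}
    for line in rpm_listing.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in FIXED:
            continue
        name, installed = parts
        if evr_cmp(installed, FIXED[name]) < 0:
            stale[name] = (installed, FIXED[name])
    return stale

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE = """\
xwayland 23.2.4-150600.3.2
wayland-protocols-devel 1.36-150600.4.3.1
dri3proto-devel 1.2-150100.6.3.1
bash 4.4-150400.25.22
"""

if __name__ == "__main__":
    for name, (have, need) in unpatched(SAMPLE).items():
        print(f"{name}: installed {have}, advisory ships {need}")
```

<p>Numeric segments are compared as integers, so <code>1.36</code> sorts above <code>1.4</code>, which a plain string comparison gets wrong.</p>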
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-31080.html">https://www.suse.com/security/cve/CVE-2024-31080.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-31081.html">https://www.suse.com/security/cve/CVE-2024-31081.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-31083.html">https://www.suse.com/security/cve/CVE-2024-31083.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219892">https://bugzilla.suse.com/show_bug.cgi?id=1219892</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222309">https://bugzilla.suse.com/show_bug.cgi?id=1222309</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222310">https://bugzilla.suse.com/show_bug.cgi?id=1222310</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222312">https://bugzilla.suse.com/show_bug.cgi?id=1222312</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1222442">https://bugzilla.suse.com/show_bug.cgi?id=1222442</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-9498">https://jira.suse.com/browse/PED-9498</a>
</li>
</ul>
</div>