#1122063 x11-xkb-utils: CVE-2018-15853 CVE-2018-15859 CVE-2018-15861 CVE-2018-15863

Package:
src:x11-xkb-utils
Source:
src:x11-xkb-utils
Submitter:
Salvatore Bonaccorso
Date:
2025-12-06 14:25:02 UTC
Severity:
normal
#1122063#5
Date:
2025-12-06 14:22:19 UTC
Hi,

The following vulnerabilities were published for x11-xkb-utils
(specifically in xkbcomp).

CVE-2018-15853[0]:
| Endless recursion exists in xkbcomp/expr.c in xkbcommon and
| libxkbcommon before 0.8.1, which could be used by local attackers to
| crash xkbcommon users by supplying a crafted keymap file that
| triggers boolean negation.


CVE-2018-15859[1]:
| Unchecked NULL pointer usage when parsing invalid atoms in
| ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be
| used by local attackers to crash (NULL pointer dereference) the
| xkbcommon parser by supplying a crafted keymap file, because lookup
| failures are mishandled.


CVE-2018-15861[2]:
| Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in
| xkbcommon before 0.8.2 could be used by local attackers to crash
| (NULL pointer dereference) the xkbcommon parser by supplying a
| crafted keymap file that triggers an xkb_intern_atom failure.


CVE-2018-15863[3]:
| Unchecked NULL pointer usage in ResolveStateAndPredicate in
| xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local
| attackers to crash (NULL pointer dereference) the xkbcommon parser
| by supplying a crafted keymap file with a no-op modmask expression.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15853
    https://www.cve.org/CVERecord?id=CVE-2018-15853
[1] https://security-tracker.debian.org/tracker/CVE-2018-15859
    https://www.cve.org/CVERecord?id=CVE-2018-15859
[2] https://security-tracker.debian.org/tracker/CVE-2018-15861
    https://www.cve.org/CVERecord?id=CVE-2018-15861
[3] https://security-tracker.debian.org/tracker/CVE-2018-15863
    https://www.cve.org/CVERecord?id=CVE-2018-15863
[4] https://www.openwall.com/lists/oss-security/2025/12/03/1

Regards,
Salvatore