diff --git a/1004-fix-CVE-2025-49177.patch b/1004-fix-CVE-2025-49177.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b83c93ff18ef607de7894b7142d011450174b05
--- /dev/null
+++ b/1004-fix-CVE-2025-49177.patch
@@ -0,0 +1,33 @@
+From 8bbda7e11f328021a1209eafc6d2c7ad2cd77901 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:14:29 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49177
+
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index 7793272..209e3d8 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+ ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+
+ REQUEST(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ pDisconnect->disconnect_mode = stuff->disconnect_mode;
+
+@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+
+ swaps(&stuff->length);
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ swapl(&stuff->disconnect_mode);
+
+--
+2.41.0
+
diff --git a/1005-fix-CVE-2025-49178.patch b/1005-fix-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37a88821f0f695a555c521a483058ae85d0ec45d
--- /dev/null
+++ b/1005-fix-CVE-2025-49178.patch
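Review bot: The header of 1004-fix-CVE-2025-49177.patch records only the packager's `From:` line and `Subject: [PATCH 1/1] fix CVE-2025-49177`, so neither the upstream commit it was taken from nor the reason for the change can be checked from the patch file itself; 1005, 1006 and 1007 have the same bare header. The spec comment for Patch104 names the upstream commit, so a line such as `Upstream commit: ab02fb96b1c701c3bb47617d965522c34befa6af` under the Subject would carry that into the patch. In the code, a short comment above the added check in ProcXFixesSetClientDisconnectMode, for example `/* reject any request whose length differs from the fixed request struct before reading stuff->disconnect_mode */`, would keep the reason for `REQUEST_SIZE_MATCH` visible. Both handler bodies begin and end outside the inner hunks.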
@@ -0,0 +1,25 @@
+From b292b85c7b984c131eac1af456b9e0b0fa6b1686 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:20:12 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49178
+
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 5b7fac3..19d5210 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -438,7 +438,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.41.0
+
diff --git a/1006-fix-CVE-2025-49179.patch b/1006-fix-CVE-2025-49179.patch
new file mode 100644
index 0000000000000000000000000000000000000000..18d333767222434a1c5391419b4a2916c48812d1
--- /dev/null
+++ b/1006-fix-CVE-2025-49179.patch
@@ -0,0 +1,38 @@
+From 766f80dc789c38e4e4f1392d4c5ed50a08447a07 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:33:40 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49179
+
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index e123867..7a9e907 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "os/osdep.h"
+
+ #include
+ #include
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.41.0
+
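Review bot: The changed condition `if (!gotnow && !oci->ignoreBytes)` in ReadRequestFromClient has no comment explaining why pending ignored bytes must stop the buffer from being assigned to `AvailableInput`, and the block comment that closes just above it was written for the old condition. Judging by the names, `AvailableInput` marks the buffer as free for reuse and `ignoreBytes` counts input of this client still to be discarded, but that is an inference from the hunk and should be confirmed against the rest of the file. A comment such as `/* keep the buffer with this client while ignoreBytes is non-zero; only an empty buffer with nothing left to skip may be offered for reuse */` would record the invariant. The function starts and ends outside the inner hunk.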
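Review bot: The second guard added to RecordSanityCheckRegisterClients, `stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)`, is free of wraparound only because `nClients` was bounded by `LimitClients` in the check before it, and the one comment in the block does not state that dependency and has a typo ("less that"). I would reword it to `/* nClients <= LimitClients (2048 at most), so 4 * nClients cannot wrap in the nRanges bound below; keep the two checks in this order */`. The new `#include "os/osdep.h"` relies on the include paths of the bundled X server tree, which the page does not show, so it is worth confirming with a build that the header resolves and declares `LimitClients`. The function body continues outside the inner hunk.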
diff --git a/1007-fix-CVE-2025-49180.patch b/1007-fix-CVE-2025-49180.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a48afb60354e514de6cb500e0e26de8917c1dc5
--- /dev/null
+++ b/1007-fix-CVE-2025-49180.patch
@@ -0,0 +1,51 @@
+From 43ad12fa09dd7830797dca93b9156af964bc49cd Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:37:35 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49180
+
+---
+ hw/xfree86/modes/xf86RandR12.c | 6 ++++--
+ randr/rrproviderproperty.c | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
+index 39a38c7..8f97e79 100644
+--- a/hw/xfree86/modes/xf86RandR12.c
++++ b/hw/xfree86/modes/xf86RandR12.c
+@@ -2142,7 +2142,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
+ /* If we don't have any property handler, then we don't care what the
+ * user is setting properties to.
+ */
+- if (config->provider_funcs->set_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->set_property == NULL)
+ return TRUE;
+
+ /*
+@@ -2160,7 +2161,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
+ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
+ xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+
+- if (config->provider_funcs->get_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->get_property == NULL)
+ return TRUE;
+
+ /* Should be safe even w/o vtSema */
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..44cb5c7 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -180,6 +180,9 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
++
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+2.41.0
+
diff --git a/tigervnc.spec b/tigervnc.spec
index 230302e25b091e890a740b0b2bb378d70540d184..afe2678c81e62611c2ef2aab03c3245b5b782574 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
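Review bot: The guard added in RRChangeProviderProperty, `if (total_len > MAXINT / size_in_bytes)`, divides by `size_in_bytes`, which is computed outside the inner hunk; if any caller can reach this point with a format that yields 0, the overflow check itself faults before the multiplication it protects. Unless the format is provably validated on every path into this function, I would write the test as `if (size_in_bytes <= 0 || total_len > MAXINT / size_in_bytes)` and keep `return BadValue;`. A one-line comment such as `/* total_size is an int-sized byte count; reject lengths whose product would overflow it */` would also document why the bound is MAXINT; the declared type of `total_size` is not visible here, so confirm it before adding the comment. The function starts and ends outside the inner hunk.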
@@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 #defining macros needed by SELinux %global selinuxtype targeted %global modulename vncsession @@ -33,6 +33,16 @@ Patch101: 101-bugfix-for-CVE-2024-21885.patch Patch102: 102-bugfix-for-CVE-2025-49176.patch Patch103: 103-bugfix-for-CVE-2025-49176.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af +Patch104: 1004-fix-CVE-2025-49177.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2Fd55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 +Patch105: 1005-fix-CVE-2025-49178.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4 +Patch106: 1006-fix-CVE-2025-49179.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F3c3a4b767b16174d3213055947ea7f4f88e10ec6 +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F0235121c6a7a6eb247e2addb3b41ed6ef566853d +Patch107: 1007-fix-CVE-2025-49180.patch + BuildRequires: make BuildRequires: gcc-c++ BuildRequires: automake, autoconf, libtool, gettext, gettext-autopoint @@ -166,6 +176,10 @@ done %patch101 -p1 -b .101-bugfix-for-CVE-2024-21885 %patch102 -p1 -b .102-bugfix-for-CVE-2025-49176 %patch103 -p1 -b .103-bugfix-for-CVE-2025-49176 +%patch104 -p1 -b .1004-fix-CVE-2025-49177 +%patch105 -p1 -b .1005-fix-CVE-2025-49178 +%patch106 -p1 -b .1006-fix-CVE-2025-49179 +%patch107 -p1 -b .1007-fix-CVE-2025-49180 popd # Downstream patches @@ -337,6 +351,9 @@ fi %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Thu Aug 07 2025 mgb01105731 - 1.13.1-5 +- Add patch to fix CVE-2025-49177,CVE-2025-49178,CVE-2025-49179,CVE-2025-49180 + * Wed Jul 23 2025 tomcruiseqi - 1.13.1-4 - Fix CVE-2025-49176
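Review bot: The provenance comments added above Patch105, Patch106 and Patch107 point at `gitee.com/link?target=…` redirect URLs with the upstream address percent-encoded, whereas the comment for Patch104 links gitlab.freedesktop.org directly. A redirect through a third-party host is harder to read, can stop resolving, and makes it less obvious which upstream commit a security backport claims to match, so I would use the direct form throughout, e.g. `# https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2` for Patch105. The new entries also map `Patch104`–`Patch107` to files numbered `1004`–`1007`, while the existing `Patch101`–`Patch103` use matching `101`–`103` file prefixes; aligning the file names with the patch numbers would avoid mix-ups when a patch is later dropped or rebased.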