diff --git a/0006-fix-CVE-2025-49176.patch b/0006-fix-CVE-2025-49176.patch new file mode 100644 index 0000000000000000000000000000000000000000..72fa2dab818a0bf412ef6e76ead119e267b08416 --- /dev/null +++ b/0006-fix-CVE-2025-49176.patch @@ -0,0 +1,89 @@ +From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows requests larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +Part-of: + +--- + dix/dispatch.c | 9 +++++---- + os/io.c | 4 ++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index eaac39b..e37b3d0 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -513,9 +513,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -536,7 +537,7 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 841a0ee..aeece86 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.43.0 + diff --git a/xorg-x11-server-xwayland.spec b/xorg-x11-server-xwayland.spec index fcad9e7425442d73f269cba7dfad343c4b804030..3ecbe40ecb077f81d8977149388f988857a663b8 100644 --- a/xorg-x11-server-xwayland.spec +++ b/xorg-x11-server-xwayland.spec @@ -4,7 +4,7 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 23.2.4 -Release: 5 +Release: 6 License: MIT URL: http://www.x.org Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz @@ -14,6 +14,7 @@ Patch2: 0002-fix-CVE-2024-31081.patch Patch3: 0003-fix-CVE-2024-31083.patch Patch4: 0004-fix-CVE-2023-6377.patch Patch5: 0005-fix-CVE-2025-49175.patch +Patch6: 0006-fix-CVE-2025-49176.patch Requires: xorg-x11-server-common Requires: libEGL @@ -115,6 +116,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb %{_libdir}/pkgconfig/xwayland.pc %changelog +* Thu Oct 30 2025 Deyuan Fan - 23.2.4-6 +- fix CVE-2025-49176 + * Tue Sep 23 2025 Deyuan Fan - 23.2.4-5 - fix CVE-2025-49175