diff --git a/0014-fix-CVE-2025-49176.patch b/0014-fix-CVE-2025-49176.patch new file mode 100644 index 0000000000000000000000000000000000000000..6781937ea890ccdd98043bd9f843562b4c6637ec --- /dev/null +++ b/0014-fix-CVE-2025-49176.patch @@ -0,0 +1,91 @@ +From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows requests larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +Part-of: + + +--- + dix/dispatch.c | 10 ++++++---- + os/io.c | 4 ++++ + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..51309e3 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -518,9 +518,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -541,7 +542,8 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 5b7fac3..5fc0582 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.43.0 + diff --git a/xorg-x11-server-xwayland.spec b/xorg-x11-server-xwayland.spec index b259ca00206477998055569aeac203ba9517cb6e..cc4eb914f1ba4343cbf9746274284293feabddf4 100644 --- a/xorg-x11-server-xwayland.spec +++ b/xorg-x11-server-xwayland.spec @@ -4,7 +4,7 @@ Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 22.1.2 -Release: 7 +Release: 8 License: MIT URL: http://www.x.org Source0: https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz @@ -22,6 +22,7 @@ Patch10: 0010-fix-CVE-2024-0229-3.patch Patch11: 0011-fix-CVE-2024-31083.patch Patch12: 0012-fix-CVE-2022-2320.patch Patch13: 0013-fix-CVE-2025-49175.patch +Patch14: 0014-fix-CVE-2025-49176.patch Requires: xorg-x11-server-common Requires: libEGL @@ -122,6 +123,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb %{_libdir}/pkgconfig/xwayland.pc %changelog +* Thu Oct 30 2025 Deyuan Fan - 22.1.2-8 +- fix CVE-2025-49176 + * Tue Sep 23 2025 Deyuan Fan - 22.1.2-7 - fix CVE-2025-49175