diff --git a/backport-CVE-2025-49179.patch b/backport-CVE-2025-49179.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5e6309046ecc2f4ad1e9eb4cea93e2eae9d14ca2
--- /dev/null
+++ b/backport-CVE-2025-49179.patch
@@ -0,0 +1,65 @@
+From 60300129fe905a990cba84d62ca0b3c3200e6319 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Thu, 19 Jun 2025 00:25:36 +0800
+Subject: [PATCH] backport-CVE-2025-49179.patch
+
+record: Check for overflow in RecordSanityCheckRegisterClients()
+
+
+The RecordSanityCheckRegisterClients() checks for the request length,
+but does not check for integer overflow.
+
+A client might send a very large value for either the number of clients
+or the number of protocol ranges that will cause an integer overflow in
+the request length computation, defeating the check for request length.
+
+To avoid the issue, explicitly check the number of clients against the
+limit of clients (which is much lower than an maximum integer value) and
+the number of protocol ranges (multiplied by the record length) do not
+exceed the maximum integer value.
+
+This way, we ensure that the final computation for the request length
+will not overflow the maximum integer limit.
+
+CVE-2025-49179
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: default avatarOlivier Fourdan
+Reviewed-by: default avatarPeter Hutterer
+Part-of:
+
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index a8aec23..670c1aa 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "os/osdep.h"
+
+ #include
+ #include
+@@ -1297,6 +1298,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ xRecordRange *pRange;
+ int i;
+ XID recordingClient;
++
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
+
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+--
+2.33.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 9fdb92ba2e018d1f6cfae3f584e975807288702e..5e9bfe63e10d53870636c0ef778179a3e9d4eb9b 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -16,7 +16,7 @@ Name: xorg-x11-server
 Version: 1.20.11
-Release: 38
+Release: 39
 Summary: X.Org X11 X server
 License: MIT and GPLv2
 URL: https://www.x.org
@@ -132,6 +132,7 @@ Patch6045: backport-0002-CVE-2023-5574.patch
 Patch6046: backport-0003-CVE-2023-5574.patch
 Patch6047: backport-CVE-2024-9632.patch
 Patch6048: backport-xfree86-fbdevhw-fix-pci-detection-on-recent-Linux.patch
+Patch6049: backport-CVE-2025-49179.patch
 BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc
 BuildRequires: systemtap-sdt-devel libtool pkgconfig
@@ -470,6 +471,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_mandir}/man*/*
 %changelog
+* Thu, 19 Jun 2025 wangqingzheng - 1.20.11-39
+- Fix CVE-2025-49179
+
 * Fri Mar 07 2025 mahailiang - 1.20.11-38
 - fix sw_64 build error
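Review bot: In the backported record/record.c hunk, the new `nRanges` guard is only sound because the `nClients > LimitClients` check runs first: with `nClients` unbounded, `MAXINT - 4 * stuff->nClients` could itself wrap, and nothing in the code says the order of the two checks matters. I would document that on the second check, e.g. `/* nClients is bounded above, so the subtraction cannot wrap; reject nRanges that would overflow the length sum below */`, and fix the typo in the existing comment (`way less than MAXINT`). The field and variable types are not visible in the hunk; if `nClients` and `nRanges` are unsigned 32-bit protocol fields and `LimitClients` is a signed int, both comparisons are carried out in unsigned arithmetic, which holds only while `LimitClients` is non-negative, so that is worth confirming against the 1.20.11 tree this patch is applied to. RecordSanityCheckRegisterClients() begins before the hunk and continues past it.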