diff --git a/backport-CVE-2025-49176.patch b/backport-CVE-2025-49176.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b2fb167cdbbd995e2da9441e4b7492c44468d71a
--- /dev/null
+++ b/backport-CVE-2025-49176.patch
@@ -0,0 +1,75 @@
+From 43b1b77f7fc9262bacba52b54199db3bce4b9c79 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 21 Jul 2025 21:36:51 +0800
+Subject: [PATCH] fix CVE-2025-49176
+
+os: Do not overflow the integer size with BigRequest
+
+
+The BigRequest extension allows requests larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: default avatarOlivier Fourdan
+Reviewed-by: default avatarMichel Dänzer
+Part-of:
+
+---
+ dix/dispatch.c | 2 +-
+ os/io.c | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 516881a..7e0bd24 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -488,7 +488,7 @@ Dispatch(void)
+ client->index,
+ client->requestBuffer);
+ #endif
+- if (result > (maxBigRequestSize << 2))
++ if (result < 0 || result > (maxBigRequestSize << 2))
+ result = BadLength;
+ else {
+ result = XaceHookDispatch(client, client->majorOp);
+diff --git a/os/io.c b/os/io.c
+index d79cfd9..d1096d9 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2) {
++ /* Check for potential integer overflow */
++ return -(BadLength);
++ }
+ needed <<= 2; /* needed is in bytes now */
+ }
+ if (gotnow < needed) {
+--
+2.33.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index e758ec023ef4b7be32501a1c4008ca598ed17010..69121cf9155f6daff082a68bdc64d423de521775 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -16,7 +16,7 @@ Name: xorg-x11-server
 Version: 1.20.11
-Release: 39
+Release: 40
 Summary: X.Org X11 X server
 License: MIT and GPLv2
 URL: https://www.x.org
@@ -140,6 +140,7 @@ Patch6055: backport-CVE-2025-26600.patch
 Patch6056: backport-CVE-2025-26601.patch
 Patch6057: backport-CVE-2025-49178.patch
 Patch6058: backport-CVE-2025-49175.patch
+Patch6059: backport-CVE-2025-49176.patch
 BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc
 BuildRequires: systemtap-sdt-devel libtool pkgconfig
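Review bot: The guard added in the os/io.c part of the backported patch bounds `needed` only from above; if `needed` and the return type of get_big_req_len() are signed ints, as they are upstream (neither declaration is inside the hunk), a 32-bit big-request length with the top bit set may arrive here as a negative value, pass `needed > MAXINT >> 2`, and reach `needed <<= 2`, where left-shifting a negative int is undefined behaviour before Dispatch()'s new `result < 0` test ever sees it. Rejecting both cases at the same point, `if (needed < 0 || needed > MAXINT >> 2)`, closes that gap without changing the error path. The comment `/* Check for potential integer overflow */` explains the condition rather than the return, so it reads better on the line above the `if` than inside its body. Separately, the committed patch file's trailers are mangled from a web copy: `Signed-off-by`/`Reviewed-by` carry a "default avatar" prefix and lack the author e-mail, and `Part-of:` has lost its URL, which weakens the provenance record of a security backport. ReadRequestFromClient() and Dispatch() both start and end outside the hunk.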
@@ -481,13 +482,16 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Mon Jul 21 2025 wangqingzheng - 1.20.11-40 +- Fix CVE-2025-49176 + * Sat Jul 05 2025 wangqingzheng - 1.20.11-39 - add backport-xfree86-fbdevhw-fix-pci-detection-on-recent-Linux.patch * Thu Jul 03 2025 wangqingzheng - 1.20.11-38 - Fix CVE-2025-49175 -* Web Jul 02 2025 wangqingzheng - 1.20.11-37 +* Wed Jul 02 2025 wangqingzheng - 1.20.11-37 - Fix CVE-2025-49178 * Tue Apr 22 2025 Funda Wang - 1.20.11-36