From ea44680e9b0a695dadc2cdfc84bcfb0056833f76 Mon Sep 17 00:00:00 2001
From: qz_cx
Date: Fri, 25 Jul 2025 14:50:39 +0800
Subject: [PATCH] fix CVE-2025-49175
---
 backport-CVE-2025-49175.patch | 87 +++++++++++++++++++++++++++++++++++
 xorg-x11-server.spec | 6 ++-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-49175.patch
diff --git a/backport-CVE-2025-49175.patch b/backport-CVE-2025-49175.patch
new file mode 100644
index 0000000..d695e60
--- /dev/null
+++ b/backport-CVE-2025-49175.patch
@@ -0,0 +1,87 @@
+From 0b9a2930ca4bb121030c2e9aa31f3d1dcf9dde16 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Fri, 25 Jul 2025 21:10:48 +0800
+Subject: [PATCH] fix CVE-2025-49175
+
+render: Avoid 0 or less animated cursors
+
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ | at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ | at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: default avatarOlivier Fourdan
+Reviewed-by: default avatarJosé Expósito
+Part-of:
+
+---
+ render/animcur.c | 2 ++
+ render/render.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index ef27bda..590f8a4 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -304,6 +304,8 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 5bc2a20..a8c2da0 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+2.33.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 287adc2..c55baea 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -16,7 +16,7 @@
 Name: xorg-x11-server
 Version: 1.20.11
-Release: 38
+Release: 39
 Summary: X.Org X11 X server
 License: MIT and GPLv2
 URL: https://www.x.org
@@ -140,6 +140,7 @@ Patch6053: backport-CVE-2025-26598.patch
 Patch6054: backport-CVE-2025-26599.patch
 Patch6055: backport-CVE-2025-26600.patch
 Patch6056: backport-CVE-2025-26601.patch
+Patch6057: backport-CVE-2025-49175.patch
 BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc
 BuildRequires: systemtap-sdt-devel libtool pkgconfig
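Review bot: Both new guards in the embedded patch, `++ if (ncursor <= 0)` / `++ return BadValue;` in render/animcur.c and render/render.c, carry no comment, so a later reader of render.c sees a bare count check with nothing tying it to the `xallocarray(ncursor, ...)` on the following line. I would put `/* A request carrying no cursors is legal on the wire but makes xallocarray() hand back an empty block that AnimCursorCreate() then reads past (CVE-2025-49175); reject it before allocating. */` above the render.c check, and a one-line note on the animcur.c check saying it is kept independently because AnimCursorCreate() is a public entry point, as the commit message states. The render.c check sits before any allocation, so the BadValue path needs no cleanup, and rejecting in the proc handler first means a client-triggered request never reaches the second guard. ncursor is derived from `client->req_len` by subtraction and a shift; assuming the dispatcher's REQUEST_AT_LEAST_SIZE check precedes the hunk as usual, it cannot wrap negative, so `<= 0` is effectively a zero test and the signed form only adds safety for in-server callers of AnimCursorCreate(). Both enclosing functions start and end outside the hunk, and the trailer lines of the embedded patch (`Signed-off-by`, `Part-of:`) show avatar text and no URL here, which is presumably page rendering rather than file content but worth confirming in the committed .patch.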
@@ -481,6 +482,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_mandir}/man*/*
 %changelog
+* Fri Jul 25 2025 wangqingzheng - 1.20.11-39
+- Fix CVE-2025-49175
+
+* Tue Apr 22 2025 Funda Wang - 1.20.11-38
+- add missing patches regarding CVE-2025-26594, CVE-2025-26599, CVE-2025-26601
-- Gitee