diff --git a/backport-CVE-2025-49178.patch b/backport-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..22e3f2351a8676872cb8ecd11ca37dfb1a940012
--- /dev/null
+++ b/backport-CVE-2025-49178.patch
@@ -0,0 +1,47 @@
+From 88a2d6c51cf6f7def7e9ebadff6d24b3684ca91c Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 6 Aug 2025 21:39:23 +0800
+Subject: [PATCH] fix cve-2025-49178
+os: Account for bytes to ignore when sharing input buffer
+
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: default avatarOlivier Fourdan
+Reviewed-by: default avatarPeter Hutterer
+Part-of:
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 939f517..d79cfd9 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -438,7 +438,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.33.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 425ea5c6faad9f39fec23fdd50b105077d719525..917e8e652529ca0afaccda8a42f34b824faa2dde 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
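Review bot: The embedded patch header no longer identifies the upstream change it backports: `From: rpm-build` replaces the author, the `Signed-off-by:` and `Reviewed-by:` trailers carry web-page residue (`default avatarOlivier Fourdan`) with no addresses, and `Part-of:` is empty. For a security backport this makes it hard to confirm that the one-line change in `os/io.c` (`if (!gotnow && !oci->ignoreBytes)`) matches the upstream fix; I would add a line such as `(cherry picked from commit <UPSTREAM_COMMIT_ID>)`, restore the trailers from the upstream commit, and either fill in or drop `Part-of:`. The `Subject:` also fuses the local title with the upstream one, so `os: Account for bytes to ignore when sharing input buffer` should be the subject and `fix cve-2025-49178` moved to the body. The inner hunk shows only part of `ReadRequestFromClient`, so whether `oci` is in scope at this point in the 1.20.11 tree cannot be checked from here and should be confirmed by a build with the patch applied.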
@@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 39 +Release: 40 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -133,6 +133,7 @@ Patch6046: backport-0003-CVE-2023-5574.patch Patch6047: backport-CVE-2024-9632.patch Patch6048: backport-xfree86-fbdevhw-fix-pci-detection-on-recent-Linux.patch Patch6049: backport-CVE-2025-49175.patch +Patch6050: backport-CVE-2025-49178.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -471,6 +472,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Wed Aug 06 2025 wangqingzheng - 1.20.11-40 +- Fix CVE-2025-49178 + * Thu Jun 19 2025 wangqingzheng - 1.20.11-39 - Fix CVE-2025-49175