diff --git a/backport-CVE-2025-49178.patch b/backport-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..61ed360c429de12640cf780733e31b6b75193061
--- /dev/null
+++ b/backport-CVE-2025-49178.patch
@@ -0,0 +1,48 @@
+From e124660847cd7dcdfd295e81730dfe5e66b526eb Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 6 Aug 2025 18:34:39 +0800
+Subject: [PATCH] fix CVE-2025-49178
+os: Account for bytes to ignore when sharing input buffer
+
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: default avatarOlivier Fourdan
+Reviewed-by: default avatarPeter Hutterer
+Part-of:
+
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 939f517..d79cfd9 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -438,7 +438,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.33.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index c55baea2dcbd7981101a7bc7b745b93123c8aae2..dd518f91ff3933648ec4f1e2cf8ca8dd33b14ed6 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
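Review bot: The header of the embedded patch no longer identifies the upstream change it backports: `From:` is `rpm-build`, the `Signed-off-by:` and `Reviewed-by:` trailers carry `default avatar` residue and no addresses, and `Part-of:` is empty, which suggests the message was copied from a rendered web page rather than exported from the upstream commit. For a security backport this makes it hard to verify that the one-line change to `if (!gotnow && !oci->ignoreBytes)` in os/io.c matches what upstream shipped. I would regenerate the header from the upstream commit, or at least restore the original author in `From:` and add a line such as `Reference: <upstream commit URL>`. The body of `ReadRequestFromClient` starts and ends outside the inner hunk, so the declaration of `oci` and the place where `ignoreBytes` is set cannot be confirmed from this page.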
@@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 39 +Release: 40 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org @@ -141,6 +141,7 @@ Patch6054: backport-CVE-2025-26599.patch Patch6055: backport-CVE-2025-26600.patch Patch6056: backport-CVE-2025-26601.patch Patch6057: backport-CVE-2025-49175.patch +Patch6058: backport-CVE-2025-49178.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -482,6 +483,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog +* Wed Aug 06 2025 wangqingzheng - 1.20.11-40 +- Fix CVE-2025-49178 + * Fri Jul 25 2025 wangqingzheng - 1.20.11-39 - Fix CVE-2025-49175