From eb1c0386535c5a6451cbf21ca351087ebfafb025 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:05:36 +0200
Subject: [PATCH xserver] xfixes: Check request length for
SetClientDisconnectMode
The handler of XFixesSetClientDisconnectMode does not check the client
request length.
A client could send a shorter request and read data from a former
request.
Fix the issue by checking the request size matches.
CVE-2025-49177
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
xfixes/disconnect.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: xorg-server-21.1.15/xfixes/disconnect.c
===================================================================
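--- a/xfixes/disconnect.c
+++ b/xfixes/disconnect.c
@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(Client
 ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
 
 REQUEST(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
 
 pDisconnect->disconnect_mode = stuff->disconnect_mode;
 
@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(Clien
 
 swaps(&stuff->length);
 
- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
 
 swapl(&stuff->disconnect_mode);
 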
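Review bot: In ProcXFixesSetClientDisconnectMode the new REQUEST_SIZE_MATCH guards only the request length; `stuff->disconnect_mode` is still copied into `pDisconnect->disconnect_mode` exactly as received, and no range check is visible in the hunk. If the extension defines a fixed set of mode bits, it may be worth rejecting unknown bits with BadValue before the assignment, so per-client state never holds a value the rest of the server does not expect. A short comment above the check, such as `/* exact size: a short request would leave disconnect_mode reading stale bytes from an earlier request */`, would record why the match has to be exact rather than at-least. Both handler bodies start and end outside the hunks shown, so any validation done elsewhere cannot be confirmed from here.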