  * Out-of-bounds access in X Rendering extension (Animated cursors) (CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
  * Integer overflow in Big Requests Extension (CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
  * Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode) (CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
  * Unprocessed client request via bytes to ignore (CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
  * Integer overflow in X Record extension (CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
  U_CVE-2025-49180-xfree86-Check-for-RandR-provider-functions.patch
  * Integer overflow in RandR extension (RRChangeProviderProperty) (CVE-2025-49180, bsc#1244090)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=913
48 lines
1.6 KiB
Diff
From eb1c0386535c5a6451cbf21ca351087ebfafb025 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:05:36 +0200
Subject: [PATCH xserver] xfixes: Check request length for
SetClientDisconnectMode

The handler of XFixesSetClientDisconnectMode does not check the client
request length.

A client could send a shorter request and read data from a former
request.

Fix the issue by checking the request size matches.

CVE-2025-49177

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
xfixes/disconnect.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

Index: xorg-server-21.1.15/xfixes/disconnect.c
===================================================================
--- xorg-server-21.1.15.orig/xfixes/disconnect.c
+++ xorg-server-21.1.15/xfixes/disconnect.c
@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(Client
ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
REQUEST(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
pDisconnect->disconnect_mode = stuff->disconnect_mode;
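Review bot: The last line of this hunk, `pDisconnect->disconnect_mode = stuff->disconnect_mode;`, still stores the client-supplied value with no range check visible in this context. Now that REQUEST_SIZE_MATCH guarantees the field comes from the current request, it would be worth confirming that unknown mode bits are either rejected here or handled safely where the mode is consumed. Placing the check directly after REQUEST() and before the first read of `stuff` is the right spot.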
@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(Clien
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
swapl(&stuff->disconnect_mode);
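Review bot: The commit message only describes the missing check in the handler, but in SProcXFixesSetClientDisconnectMode this hunk tightens REQUEST_AT_LEAST_SIZE to REQUEST_SIZE_MATCH, so a byte-swapped client sending an over-long request is now rejected where it previously passed this check. Suggest adding one sentence to the message stating that the swapped path moves from a minimum-length to an exact-length check, so the behaviour change is recorded alongside the fix.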