Stefan Dirsch
2c7b8ef9b5
* Out-of-bounds access in X Rendering extension (Animated cursors)
(CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
* Integer overflow in Big Requests Extension
(CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
* Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
(CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
* Unprocessed client request via bytes to ignore
(CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
* Integer overflow in X Record extension
(CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
U_CVE-2025-49180-xfree86-Check-for-RandR-provider-functions.patch
* Integer overflow in RandR extension (RRChangeProviderProperty)
(CVE-2025-49180, bsc#1244090)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=913
46 lines
1.5 KiB
Diff
46 lines
1.5 KiB
Diff
From 247f1622fa8d48783b4ed5d5154791c171f00e18 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 28 Apr 2025 10:46:03 +0200
|
|
Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input
|
|
buffer
|
|
|
|
When reading requests from the clients, the input buffer might be shared
|
|
and used between different clients.
|
|
|
|
If a given client sends a full request with non-zero bytes to ignore,
|
|
the bytes to ignore may still be non-zero even though the request is
|
|
full, in which case the buffer could be shared with another client who's
|
|
request will not be processed because of those bytes to ignore, leading
|
|
to a possible hang of the other client request.
|
|
|
|
To avoid the issue, make sure we have zero bytes to ignore left in the
|
|
input request when sharing the input buffer with another client.
|
|
|
|
CVE-2025-49178
|
|
|
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
os/io.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/os/io.c b/os/io.c
|
|
index 0a26c988e..31c85cf34 100644
|
|
--- a/os/io.c
|
|
+++ b/os/io.c
|
|
@@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client)
|
|
*/
|
|
|
|
gotnow -= needed;
|
|
- if (!gotnow)
|
|
+ if (!gotnow && !oci->ignoreBytes)
|
|
AvailableInput = oc;
|
|
if (move_header) {
|
|
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
|
|
--
|
|
2.49.0
|
|
|