Stefan Dirsch
2c7b8ef9b5
* Out-of-bounds access in X Rendering extension (Animated cursors)
(CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
* Integer overflow in Big Requests Extension
(CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
* Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
(CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
* Unprocessed client request via bytes to ignore
(CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
* Integer overflow in X Record extension
(CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
U_CVE-2025-49180-xfree86-Check-for-RandR-provider-functions.patch
* Integer overflow in RandR extension (RRChangeProviderProperty)
(CVE-2025-49180, bsc#1244090)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=913
45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
From b6f38b47c3bb31a6e7af4aeae33434ab40a969b3 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 28 Apr 2025 14:59:46 +0200
|
|
Subject: [PATCH xserver 2/2] xfree86: Check for RandR provider functions
|
|
|
|
Changing XRandR provider properties if the driver has set no provider
|
|
function such as the modesetting driver will cause a NULL pointer
|
|
dereference and a crash of the Xorg server.
|
|
|
|
Related to CVE-2025-49180
|
|
|
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
hw/xfree86/modes/xf86RandR12.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
Index: xorg-server-21.1.15/hw/xfree86/modes/xf86RandR12.c
|
|
===================================================================
|
|
--- xorg-server-21.1.15.orig/hw/xfree86/modes/xf86RandR12.c
|
|
+++ xorg-server-21.1.15/hw/xfree86/modes/xf86RandR12.c
|
|
@@ -2145,7 +2145,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr
|
|
/* If we don't have any property handler, then we don't care what the
|
|
* user is setting properties to.
|
|
*/
|
|
- if (config->provider_funcs->set_property == NULL)
|
|
+ if (config->provider_funcs == NULL ||
|
|
+ config->provider_funcs->set_property == NULL)
|
|
return TRUE;
|
|
|
|
/*
|
|
@@ -2163,7 +2164,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr
|
|
ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
|
|
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
|
|
|
|
- if (config->provider_funcs->get_property == NULL)
|
|
+ if (config->provider_funcs == NULL ||
|
|
+ config->provider_funcs->get_property == NULL)
|
|
return TRUE;
|
|
|
|
/* Should be safe even w/o vtSema */
|