Stefan Dirsch
64a4180db5
* Out-of-bounds access in X Rendering extension (Animated cursors)
(CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
* Integer overflow in Big Requests Extension
(CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
* Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
(CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
* Unprocessed client request via bytes to ignore
(CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
* Integer overflow in X Record extension
(CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
* Integer overflow in RandR extension (RRChangeProviderProperty)
(CVE-2025-49180, bsc#1244090)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=102
50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Wed, 27 Nov 2024 11:27:05 +0100
|
|
Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
If a cursor reference count drops to 0, the cursor is freed.
|
|
|
|
The root cursor however is referenced with a specific global variable,
|
|
and when the root cursor is freed, the global variable may still point
|
|
to freed memory.
|
|
|
|
Make sure to prevent the rootCursor from being explicitly freed by a
|
|
client.
|
|
|
|
CVE-2025-26594, ZDI-CAN-25544
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
|
|
<peter.hutterer@who-t.net>)
|
|
v3: Return BadCursor instead of BadValue (Michel Dänzer
|
|
<michel@daenzer.net>)
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
dix/dispatch.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
Index: xwayland-24.1.4/dix/dispatch.c
|
|
===================================================================
|
|
--- xwayland-24.1.4.orig/dix/dispatch.c
|
|
+++ xwayland-24.1.4/dix/dispatch.c
|
|
@@ -3106,6 +3106,10 @@ ProcFreeCursor(ClientPtr client)
|
|
rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
|
|
client, DixDestroyAccess);
|
|
if (rc == Success) {
|
|
+ if (pCursor == rootCursor) {
|
|
+ client->errorValue = stuff->id;
|
|
+ return BadCursor;
|
|
+ }
|
|
FreeResource(stuff->id, RT_NONE);
|
|
return Success;
|
|
}
|