Stefan Dirsch
64a4180db5
* Out-of-bounds access in X Rendering extension (Animated cursors)
(CVE-2025-49175, bsc#1244082)
- U_CVE-2025-49176-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
* Integer overflow in Big Requests Extension
(CVE-2025-49176, bsc#1244084)
- U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch
* Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
(CVE-2025-49177, bsc#1244085)
- U_CVE-2025-49178-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
* Unprocessed client request via bytes to ignore
(CVE-2025-49178, bsc#1244087)
- U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
* Integer overflow in X Record extension
(CVE-2025-49179, bsc#1244089)
- U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
* Integer overflow in RandR extension (RRChangeProviderProperty)
(CVE-2025-49180, bsc#1244090)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=102
67 lines
2.2 KiB
Diff
67 lines
2.2 KiB
Diff
From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Mon, 20 Jan 2025 16:52:01 +0100
|
|
Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized
|
|
|
|
When changing an alarm, the change mask values are evaluated one after
|
|
the other, changing the trigger values as requested and eventually,
|
|
SyncInitTrigger() is called.
|
|
|
|
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
|
|
the existing sync object.
|
|
|
|
Other changes are then evaluated and may trigger an error and an early
|
|
return, not adding the new sync object.
|
|
|
|
This can be used to cause a use after free when the alarm eventually
|
|
triggers.
|
|
|
|
To avoid the issue, delete the existing sync object as late as possible
|
|
only once we are sure that no further error will cause an early exit.
|
|
|
|
CVE-2025-26601, ZDI-CAN-25870
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xext/sync.c | 13 ++++++++-----
|
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/Xext/sync.c b/Xext/sync.c
|
|
index b6417b3b0..4267d3af6 100644
|
|
--- a/Xext/sync.c
|
|
+++ b/Xext/sync.c
|
|
@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
|
client->errorValue = syncObject;
|
|
return rc;
|
|
}
|
|
- if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
|
- SyncDeleteTriggerFromSyncObject(pTrigger);
|
|
- pTrigger->pSync = pSync;
|
|
- newSyncObject = TRUE;
|
|
- }
|
|
}
|
|
|
|
/* if system counter, ask it what the current value is */
|
|
@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
|
}
|
|
}
|
|
|
|
+ if (changes & XSyncCACounter) {
|
|
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
|
+ SyncDeleteTriggerFromSyncObject(pTrigger);
|
|
+ pTrigger->pSync = pSync;
|
|
+ newSyncObject = TRUE;
|
|
+ }
|
|
+ }
|
|
+
|
|
/* we wait until we're sure there are no errors before registering
|
|
* a new counter on a trigger
|
|
*/
|
|
--
|
|
2.48.1
|
|
|