diff --git a/5-bugfix-for-CVE-2025-49178.patch b/5-bugfix-for-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8e4a5bc9a1fc74529dc687564326a4e12bf448b8
--- /dev/null
+++ b/5-bugfix-for-CVE-2025-49178.patch
@@ -0,0 +1,46 @@
+From 90a13c564e7b9ba5c0d8d92acac80689cd051898 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input
+ buffer
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+(cherry picked from commit b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3)
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 5fc05821c..26f9161ef 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.49.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index bf7c7a0add4ada99e70900b6097d2bb175e2a697..4d64e6bd0ba1a509091789c824b5d563b98338ac 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
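Review bot: The added patch file only takes effect if %prep applies it; the spec registers it as `Patch5:` but the %prep section is not in view, so if the spec uses numbered `%patch` macros rather than `%autosetup`, a matching `%patch5 -p1` (or `%patch -P 5 -p1` on newer rpm) is still needed. The one-line change inside the patch, `if (!gotnow && !oci->ignoreBytes)`, stops the shared input buffer from being handed out via `AvailableInput` while bytes remain to be skipped, which matches the hang described in the message; `ReadRequestFromClient` continues outside the hunk, so whether `ignoreBytes` is consumed before the next read cannot be confirmed from here. The `From:`, `Signed-off-by:` and `Reviewed-by:` lines carry no e-mail address, which may be a rendering artefact, but if the file on disk really lacks them `git am` may refuse it even though rpm's `patch -p1` application will not care. For consistency with the `Patch4` entry, a comment above `Patch5:` naming the upstream commit (b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3) and the CVE would make future rebases easier.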
@@ -1,4 +1,4 @@
-%define anolis_release 14
+%define anolis_release 15
 # X.org requires lazy relocations to work.
 %undefine _hardened_build
 %undefine _strict_symbol_defs_build
@@ -45,6 +45,7 @@ Patch3: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
 # Fix compilation error on i686 (21.1.14+)
 # https://gitlab.freedesktop.org/xorg/xserver/-/commit/8407181c7dfe14086d99697af0b86120320ab73e
 Patch4: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
+Patch5: 5-bugfix-for-CVE-2025-49178.patch
 BuildRequires: bison
 BuildRequires: flex
@@ -418,6 +419,9 @@ find %{buildroot} -type f -name '*.la' -delete
 %changelog
+* Fri Jun 27 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 21.1.13-15
+- Fix CVE-2025-49178
+
 * Tue Oct 8 2024 Tingyin Duan - 21.1.13-14
 - initial from Fedora Rawhide