diff --git a/1017-fix-CVE-2025-49175-CVE-2025-49176.patch b/1017-fix-CVE-2025-49175-CVE-2025-49176.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d2bd0253589a57dd9ea0fe3e621530abf787679c
--- /dev/null
+++ b/1017-fix-CVE-2025-49175-CVE-2025-49176.patch
@@ -0,0 +1,40 @@
+From 1026e30b9da2b1569d6125f0ef24d4f9a08a5221 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Sun, 22 Jun 2025 23:55:04 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49175 and CVE-2025-49176
+
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index ef27bda..77942d8 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 5bc2a20..a8c2da0 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+2.41.0
+
diff --git a/1018-fix-CVE-2025-49178.patch b/1018-fix-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37a88821f0f695a555c521a483058ae85d0ec45d
--- /dev/null
+++ b/1018-fix-CVE-2025-49178.patch
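Review bot: The subject of 1017 and the spec changelog both claim CVE-2025-49176, but the only code this patch changes is the `ncursor <= 0` guard in `AnimCursorCreate` (render/animcur.c) and in `ProcRenderCreateAnimCursor` (render/render.c), and the spec cites a single upstream commit for Patch1017. As far as I recall the X.Org advisory, CVE-2025-49176 is an integer overflow in Big Requests length handling, which a cursor-count check would not address. Please confirm against the advisory and either backport the corresponding request-length fix or narrow the claim to `Subject: [PATCH 1/1] fix CVE-2025-49175` (and the changelog entry likewise), so that vulnerability scanners and auditors do not record an unfixed issue as fixed. Both functions continue outside their hunks.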
@@ -0,0 +1,25 @@
+From b292b85c7b984c131eac1af456b9e0b0fa6b1686 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:20:12 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49178
+
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 5b7fac3..19d5210 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -438,7 +438,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.41.0
+
diff --git a/1019-fix-CVE-2025-49179.patch b/1019-fix-CVE-2025-49179.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c06dbe94b5bceb8461fe92c7104960ee98d270e
--- /dev/null
+++ b/1019-fix-CVE-2025-49179.patch
@@ -0,0 +1,38 @@
+From 766f80dc789c38e4e4f1392d4c5ed50a08447a07 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:33:40 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49179
+
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index e123867..7a9e907 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "opaque.h"
+
+ #include
+ #include
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.41.0
+
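Review bot: The new test `!gotnow && !oci->ignoreBytes` in `ReadRequestFromClient` carries no comment explaining why outstanding ignored bytes must stop the connection from being recorded in `AvailableInput`. If I read the surrounding code correctly, `AvailableInput` marks this connection's input buffer as reusable and `ignoreBytes` counts the rest of a rejected request that is still to be discarded, so the buffer is not really drained when `gotnow` reaches zero. A comment above the test such as `/* only release the input buffer for reuse once no bytes are left to ignore */` would keep a later cleanup from simplifying the condition back. The function starts and ends outside the hunk, so any other assignment to `AvailableInput` is not visible here and is worth checking for the same condition.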
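Review bot: The second guard added to `RecordSanityCheckRegisterClients`, `stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)`, is only sound because the `LimitClients` check before it has already bounded `nClients`, and the code does not say so. I would state the dependency in the existing comment and fix its typo at the same time: `/* LimitClients is 2048 at max, way less than MAXINT, so 4 * nClients below cannot wrap */`. The two count fields are declared outside the hunk; if they are unsigned 32-bit protocol fields the comparison runs in unsigned arithmetic, which still gives the intended result once the first check has passed. The function body continues past the hunk.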
diff --git a/1020-fix-CVE-2025-49180.patch b/1020-fix-CVE-2025-49180.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a48afb60354e514de6cb500e0e26de8917c1dc5
--- /dev/null
+++ b/1020-fix-CVE-2025-49180.patch
@@ -0,0 +1,51 @@
+From 43ad12fa09dd7830797dca93b9156af964bc49cd Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 01:37:35 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49180
+
+---
+ hw/xfree86/modes/xf86RandR12.c | 6 ++++--
+ randr/rrproviderproperty.c | 3 +++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
+index 39a38c7..8f97e79 100644
+--- a/hw/xfree86/modes/xf86RandR12.c
++++ b/hw/xfree86/modes/xf86RandR12.c
+@@ -2142,7 +2142,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
+ /* If we don't have any property handler, then we don't care what the
+ * user is setting properties to.
+ */
+- if (config->provider_funcs->set_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->set_property == NULL)
+ return TRUE;
+
+ /*
+@@ -2160,7 +2161,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
+ ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
+ xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+
+- if (config->provider_funcs->get_property == NULL)
++ if (config->provider_funcs == NULL ||
++ config->provider_funcs->get_property == NULL)
+ return TRUE;
+
+ /* Should be safe even w/o vtSema */
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..44cb5c7 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -180,6 +180,9 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
++
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+2.41.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 5ee153fee97843a403b5f7b7042168946a58ce74..83745131fefc8873949d55ac268eea2dbcbcc7c5 100644
--- a/xorg-x11-server.spec
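Review bot: The new `return BadValue` in `RRChangeProviderProperty` (randr/rrproviderproperty.c) exits without any cleanup, while the allocation-failure branch just below it opens a block whose body lies outside the hunk. If that block releases a property created earlier in the same call (as I recall upstream does with `if (add) RRDestroyProviderProperty(prop);`), the overflow path needs the same line before its return. Otherwise every rejected request can leave an unreferenced property allocated, which a client could repeat to grow server memory. `size_in_bytes` is also computed outside the hunk and is now a divisor, so confirm it cannot be zero on any caller's path. The two `provider_funcs == NULL` guards in xf86RandR12.c raise no concern.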
+++ b/xorg-x11-server.spec @@ -1,4 +1,4 @@ -%define anolis_release 14 +%define anolis_release 15 %undefine _hardened_build %undefine _strict_symbol_defs_build %global ansic_major 0 @@ -81,6 +81,15 @@ Patch1013: 1013-Fix-compilation-error-when-built-without-logind_platform-bus.pat Patch1014: 1014-fix-missing-call-to-vtenter-if-the-platform-device-is-not-paused.patch Patch1015: 1015-x86_logind-fix-suspend_resume-when-there-are-no-input-devices.patch Patch1016: 0100-xorg-patch-for-ast-ft-bmc-card-in-s5000c.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F0885e0b26225c90534642fe911632ec0779eebee +Patch1017: 1017-fix-CVE-2025-49175-CVE-2025-49176.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2Fd55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 +Patch1018: 1018-fix-CVE-2025-49178.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4 +Patch1019: 1019-fix-CVE-2025-49179.patch +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F3c3a4b767b16174d3213055947ea7f4f88e10ec6 +# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F0235121c6a7a6eb247e2addb3b41ed6ef566853d +Patch1020: 1020-fix-CVE-2025-49180.patch BuildRequires: automake make autoconf libtool pkgconfig BuildRequires: dbus-devel libepoxy-devel libudev-devel systemd-devel systemtap-sdt-devel @@ -395,6 +404,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/xorg/modules/lib{int10,vbe}.so %{_datadir}/xorg-x11-server-source %changelog +* Thu Aug 07 2025 mgb01105731 - 1:1.20.14-15 +- Add patches to fix CVE-2025-49175,CVE-2025-49176,CVE-2025-49178, + CVE-2025-49179,CVE-2025-49180 + * Fri May 24 2024 yuan0927 - 1:1.20.14-14 - Fix the splash screen issue in the phytium S5000C