xwayland: fix CVE-2025-49180

A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. (From OE-Core rev: 78055e8b6a9ea5063658886c5b5d22821d689fc5) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-07-03 15:53:54 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-07-09 08:23:23 -0700
commit: 0ef633a0bbaeec1eb1f6422633a8834aba22b97e (patch)
tree: d0a6a63147a1050921319fb5a96e272293d44bb2
parent: 4c0768543aa3855d93f435bbd4421befd8ad9bb6 (diff)
download: poky-0ef633a0bbaeec1eb1f6422633a8834aba22b97e.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
new file mode 100644
index 0000000000..51939acf63
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
@@ -0,0 +1,45 @@
+From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 20 May 2025 15:18:19 +0200
+Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
+A client might send a request causing an integer overflow when computing
+the total size to allocate in RRChangeProviderProperty().
+To avoid the issue, check that total length in bytes won't exceed the
+maximum integer value.
+CVE-2025-49180
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+CVE: CVE-2025-49180
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ randr/rrproviderproperty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..0aa35ad 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+     if (mode == PropModeReplace || len > 0) {
+         void *new_data = NULL, *old_data = NULL;
+-
+        if (total_len > MAXINT / size_in_bytes)
+            return BadValue;
+         total_size = total_len * size_in_bytes;
+         new_value.data = (void *) malloc(total_size);
+         if (!new_value.data && total_size) {
+--
+2.40.0
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 691b017662..73f5a05ce7 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-49177.patch \
           file://CVE-2025-49178.patch \
           file://CVE-2025-49179.patch \
+           file://CVE-2025-49180.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-07-03 15:53:54 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-07-09 08:23:23 -0700
commit	0ef633a0bbaeec1eb1f6422633a8834aba22b97e (patch)
tree	d0a6a63147a1050921319fb5a96e272293d44bb2
parent	4c0768543aa3855d93f435bbd4421befd8ad9bb6 (diff)
download	poky-0ef633a0bbaeec1eb1f6422633a8834aba22b97e.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch new file mode 100644 index 0000000000..51939acf63 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
@@ -0,0 +1,45 @@
		1	From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Tue, 20 May 2025 15:18:19 +0200
		4	Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
		5
		6	A client might send a request causing an integer overflow when computing
		7	the total size to allocate in RRChangeProviderProperty().
		8
		9	To avoid the issue, check that total length in bytes won't exceed the
		10	maximum integer value.
		11
		12	CVE-2025-49180
		13
		14	This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
		15	reported by Julian Suleder via ERNW Vulnerability Disclosure.
		16
		17	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		18	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		19	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
		20
		21	CVE: CVE-2025-49180
		22
		23	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
		24
		25	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		26	---
		27	randr/rrproviderproperty.c \| 3 ++-
		28	1 file changed, 2 insertions(+), 1 deletion(-)
		29
		30	diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
		31	index 90c5a9a..0aa35ad 100644
		32	--- a/randr/rrproviderproperty.c
		33	+++ b/randr/rrproviderproperty.c
		34	@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
		35
		36	if (mode == PropModeReplace \|\| len > 0) {
		37	void new_data = NULL, old_data = NULL;
		38	-
		39	+ if (total_len > MAXINT / size_in_bytes)
		40	+ return BadValue;
		41	total_size = total_len * size_in_bytes;
		42	new_value.data = (void *) malloc(total_size);
		43	if (!new_value.data && total_size) {
		44	--
		45	2.40.0


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 691b017662..73f5a05ce7 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
49	file://CVE-2025-49177.patch \	49	file://CVE-2025-49177.patch \
50	file://CVE-2025-49178.patch \	50	file://CVE-2025-49178.patch \
51	file://CVE-2025-49179.patch \	51	file://CVE-2025-49179.patch \
		52	file://CVE-2025-49180.patch \
52	"	53	"
53	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	54	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
54		55