2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
new file mode 100644
index 0000000000..ce3e2f415f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
@@ -0,0 +1,49 @@
+From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+CVE-2025-49178
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2]
+CVE: CVE-2025-49178
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/os/io.c b/os/io.c
+index 3e39c10e6f..e7b76b9cea 100644
+--- a/os/io.c
+++ b/os/io.c
+@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client)
+      */
+ 
+     gotnow -= needed;
+-    if (!gotnow)
+    if (!gotnow && !oci->ignoreBytes)
+         AvailableInput = oc;
+     if (move_header) {
+         if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 1fceec89f7..67e146bf97 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2025-49176-1.patch \
           file://CVE-2025-49176-2.patch \
           file://CVE-2025-49177.patch \
+           file://CVE-2025-49178.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch new file mode 100644 index 0000000000..ce3e2f415f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
@@ -0,0 +1,49 @@
		1	From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 28 Apr 2025 10:46:03 +0200
		4	Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
		5
		6	When reading requests from the clients, the input buffer might be shared
		7	and used between different clients.
		8
		9	If a given client sends a full request with non-zero bytes to ignore,
		10	the bytes to ignore may still be non-zero even though the request is
		11	full, in which case the buffer could be shared with another client who's
		12	request will not be processed because of those bytes to ignore, leading
		13	to a possible hang of the other client request.
		14
		15	To avoid the issue, make sure we have zero bytes to ignore left in the
		16	input request when sharing the input buffer with another client.
		17
		18	CVE-2025-49178
		19
		20	This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
		21	reported by Julian Suleder via ERNW Vulnerability Disclosure.
		22
		23	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		24	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
		26
		27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2]
		28	CVE: CVE-2025-49178
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	os/io.c \| 2 +-
		32	1 file changed, 1 insertion(+), 1 deletion(-)
		33
		34	diff --git a/os/io.c b/os/io.c
		35	index 3e39c10e6f..e7b76b9cea 100644
		36	--- a/os/io.c
		37	+++ b/os/io.c
		38	@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client)
		39	*/
		40
		41	gotnow -= needed;
		42	- if (!gotnow)
		43	+ if (!gotnow && !oci->ignoreBytes)
		44	AvailableInput = oc;
		45	if (move_header) {
		46	if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
		47	--
		48	GitLab
		49


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 1fceec89f7..67e146bf97 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
40	file://CVE-2025-49176-1.patch \	40	file://CVE-2025-49176-1.patch \
41	file://CVE-2025-49176-2.patch \	41	file://CVE-2025-49176-2.patch \
42	file://CVE-2025-49177.patch \	42	file://CVE-2025-49177.patch \
		43	file://CVE-2025-49178.patch \
43	"	44	"
44	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	45	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
45		46