2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
new file mode 100644
index 0000000000..a3d9ccbe16
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
@@ -0,0 +1,67 @@
+From 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 11:47:15 +0200
+Subject: [PATCH] record: Check for overflow in
+ RecordSanityCheckRegisterClients()
+The RecordSanityCheckRegisterClients() checks for the request length,
+but does not check for integer overflow.
+A client might send a very large value for either the number of clients
+or the number of protocol ranges that will cause an integer overflow in
+the request length computation, defeating the check for request length.
+To avoid the issue, explicitly check the number of clients against the
+limit of clients (which is much lower than an maximum integer value) and
+the number of protocol ranges (multiplied by the record length) do not
+exceed the maximum integer value.
+This way, we ensure that the final computation for the request length
+will not overflow the maximum integer limit.
+CVE-2025-49179
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+Upstream-Status: Backport [import from debian xorg-server_21.1.7-3+deb12u10.diff.gz
+Upstream commit https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4]
+CVE: CVE-2025-49179
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/record/record.c b/record/record.c
+index e123867..d57be5b 100644
+--- a/record/record.c
+++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
+#include "opaque.h"
+ 
+ #include <stdio.h>
+ #include <assert.h>
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+     int i;
+     XID recordingClient;
+ 
+    /* LimitClients is 2048 at max, way less that MAXINT */
+    if (stuff->nClients > LimitClients)
+       return BadValue;
+
+    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+       return BadValue;
+
+     if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+         4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+         return BadLength;
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 67e146bf97..279351eff1 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2025-49176-2.patch \
           file://CVE-2025-49177.patch \
           file://CVE-2025-49178.patch \
+           file://CVE-2025-49179.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch new file mode 100644 index 0000000000..a3d9ccbe16 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
@@ -0,0 +1,67 @@
		1	From 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 28 Apr 2025 11:47:15 +0200
		4	Subject: [PATCH] record: Check for overflow in
		5	RecordSanityCheckRegisterClients()
		6
		7	The RecordSanityCheckRegisterClients() checks for the request length,
		8	but does not check for integer overflow.
		9
		10	A client might send a very large value for either the number of clients
		11	or the number of protocol ranges that will cause an integer overflow in
		12	the request length computation, defeating the check for request length.
		13
		14	To avoid the issue, explicitly check the number of clients against the
		15	limit of clients (which is much lower than an maximum integer value) and
		16	the number of protocol ranges (multiplied by the record length) do not
		17	exceed the maximum integer value.
		18
		19	This way, we ensure that the final computation for the request length
		20	will not overflow the maximum integer limit.
		21
		22	CVE-2025-49179
		23
		24	This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
		25	reported by Julian Suleder via ERNW Vulnerability Disclosure.
		26
		27	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		28	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		29	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
		30
		31	Upstream-Status: Backport [import from debian xorg-server_21.1.7-3+deb12u10.diff.gz
		32	Upstream commit https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4]
		33	CVE: CVE-2025-49179
		34	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		35	---
		36	record/record.c \| 8 ++++++++
		37	1 file changed, 8 insertions(+)
		38
		39	diff --git a/record/record.c b/record/record.c
		40	index e123867..d57be5b 100644
		41	--- a/record/record.c
		42	+++ b/record/record.c
		43	@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
		44	#include "inputstr.h"
		45	#include "eventconvert.h"
		46	#include "scrnintstr.h"
		47	+#include "opaque.h"
		48
		49	#include <stdio.h>
		50	#include <assert.h>
		51	@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
		52	int i;
		53	XID recordingClient;
		54
		55	+ /* LimitClients is 2048 at max, way less that MAXINT */
		56	+ if (stuff->nClients > LimitClients)
		57	+ return BadValue;
		58	+
		59	+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
		60	+ return BadValue;
		61	+
		62	if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
		63	4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
		64	return BadLength;
		65	--
		66	2.25.1
		67


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 67e146bf97..279351eff1 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
41	file://CVE-2025-49176-2.patch \	41	file://CVE-2025-49176-2.patch \
42	file://CVE-2025-49177.patch \	42	file://CVE-2025-49177.patch \
43	file://CVE-2025-49178.patch \	43	file://CVE-2025-49178.patch \
		44	file://CVE-2025-49179.patch \
44	"	45	"
45	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	46	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
46		47