From patchwork Wed Jul 2 15:46:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66136 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 169B8C77B7C for ; Wed, 2 Jul 2025 15:46:26 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.27286.1751471185350500369 for ; Wed, 02 Jul 2025 08:46:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=927893d721=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5624sV8Y007944 for ; Wed, 2 Jul 2025 15:46:24 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47j5m1cmdf-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 02 Jul 2025 15:46:24 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 2 Jul 2025 08:46:21 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 2 Jul 2025 08:46:20 -0700 From: To: Subject: [oe-core][scarthgap][PATCH 1/6] xwayland: fix CVE-2025-49175 Date: Wed, 2 Jul 2025 21:16:14 +0530 Message-ID: <20250702154619.3765505-1-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzAyMDEzMCBTYWx0ZWRfXzlfSRjw3GoLL xk/CUMFMN4JoJQlzIXteC6b0pktuKqT0SiMbJIk5E5XbXiqPEG3L1Vz1Wt6BuGcnUkUOmrCKHvR MWFGPkWMJ+6wgv2/oXMdyeft6131zUUL2N9FwXyrWDzL8Tio66y9ek+t6Py96p3Xz6dBGL9n9UH vIO8m+Fjn9dW+DMSJkHgL5jHOji+a2a2n1qKyE9hUiXMGn2TcxSXY1tz7hbpjZQ4XcWkTJQhLAE 29VqmsRugMpQ6l4VzLmJ2NGkeKJZFPcQ5bV69vTxieRKFbJyI+KTXt2kwUkWelDqVyFpjsDdpP9 5rCypdGdAWzsEy6b1VxdMiSNo68yG5kSKTxfE7Fgh6AcUgwoVeGU1VVjmwQeOpEkwIl5iQGfzvN Tcko6uBbQE3N886elP8iQ0JwUzaxuXFertmpMdXFlNKDf3spqG17WNgIXiQG5nq7wzZM3Oam X-Authority-Analysis: v=2.4 cv=IOsCChvG c=1 sm=1 tr=0 ts=68655450 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=IkcTkHD0fZMA:10 a=Wb1JkmetP80A:10 a=e5mUnYsNAAAA:8 a=aR16PxjQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=3tCwXSKOYEuI01B-BJ4A:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=Vxmtnl_E_bksehYqCbjh:22 a=zbFvvTOBjyH4ze5LlUjX:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: Sd-iaf4c3y1DejW7dU8ln4FhoDo3mX1p X-Proofpoint-ORIG-GUID: Sd-iaf4c3y1DejW7dU8ln4FhoDo3mX1p X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-02_02,2025-07-02_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 priorityscore=1501 adultscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 mlxlogscore=502 malwarescore=0 suspectscore=0 impostorscore=0 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2507020130 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 5624sV8Y007944 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Jul 2025 15:46:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219843 From: Archana Polampalli A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash. Signed-off-by: Archana Polampalli --- .../xwayland/xwayland/CVE-2025-49175.patch | 92 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 93 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch new file mode 100644 index 0000000000..bfb37fcea0 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch @@ -0,0 +1,92 @@ +From 0885e0b26225c90534642fe911632ec0779eebee Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 28 Mar 2025 09:43:52 +0100 +Subject: [PATCH] render: Avoid 0 or less animated cursors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Animated cursors use a series of cursors that the client can set. + +By default, the Xserver assumes at least one cursor is specified +while a client may actually pass no cursor at all. + +That causes an out-of-bound read creating the animated cursor and a +crash of the Xserver: + + | Invalid read of size 8 + | at 0x5323F4: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd + | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) + | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | + | Invalid read of size 2 + | at 0x5323F7: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x8 is not stack'd, malloc'd or (recently) free'd + +To avoid the issue, check the number of cursors specified and return a +BadValue error in both the proc handler (early) and the animated cursor +creation (as this is a public function) if there is 0 or less cursor. + +CVE-2025-49175 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: José Expósito +Part-of: + +CVE: CVE-2025-49175 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee] + +Signed-off-by: Archana Polampalli +--- + render/animcur.c | 3 +++ + render/render.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/render/animcur.c b/render/animcur.c +index ef27bda..77942d8 100644 +--- a/render/animcur.c ++++ b/render/animcur.c +@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor, + int rc = BadAlloc, i; + AnimCurPtr ac; + ++ if (ncursor <= 0) ++ return BadValue; ++ + for (i = 0; i < screenInfo.numScreens; i++) + if (!GetAnimCurScreen(screenInfo.screens[i])) + return BadImplementation; +diff --git a/render/render.c b/render/render.c +index 5bc2a20..a8c2da0 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client) + ncursor = + (client->req_len - + (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; ++ if (ncursor <= 0) ++ return BadValue; + cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); + if (!cursors) + return BadAlloc; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 0265366393..b9b4aa1a6a 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -24,6 +24,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-2.patch \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ + file://CVE-2025-49175.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Jul 2 15:46:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66138 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED6FBC83F04 for ; Wed, 2 Jul 2025 15:46:35 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.27308.1751471185738824782 for ; Wed, 02 Jul 2025 08:46:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=927893d721=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5624sV8Z007944 for ; Wed, 2 Jul 2025 15:46:25 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47j5m1cmdf-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 02 Jul 2025 15:46:24 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 2 Jul 2025 08:46:23 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 2 Jul 2025 08:46:22 -0700 From: To: Subject: [oe-core][scarthgap][PATCH 2/6] xwayland: fix CVE-2025-49176 Date: Wed, 2 Jul 2025 21:16:15 +0530 Message-ID: <20250702154619.3765505-2-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250702154619.3765505-1-archana.polampalli@windriver.com> References: <20250702154619.3765505-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzAyMDEzMCBTYWx0ZWRfX3PYKwiMk1zPH lspaLUmG9rUy4BMBKO/i2Wv8kv0M3LH9GIUvkKZRtDb1SnyVdXdcKVGdmgbtEOROonzjf5H9hoh 4UjDdUnA+1UsqZSmAxv9bv7nN0BUp2WfWStTqiLJ2OoHEHYtVJhOkYSTXYdu8NxughW0mH85kOh 6zNKQDgzBCu4QlUSgnO1J0Wovnfd3m1NO1R5eCWEIFbLttbNLRzTjtDPf7le1baRC4soVlVH+cb vSpboRXk2F5PiKM/3QGDRXpdWD17u2fSuURDAwevRjBIMoL46uxMHpb7gEJqvvydHEK6eBLmtbl 8nvJ+hLiBjPNcifIba8emAGCuiJKGYyf87Hp7KFlsF8Ji7+jeIP7CEn478qzBM3XtLpx83DZ64p uJxcwkE/z8xveNiPB8ZhtMtchdeyLGWCaRySgjJWWHD2F3IxEVN4WYmjacRk9S94Miq42Uj/ X-Authority-Analysis: v=2.4 cv=IOsCChvG c=1 sm=1 tr=0 ts=68655450 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=IkcTkHD0fZMA:10 a=Wb1JkmetP80A:10 a=e5mUnYsNAAAA:8 a=aR16PxjQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=6zgkpjy-AAAA:8 a=3VCh78rLSpcNRmjF8KkA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=Vxmtnl_E_bksehYqCbjh:22 a=zbFvvTOBjyH4ze5LlUjX:22 a=FdTzh2GWekK77mhwV6Dw:22 a=VIsXyf1S9QfxK1bU9KZx:22 X-Proofpoint-GUID: CTZWl1DyRwvXPHs20Jw-6bDRIs6L0ctF X-Proofpoint-ORIG-GUID: CTZWl1DyRwvXPHs20Jw-6bDRIs6L0ctF X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-02_02,2025-07-02_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 priorityscore=1501 adultscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 mlxlogscore=999 malwarescore=0 suspectscore=0 impostorscore=0 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2507020130 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 5624sV8Z007944 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Jul 2025 15:46:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219844 From: Archana Polampalli A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check. Signed-off-by: Archana Polampalli --- .../xwayland/CVE-2025-49176-0001.patch | 93 +++++++++++++++++++ .../xwayland/CVE-2025-49176-0002.patch | 38 ++++++++ .../xwayland/xwayland_23.2.5.bb | 2 + 3 files changed, 133 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch new file mode 100644 index 0000000000..fd3b1d936b --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch @@ -0,0 +1,93 @@ +From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows requests larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +Part-of: + +CVE: CVE-2025-49176 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9] + +Signed-off-by: Archana Polampalli +--- + dix/dispatch.c | 9 +++++---- + os/io.c | 4 ++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 9e98d54..20473f1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -513,9 +513,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -536,7 +537,7 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 841a0ee..aeece86 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch new file mode 100644 index 0000000000..6d7df79111 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch @@ -0,0 +1,38 @@ +From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Jun 2025 08:39:02 +0200 +Subject: [PATCH] os: Check for integer overflow on BigRequest length + +Check for another possible integer overflow once we get a complete xReq +with BigRequest. + +Related to CVE-2025-49176 + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Harris +Part-of: + +CVE: CVE-2025-49176 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1] + +Signed-off-by: Archana Polampalli +--- + os/io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/os/io.c b/os/io.c +index aeece86..67465f9 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) ++ return -(BadLength); + needed <<= 2; + } + if (gotnow < needed) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b9b4aa1a6a..72396dcd40 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -25,6 +25,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ file://CVE-2025-49175.patch \ + file://CVE-2025-49176-0001.patch \ + file://CVE-2025-49176-0002.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Jul 2 15:46:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66137 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F352DC83F05 for ; Wed, 2 Jul 2025 15:46:35 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.27310.1751471188242868163 for ; Wed, 02 Jul 2025 08:46:28 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=927893d721=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5621RS61026746 for ; Wed, 2 Jul 2025 15:46:27 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47j5m1cmdh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 02 Jul 2025 15:46:27 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 2 Jul 2025 08:46:25 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 2 Jul 2025 08:46:24 -0700 From: To: Subject: [oe-core][scarthgap][PATCH 3/6] xwayland: fix CVE-2025-49177 Date: Wed, 2 Jul 2025 21:16:16 +0530 Message-ID: <20250702154619.3765505-3-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250702154619.3765505-1-archana.polampalli@windriver.com> References: <20250702154619.3765505-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzAyMDEzMCBTYWx0ZWRfXz9sTPnp9wooU YXH0LXczLcIxKiWs6Xm25ToBHNYkOBxI7o1Bgpl5uBaB9oYYpAohIBTbFLJw+l6WDrdT2IugY2j b3pwNkPnYwjDXuvglnuDuSspUCeFSqP62gRQ4flgR0UQjPXMFSVfeXtty1k+aTsAPGn9rxgNCY+ 39q6qfH9DE7RsfQdzdmPcaR04lRRVUqEgwwBLndrc6Hgbd2kirE0Vc8Khmz+CJKGv83dmSpwhVz qwruWoaMIymhxkNHDLXXBflrWWSOAPkPkYtGAWDt96ubcpf7XQ2AwRZJfoi+9F+FYyhsAmsp+GX ySft9sKRywmVnNhmZnQALPcmz1Utwgecy4+PpKaFcQ9akcg+u7+1M+71o4Ez80Lfc+DQKf+QwGa +19Ra7+uag+FqzbeBae0blCZ5a1Az9GFK66Xjg0tdFwp5c23P4531X0znt0mB2JCzds2zdUT X-Authority-Analysis: v=2.4 cv=IOsCChvG c=1 sm=1 tr=0 ts=68655453 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=Wb1JkmetP80A:10 a=e5mUnYsNAAAA:8 a=aR16PxjQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=D31QgfloAAAA:8 a=dEv3LceFkJjfwSMbmsYA:9 a=Vxmtnl_E_bksehYqCbjh:22 a=zbFvvTOBjyH4ze5LlUjX:22 a=FdTzh2GWekK77mhwV6Dw:22 a=I6paTPn9_Px6ARgSWtWf:22 X-Proofpoint-GUID: tcL7NM_pyCw46xc4JxCoYe2mPWatdHeC X-Proofpoint-ORIG-GUID: tcL7NM_pyCw46xc4JxCoYe2mPWatdHeC X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-02_02,2025-07-02_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 priorityscore=1501 adultscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 mlxlogscore=999 malwarescore=0 suspectscore=0 impostorscore=0 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2507020130 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Jul 2025 15:46:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219845 From: Archana Polampalli A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests Signed-off-by: Archana Polampalli --- .../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch new file mode 100644 index 0000000000..56ae1de800 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch @@ -0,0 +1,55 @@ +From ab02fb96b1c701c3bb47617d965522c34befa6af Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:05:36 +0200 +Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode + +The handler of XFixesSetClientDisconnectMode does not check the client +request length. + +A client could send a shorter request and read data from a former +request. + +Fix the issue by checking the request size matches. + +CVE-2025-49177 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Fixes: e167299f6 - xfixes: Add ClientDisconnectMode +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49177 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af] + +Signed-off-by: Archana Polampalli +--- + xfixes/disconnect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c +index 28aac45..d6da1f9 100644 +--- a/xfixes/disconnect.c ++++ b/xfixes/disconnect.c +@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client) + ClientDisconnectPtr pDisconnect = GetClientDisconnect(client); + + REQUEST(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + pDisconnect->disconnect_mode = stuff->disconnect_mode; + +@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client) + + swaps(&stuff->length); + +- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + swapl(&stuff->disconnect_mode); + +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 72396dcd40..5ed8ca0365 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -27,6 +27,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49175.patch \ file://CVE-2025-49176-0001.patch \ file://CVE-2025-49176-0002.patch \ + file://CVE-2025-49177.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Jul 2 15:46:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66139 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 08ABFC83F09 for ; Wed, 2 Jul 2025 15:46:36 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.27314.1751471190359067926 for ; Wed, 02 Jul 2025 08:46:30 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=927893d721=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5625uMix023396 for ; Wed, 2 Jul 2025 15:46:29 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47j7c9ch9y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 02 Jul 2025 15:46:29 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 2 Jul 2025 08:46:27 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 2 Jul 2025 08:46:26 -0700 From: To: Subject: [oe-core][scarthgap][PATCH 4/6] xwayland: fix CVE-2025-49178 Date: Wed, 2 Jul 2025 21:16:17 +0530 Message-ID: <20250702154619.3765505-4-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250702154619.3765505-1-archana.polampalli@windriver.com> References: <20250702154619.3765505-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: A9XrBSOhYauoD5p-wyyj5Z2qZTanJbcc X-Proofpoint-GUID: A9XrBSOhYauoD5p-wyyj5Z2qZTanJbcc X-Authority-Analysis: v=2.4 cv=M5xNKzws c=1 sm=1 tr=0 ts=68655455 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=Wb1JkmetP80A:10 a=e5mUnYsNAAAA:8 a=aR16PxjQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=D31QgfloAAAA:8 a=3wiCy6-QTMpVeIMz6ZkA:9 a=Vxmtnl_E_bksehYqCbjh:22 a=zbFvvTOBjyH4ze5LlUjX:22 a=FdTzh2GWekK77mhwV6Dw:22 a=I6paTPn9_Px6ARgSWtWf:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzAyMDEzMCBTYWx0ZWRfX7c3hC7ejCo9V mWvt5KsWawbf4n9oIRUzben5QAEtl0+h4vzTgumucTLaMHR5LgmUVGghKpXyECTCU2gUNvDd/OH 2NNWaRmnEnCF4Ox1/EcFec9igr8ce8rDy7TXTIuiLG3/V2egfmZpIwJ58lKYqdrsSaIXdRiW04d EFBw+3cKi7FwMJV+mTLuqu79TiW2lDkfrfE6SPurvBx3eXpK8eZe/ETgCU1nCcZLFk3dV+1HdVU nWADj7ix+wEo7u0Kplg5i2tKYM323Q70OQjyieRVgizRu1g5t+/kWwsQdmvqVFXeH69r7hzmpnt YNoDvwhBbO5/PXgYHH1jb0UZWyPzxQpHsMAhMAFLerS6QTPBv1VYabkZIIC3kb+mceVxqzObOYg 6i54utbX1EgOV9J6WzxVC+lMJQ6pstFrIHob0yaH+dsnKxRY1C9IaC3hnhLegcOsyfCAxO3i X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-02_02,2025-07-02_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 spamscore=0 bulkscore=0 lowpriorityscore=0 adultscore=0 phishscore=0 malwarescore=0 impostorscore=0 mlxlogscore=999 suspectscore=0 mlxscore=0 clxscore=1015 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2507020130 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Jul 2025 15:46:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219846 From: Archana Polampalli A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service. Signed-off-by: Archana Polampalli --- .../xwayland/xwayland/CVE-2025-49178.patch | 50 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch new file mode 100644 index 0000000000..5ef2fea1c9 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch @@ -0,0 +1,50 @@ +From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:46:03 +0200 +Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer + +When reading requests from the clients, the input buffer might be shared +and used between different clients. + +If a given client sends a full request with non-zero bytes to ignore, +the bytes to ignore may still be non-zero even though the request is +full, in which case the buffer could be shared with another client who's +request will not be processed because of those bytes to ignore, leading +to a possible hang of the other client request. + +To avoid the issue, make sure we have zero bytes to ignore left in the +input request when sharing the input buffer with another client. + +CVE-2025-49178 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49178 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2] + +Signed-off-by: Archana Polampalli +--- + os/io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/io.c b/os/io.c +index 67465f9..f92a40e 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client) + */ + + gotnow -= needed; +- if (!gotnow) ++ if (!gotnow && !oci->ignoreBytes) + AvailableInput = oc; + if (move_header) { + if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 5ed8ca0365..e150961882 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49176-0001.patch \ file://CVE-2025-49176-0002.patch \ file://CVE-2025-49177.patch \ + file://CVE-2025-49178.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Jul 2 15:46:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66140 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB806C77B7C for ; Wed, 2 Jul 2025 15:46:35 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.27315.1751471192228143374 for ; Wed, 02 Jul 2025 08:46:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=927893d721=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5628uR2Y032384 for ; Wed, 2 Jul 2025 15:46:31 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47j7c9cha3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 02 Jul 2025 15:46:31 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 2 Jul 2025 08:46:29 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 2 Jul 2025 08:46:28 -0700 From: To: Subject: [oe-core][scarthgap][PATCH 5/6] xwayland: fix CVE-2025-49179 Date: Wed, 2 Jul 2025 21:16:18 +0530 Message-ID: <20250702154619.3765505-5-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250702154619.3765505-1-archana.polampalli@windriver.com> References: <20250702154619.3765505-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: xR1tGEIHs-h1rdy0oCLGNYzNOcudqOKj X-Proofpoint-GUID: xR1tGEIHs-h1rdy0oCLGNYzNOcudqOKj X-Authority-Analysis: v=2.4 cv=M5xNKzws c=1 sm=1 tr=0 ts=68655457 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=Wb1JkmetP80A:10 a=e5mUnYsNAAAA:8 a=aR16PxjQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=D31QgfloAAAA:8 a=srCqXsuJmE3NBOGLpTcA:9 a=Vxmtnl_E_bksehYqCbjh:22 a=zbFvvTOBjyH4ze5LlUjX:22 a=FdTzh2GWekK77mhwV6Dw:22 a=I6paTPn9_Px6ARgSWtWf:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzAyMDEzMCBTYWx0ZWRfX/gqU97Fdci/V Yo9YQUk5/5Mg05TgpnxP4QXEU2Tk3w8OdWv1lraoJnMQlQ+2hnitC6EigKPpCMn1ryN0rXxUvq2 bZlCIiUP3LpRwPOgDoUUbWu5KT7jFHLwgz9SpPT7SwQbNyrDZm3eyaioCjroyQok5EGhZMyMvbf jR7cdxqPSlxbc+51zEbu/TZ0ZXLnLELKyFk+gVTkJ7BHQILzH938n/PVZtcAdfmwQnamxU3HkQ/ pfEWLVmUg0BxOLrS+KP+Mcda4MjGxaTo6USXu9N0CNSVsrJ2XtGSO5d2loMAhos0slWeisZWtKo XO+HvCclHelS/8vMVYx0DJQsZRwlNs3qi3fB9Ups8gsLZHI4/d+dIKxT8AhlKatjV3oXl8OQDUx HKpWtWIYGkE+m65a+YJf9WFdDQjzjXjuGNs93IlA7OgHkLtknwWOumv2sl2+yziJ8LGqHFR1 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-02_02,2025-07-02_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 spamscore=0 bulkscore=0 lowpriorityscore=0 adultscore=0 phishscore=0 malwarescore=0 impostorscore=0 mlxlogscore=831 suspectscore=0 mlxscore=0 clxscore=1015 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2507020130 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Jul 2025 15:46:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219847 From: Archana Polampalli A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks. Signed-off-by: Archana Polampalli --- .../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch new file mode 100644 index 0000000000..48c7ed8c13 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch @@ -0,0 +1,69 @@ +From 9d205323894af62b9726fcbaeb5fc69b3c9f61ba Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 11:47:15 +0200 +Subject: [PATCH] record: Check for overflow in + RecordSanityCheckRegisterClients() + +The RecordSanityCheckRegisterClients() checks for the request length, +but does not check for integer overflow. + +A client might send a very large value for either the number of clients +or the number of protocol ranges that will cause an integer overflow in +the request length computation, defeating the check for request length. + +To avoid the issue, explicitly check the number of clients against the +limit of clients (which is much lower than an maximum integer value) and +the number of protocol ranges (multiplied by the record length) do not +exceed the maximum integer value. + +This way, we ensure that the final computation for the request length +will not overflow the maximum integer limit. + +CVE-2025-49179 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4) + +Part-of: + +CVE: CVE-2025-49179 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9d205323894af62b9726fcbaeb5fc69b3c9f61ba] + +Signed-off-by: Archana Polampalli +--- + record/record.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/record/record.c b/record/record.c +index e123867..018e53f 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. + #include "inputstr.h" + #include "eventconvert.h" + #include "scrnintstr.h" ++#include "opaque.h" + + #include + #include +@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, + int i; + XID recordingClient; + ++ /* LimitClients is 2048 at max, way less that MAXINT */ ++ if (stuff->nClients > LimitClients) ++ return BadValue; ++ ++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) ++ return BadValue; ++ + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != + 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) + return BadLength; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index e150961882..490e1ca05f 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -29,6 +29,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49176-0002.patch \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ + file://CVE-2025-49179.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Jul 2 15:46:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 66141 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B57DC77B7C for ; Wed, 2 Jul 2025 15:46:46 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.27288.1751471194257533775 for ; Wed, 02 Jul 2025 08:46:34 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=927893d721=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5623xrRU026445 for ; Wed, 2 Jul 2025 15:46:33 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 47j5m1cmdt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 02 Jul 2025 15:46:33 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 2 Jul 2025 08:46:31 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 2 Jul 2025 08:46:30 -0700 From: To: Subject: [oe-core][scarthgap][PATCH 6/6] xwayland: fix CVE-2025-49180 Date: Wed, 2 Jul 2025 21:16:19 +0530 Message-ID: <20250702154619.3765505-6-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250702154619.3765505-1-archana.polampalli@windriver.com> References: <20250702154619.3765505-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzAyMDEzMCBTYWx0ZWRfX3j1Xh+nzqdN3 rPSGcDxjOdGA/c0WBkCKr9pBwaPBH60zgG1XxOzg8sjzgDTaAD2hsq1lAJif/glawp8YKbnIl7P nbzt1cJHBpaIl4bnydBnNf69FTVrrfa8T81dccPK3wKJz4dItkbXKnOX7GnpLVCK0AanYzqVYFo UqjCiBVbJAzLUslNelqwaii8rXDubQztJ7tJTKbHdAEjlG8Zf1FB9rZF42iROndDgFqH6ntu1yu 9VwTIPzqDxDOg8eqFqkM7h9T0mZwNdxrpZWKFBk6BAA2DUS85ADLqlHVvsr52onvhmzT6XFHf4F GbLov0ubGtL6Q0VMk50Rb0RxuJLRJb7GSPTItb0dKUzcriaId8bO+HfHHdTlvGKBM9nojxj8VKm N/V60qDphpipDkknmEPEVydssUF2ITe7zrREOZdBHNvmyQnCGZKYm2ovFkMsc/y0+AFWfTNH X-Authority-Analysis: v=2.4 cv=IOsCChvG c=1 sm=1 tr=0 ts=68655459 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=Wb1JkmetP80A:10 a=e5mUnYsNAAAA:8 a=aR16PxjQAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=D31QgfloAAAA:8 a=eyDTMUTSZJA0LI66-78A:9 a=Vxmtnl_E_bksehYqCbjh:22 a=zbFvvTOBjyH4ze5LlUjX:22 a=FdTzh2GWekK77mhwV6Dw:22 a=I6paTPn9_Px6ARgSWtWf:22 X-Proofpoint-GUID: 8Mp5iZ_r63vN_wCvOMdfnCUmhZZBdvr4 X-Proofpoint-ORIG-GUID: 8Mp5iZ_r63vN_wCvOMdfnCUmhZZBdvr4 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-02_02,2025-07-02_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 priorityscore=1501 adultscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 mlxlogscore=999 malwarescore=0 suspectscore=0 impostorscore=0 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2507020130 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Jul 2025 15:46:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219848 From: Archana Polampalli A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. Signed-off-by: Archana Polampalli --- .../xwayland/xwayland/CVE-2025-49180.patch | 45 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch new file mode 100644 index 0000000000..51939acf63 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch @@ -0,0 +1,45 @@ +From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 20 May 2025 15:18:19 +0200 +Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty() + +A client might send a request causing an integer overflow when computing +the total size to allocate in RRChangeProviderProperty(). + +To avoid the issue, check that total length in bytes won't exceed the +maximum integer value. + +CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49180 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6] + +Signed-off-by: Archana Polampalli +--- + randr/rrproviderproperty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index 90c5a9a..0aa35ad 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, + + if (mode == PropModeReplace || len > 0) { + void *new_data = NULL, *old_data = NULL; +- ++ if (total_len > MAXINT / size_in_bytes) ++ return BadValue; + total_size = total_len * size_in_bytes; + new_value.data = (void *) malloc(total_size); + if (!new_value.data && total_size) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 490e1ca05f..49e35ca442 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -30,6 +30,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ file://CVE-2025-49179.patch \ + file://CVE-2025-49180.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"