Bug#1108172: unblock: xorg-server/2:21.1.16-1.3
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: xorg-server@packages.debian.org, Emilio Pozuelo Monfort <pochu@debian.org>, Timo Aaltonen <tjaalton@ubuntu.com>, Julien Cristau <jcristau@debian.org>, carnil@debian.org, debian-boot@lists.debian.org, kibi@debian.org
Control: affects -1 + src:xorg-server
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: tags -1 + d-i
Please unblock package xorg-server
The update for xorg-server covering several CVE fixes required one
other followup as there was one integer overflow related to
CVE-2025-49176 found later to be unfixed, cf. #1108073.
Adding as well debian-boot@l.d.o since a udeb is produced
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock xorg-server/2:21.1.16-1.3
The debdiff is only on top of the previous upload which was already
unboocked but superseeded before migration to testing of this one.
Regards,
Salvatore
diff -u xorg-server-21.1.16/debian/changelog xorg-server-21.1.16/debian/changelog
--- xorg-server-21.1.16/debian/changelog
+++ xorg-server-21.1.16/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:21.1.16-1.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * os: Check for integer overflow on BigRequest length (CVE-2025-49176)
+ (Closes: #1108073)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 20 Jun 2025 09:47:20 +0200
+
xorg-server (2:21.1.16-1.2) unstable; urgency=medium
* Non-maintainer upload.
diff -u xorg-server-21.1.16/debian/patches/series xorg-server-21.1.16/debian/patches/series
--- xorg-server-21.1.16/debian/patches/series
+++ xorg-server-21.1.16/debian/patches/series
@@ -11,3 +11,4 @@
14_record-Check-for-overflow-in-RecordSanityCheckRegist.diff
15_randr-Check-for-overflow-in-RRChangeProviderProperty.diff
16_xfree86-Check-for-RandR-provider-functions.diff
+17_os-Check-for-integer-overflow-on-BigRequest-length.diff
only in patch2:
unchanged:
--- xorg-server-21.1.16.orig/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
+++ xorg-server-21.1.16/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
@@ -0,0 +1,35 @@
+From a659519ffa3eae4c94218b03e704a2b6d26adf6f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2029>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index 26f9161ef826..83986af9288e 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
+--
+2.50.0
+
Reply to: