
Bug#1108172: unblock: xorg-server/2:21.1.16-1.3



Package: release.debian.org
Severity: normal
X-Debbugs-Cc: xorg-server@packages.debian.org, Emilio Pozuelo Monfort <pochu@debian.org>, Timo Aaltonen <tjaalton@ubuntu.com>, Julien Cristau <jcristau@debian.org>, carnil@debian.org, debian-boot@lists.debian.org, kibi@debian.org
Control: affects -1 + src:xorg-server
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: tags -1 + d-i

Please unblock package xorg-server

The update for xorg-server covering several CVE fixes required one
other followup as there was one integer overflow related to
CVE-2025-49176 found later to be unfixed, cf. #1108073.

Adding as well debian-boot@l.d.o since a udeb is produced

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock xorg-server/2:21.1.16-1.3

The debdiff is only on top of the previous upload which was already
unblocked but superseded before migration to testing of this one.

Regards,
Salvatore
diff -u xorg-server-21.1.16/debian/changelog xorg-server-21.1.16/debian/changelog
--- xorg-server-21.1.16/debian/changelog
+++ xorg-server-21.1.16/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:21.1.16-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * os: Check for integer overflow on BigRequest length (CVE-2025-49176)
+    (Closes: #1108073)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 20 Jun 2025 09:47:20 +0200
+
 xorg-server (2:21.1.16-1.2) unstable; urgency=medium
 
   * Non-maintainer upload.
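Review bot: the new changelog entry cites CVE-2025-49176 in the same form a first fix would use, while the patch header shipped in this upload says "Related to CVE-2025-49176", so the changelog alone does not show that this is a follow-up check. Wording such as "additional integer overflow check related to CVE-2025-49176" and naming 17_os-Check-for-integer-overflow-on-BigRequest-length.diff in the entry would let someone reading only d/changelog see what was added on top of the previous upload.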
diff -u xorg-server-21.1.16/debian/patches/series xorg-server-21.1.16/debian/patches/series
--- xorg-server-21.1.16/debian/patches/series
+++ xorg-server-21.1.16/debian/patches/series
@@ -11,3 +11,4 @@
 14_record-Check-for-overflow-in-RecordSanityCheckRegist.diff
 15_randr-Check-for-overflow-in-RRChangeProviderProperty.diff
 16_xfree86-Check-for-RandR-provider-functions.diff
+17_os-Check-for-integer-overflow-on-BigRequest-length.diff
only in patch2:
unchanged:
--- xorg-server-21.1.16.orig/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
+++ xorg-server-21.1.16/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
@@ -0,0 +1,35 @@
+From a659519ffa3eae4c94218b03e704a2b6d26adf6f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2029>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index 26f9161ef826..83986af9288e 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+                     needed = get_big_req_len(request, client);
+             }
+             client->req_len = needed;
++            if (needed > MAXINT >> 2)
++                return -(BadLength);
+             needed <<= 2;
+         }
+         if (gotnow < needed) {
+-- 
+2.50.0
+
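Review bot: in the os/io.c hunk, the new check `if (needed > MAXINT >> 2)` sits after `client->req_len = needed;`, so on the `-(BadLength)` return path the client structure already holds the rejected length. Placing the two added lines above the assignment would keep `req_len` from ever carrying a value that cannot be shifted by 2 safely, unless something on the error path depends on the current order, which the hunk does not show. The condition also relies on `>>` binding tighter than `>`; writing it as `needed > (MAXINT >> 2)` would make the intended bound explicit, and a one-line comment that the bound guards the following `needed <<= 2` would document why the check is here.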
