Bug#1108073: xorg-server: diff for NMU version 2:21.1.16-1.3
Control: tags 1108073 + patch
Control: tags 1108073 + pending
Dear maintainer,
I've prepared an NMU for xorg-server (versioned as 2:21.1.16-1.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.
Regards,
Salvatore
diffstat for xorg-server_21.1.16-1.2 xorg-server_21.1.16-1.3
debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff | 35 ++++++++++
xorg-server-21.1.16/debian/changelog | 8 ++
xorg-server-21.1.16/debian/patches/series | 1
3 files changed, 44 insertions(+)
diff -u xorg-server-21.1.16/debian/changelog xorg-server-21.1.16/debian/changelog
--- xorg-server-21.1.16/debian/changelog
+++ xorg-server-21.1.16/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:21.1.16-1.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * os: Check for integer overflow on BigRequest length (CVE-2025-49176)
+ (Closes: #1108073)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 20 Jun 2025 09:47:20 +0200
+
xorg-server (2:21.1.16-1.2) unstable; urgency=medium
* Non-maintainer upload.
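Review bot: the new changelog bullet cites the fix as "(CVE-2025-49176)", while the imported patch's own commit message says only "Related to CVE-2025-49176" and describes the check as covering "another possible integer overflow". Consider wording the entry as an additional or follow-up check for that CVE and naming the patch file, 17_os-Check-for-integer-overflow-on-BigRequest-length.diff, so the changelog shows which change this upload carries for the CVE.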
diff -u xorg-server-21.1.16/debian/patches/series xorg-server-21.1.16/debian/patches/series
--- xorg-server-21.1.16/debian/patches/series
+++ xorg-server-21.1.16/debian/patches/series
@@ -11,3 +11,4 @@
14_record-Check-for-overflow-in-RecordSanityCheckRegist.diff
15_randr-Check-for-overflow-in-RRChangeProviderProperty.diff
16_xfree86-Check-for-RandR-provider-functions.diff
+17_os-Check-for-integer-overflow-on-BigRequest-length.diff
only in patch2:
unchanged:
--- xorg-server-21.1.16.orig/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
+++ xorg-server-21.1.16/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
@@ -0,0 +1,35 @@
+From a659519ffa3eae4c94218b03e704a2b6d26adf6f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2029>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index 26f9161ef826..83986af9288e 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
+--
+2.50.0
+
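Review bot: in the embedded os/io.c hunk, the new `if (needed > MAXINT >> 2)` check sits after `client->req_len = needed;`, so when the function returns -(BadLength) the client's req_len already holds the rejected length. It is worth confirming that nothing reads client->req_len on that error path, or asking upstream whether the check should move above the assignment. Since this is a cherry-pick, the NMU should stay identical to the upstream commit either way. Separately, the comparison relies on `>>` binding tighter than `>`. That is correct as written, but `needed > (MAXINT >> 2)` would make the intent explicit if upstream revisits the line.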