Bug#1108369: xwayland: CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1108369: xwayland: CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 27 Jun 2025 06:16:06 +0200
Message-id: <[🔎] 175099776686.191527.11606663389698781122.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1108369@bugs.debian.org

Source: xwayland
Version: 2:24.1.6-1
Severity: normal
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for xwayland.

CVE-2025-49175[0]:
| A flaw was found in the X Rendering extension's handling of animated
| cursors. If a client provides no cursors, the server assumes at
| least one is present, leading to an out-of-bounds read and potential
| crash.


CVE-2025-49176[1]:
| A flaw was found in the Big Requests extension. The request length
| is multiplied by 4 before checking against the maximum allowed size,
| potentially causing an integer overflow and bypassing the size
| check.


CVE-2025-49177[2]:
| A flaw was found in the XFIXES extension. The
| XFixesSetClientDisconnectMode handler does not validate the request
| length, allowing a client to read unintended memory from previous
| requests.


CVE-2025-49178[3]:
| A flaw was found in the X server's request handling. Non-zero 'bytes
| to ignore' in a client's request can cause the server to skip
| processing another client's request, potentially leading to a denial
| of service.


CVE-2025-49179[4]:
| A flaw was found in the X Record extension. The
| RecordSanityCheckRegisterClients function does not check for an
| integer overflow when computing request length, which allows a
| client to bypass length checks.


CVE-2025-49180[5]:
| A flaw was found in the RandR extension, where the
| RRChangeProviderProperty function does not properly validate input.
| This issue leads to an integer overflow when computing the total
| size to allocate.

there is still the [6] change with the addition by Timo, which still
would be great to make it into trixie, in particular then we can start
not considering xwayland CVEs as well for tracking.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49175
    https://www.cve.org/CVERecord?id=CVE-2025-49175
[1] https://security-tracker.debian.org/tracker/CVE-2025-49176
    https://www.cve.org/CVERecord?id=CVE-2025-49176
[2] https://security-tracker.debian.org/tracker/CVE-2025-49177
    https://www.cve.org/CVERecord?id=CVE-2025-49177
[3] https://security-tracker.debian.org/tracker/CVE-2025-49178
    https://www.cve.org/CVERecord?id=CVE-2025-49178
[4] https://security-tracker.debian.org/tracker/CVE-2025-49179
    https://www.cve.org/CVERecord?id=CVE-2025-49179
[5] https://security-tracker.debian.org/tracker/CVE-2025-49180
    https://www.cve.org/CVERecord?id=CVE-2025-49180
[6] https://salsa.debian.org/xorg-team/wayland/xwayland/-/commit/84145e011fb98fea74878e07335bd22e9bfed531

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: [Git][xorg-team/lib/mesa][debian-experimental] d/rules: Enable iris and intel vulkan driver for loong64
Next by Date: [Git][xorg-team/xserver/xorg-server] Pushed new tag debian/2%21.1.18-1
Previous by thread: [Git][xorg-team/lib/mesa][debian-experimental] d/rules: Enable iris and intel vulkan driver for loong64
Next by thread: [Git][xorg-team/xserver/xorg-server] Pushed new tag debian/2%21.1.18-1
Index(es):
- Date
- Thread