Version in base suite: 21.1.7-3+deb12u9 Base version: xorg-server_21.1.7-3+deb12u9 Target version: xorg-server_21.1.7-3+deb12u10 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xorg-server/xorg-server_21.1.7-3+deb12u9.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xorg-server/xorg-server_21.1.7-3+deb12u10.dsc debian/patches/CVE-2025-49175/0001-render-Avoid-0-or-less-animated-cursors.patch | 87 +++++++++ debian/patches/CVE-2025-49176/0001-os-Do-not-overflow-the-integer-size-with-BigRequest.patch | 88 ++++++++++ debian/patches/CVE-2025-49176/0002-os-Check-for-integer-overflow-on-BigRequest-length.patch | 35 +++ debian/patches/CVE-2025-49177/0001-xfixes-Check-request-length-for-SetClientDisconnectM.patch | 51 +++++ debian/patches/CVE-2025-49178/0001-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch | 46 +++++ debian/patches/CVE-2025-49179/0001-record-Check-for-overflow-in-RecordSanityCheckRegist.patch | 62 +++++++ debian/patches/CVE-2025-49180/0001-randr-Check-for-overflow-in-RRChangeProviderProperty.patch | 41 ++++ debian/patches/CVE-2025-49180/0002-xfree86-Check-for-RandR-provider-functions.patch | 48 +++++ xorg-server-21.1.7/debian/changelog | 15 + xorg-server-21.1.7/debian/patches/series | 8 10 files changed, 481 insertions(+) diff -u xorg-server-21.1.7/debian/changelog xorg-server-21.1.7/debian/changelog --- xorg-server-21.1.7/debian/changelog +++ xorg-server-21.1.7/debian/changelog 
@@ -1,3 +1,18 @@ +xorg-server (2:21.1.7-3+deb12u10) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * render: Avoid 0 or less animated cursors (CVE-2025-49175) + * os: Do not overflow the integer size with BigRequest (CVE-2025-49176) + * xfixes: Check request length for SetClientDisconnectMode (CVE-2025-49177) + * os: Account for bytes to ignore when sharing input buffer (CVE-2025-49178) + * record: Check for overflow in RecordSanityCheckRegisterClients() + (CVE-2025-49179) + * randr: Check for overflow in RRChangeProviderProperty() (CVE-2025-49180) + * xfree86: Check for RandR provider functions (CVE-2025-49180) + * os: Check for integer overflow on BigRequest length (CVE-2025-49176) + + -- Salvatore Bonaccorso Fri, 20 Jun 2025 14:46:37 +0200 + xorg-server (2:21.1.7-3+deb12u9) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -u xorg-server-21.1.7/debian/patches/series xorg-server-21.1.7/debian/patches/series --- xorg-server-21.1.7/debian/patches/series +++ xorg-server-21.1.7/debian/patches/series 
@@ -37,3 +37,11 @@ CVE-2025-26601/0002-sync-Check-values-before-applying-changes.patch CVE-2025-26601/0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch CVE-2025-26601/0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch +CVE-2025-49175/0001-render-Avoid-0-or-less-animated-cursors.patch +CVE-2025-49176/0001-os-Do-not-overflow-the-integer-size-with-BigRequest.patch +CVE-2025-49176/0002-os-Check-for-integer-overflow-on-BigRequest-length.patch +CVE-2025-49177/0001-xfixes-Check-request-length-for-SetClientDisconnectM.patch +CVE-2025-49178/0001-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch +CVE-2025-49179/0001-record-Check-for-overflow-in-RecordSanityCheckRegist.patch +CVE-2025-49180/0001-randr-Check-for-overflow-in-RRChangeProviderProperty.patch +CVE-2025-49180/0002-xfree86-Check-for-RandR-provider-functions.patch only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49175/0001-render-Avoid-0-or-less-animated-cursors.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49175/0001-render-Avoid-0-or-less-animated-cursors.patch 
@@ -0,0 +1,87 @@ +From 53e0de91e307870b6790690bd74cf30ac501de50 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 28 Mar 2025 09:43:52 +0100 +Subject: [PATCH xserver] render: Avoid 0 or less animated cursors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Animated cursors use a series of cursors that the client can set. + +By default, the Xserver assumes at least one cursor is specified +while a client may actually pass no cursor at all. + +That causes an out-of-bound read creating the animated cursor and a +crash of the Xserver: + + | Invalid read of size 8 + | at 0x5323F4: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd + | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) + | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | + | Invalid read of size 2 + | at 0x5323F7: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x8 is not stack'd, malloc'd or (recently) free'd + +To avoid the issue, check the number of cursors specified and return a +BadValue error in both the proc handler (early) and the animated cursor +creation (as this is a public function) if there is 0 or less cursor. + +CVE-2025-49175 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. 
+ +Signed-off-by: Olivier Fourdan +Reviewed-by: José Expósito +(cherry picked from commit 9304e31035f97ddbfcc1d5f3c178da1d04a472ad) +--- + render/animcur.c | 3 +++ + render/render.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/render/animcur.c b/render/animcur.c +index ef27bda27..77942d846 100644 +--- a/render/animcur.c ++++ b/render/animcur.c +@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor, + int rc = BadAlloc, i; + AnimCurPtr ac; + ++ if (ncursor <= 0) ++ return BadValue; ++ + for (i = 0; i < screenInfo.numScreens; i++) + if (!GetAnimCurScreen(screenInfo.screens[i])) + return BadImplementation; +diff --git a/render/render.c b/render/render.c +index 5bc2a204b..a8c2da056 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client) + ncursor = + (client->req_len - + (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; ++ if (ncursor <= 0) ++ return BadValue; + cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); + if (!cursors) + return BadAlloc; +-- +2.49.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49176/0001-os-Do-not-overflow-the-integer-size-with-BigRequest.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49176/0001-os-Do-not-overflow-the-integer-size-with-BigRequest.patch 
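Review bot: The `ncursor` computation in ProcRenderCreateAnimCursor still silently drops an odd trailing 32-bit word, because `>> 1` rounds the remaining length down before the new `ncursor <= 0` guard runs: a header plus one extra word now gives ncursor == 0 and is rejected, but a header plus three extra words gives ncursor == 1 with the stray word ignored. If the rest of the handler (it continues outside the hunk) does not already reject that, `if ((client->req_len - bytes_to_int32(sizeof(xRenderCreateAnimCursorReq))) & 1) return BadLength;` placed before the shift would make the length check exact. Both new guards return BadValue without setting `client->errorValue`, so the error sent to the client carries whatever value was left there; `client->errorValue = ncursor;` in the proc handler is the usual xserver convention. The `<= 0` test only catches negative values if `ncursor` and `req_len` are signed, which the hunk does not show, and it relies on REQUEST_AT_LEAST_SIZE having run earlier in the handler — both worth confirming against the declarations.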
@@ -0,0 +1,88 @@ +From 57248c57e971bb7cc0ccae6de4c49a49ff13b45c Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows request larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. 
+ +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa) +--- + dix/dispatch.c | 9 +++++---- + os/io.c | 4 ++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 6f4e349e0..15e63e22a 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -518,9 +518,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -541,7 +542,7 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 5b7fac349..5fc05821c 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.49.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49176/0002-os-Check-for-integer-overflow-on-BigRequest-length.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49176/0002-os-Check-for-integer-overflow-on-BigRequest-length.patch 
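Review bot: The new early `return -(BadLength)` in ReadRequestFromClient leaves the oversized request unconsumed: nothing in the hunk advances `oci->bufptr` or marks the remainder with ignoreBytes before returning, so the same header is still at the front of the buffer the next time this client is read. Dispatch reports BadLength once and `break`s, but on the next read the same header is rejected again; unless the rest of ReadRequestFromClient (outside the hunk) resynchronises the stream on this path, the client is either stuck or fed an endless series of BadLength errors. Since a length above `MAXINT >> 2` words (about 2 GiB) is never legitimate, returning -1 here so that the existing `CloseDownClient(client)` branch in Dispatch drops the connection would be the simpler and safer outcome, and it would make the second Dispatch hunk unnecessary. Also, `client->req_len = needed;` is assigned before the check, so the huge word count stays stored in the client on the error path; moving the check above that assignment keeps the client state consistent.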
@@ -0,0 +1,35 @@ +From a659519ffa3eae4c94218b03e704a2b6d26adf6f Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Jun 2025 08:39:02 +0200 +Subject: [PATCH] os: Check for integer overflow on BigRequest length + +Check for another possible integer overflow once we get a complete xReq +with BigRequest. + +Related to CVE-2025-49176 + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Harris +(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1) + +Part-of: +--- + os/io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/os/io.c b/os/io.c +index 26f9161ef826..83986af9288e 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) ++ return -(BadLength); + needed <<= 2; + } + if (gotnow < needed) { +-- +2.50.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49177/0001-xfixes-Check-request-length-for-SetClientDisconnectM.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49177/0001-xfixes-Check-request-length-for-SetClientDisconnectM.patch 
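Review bot: The check added at this second `get_big_req_len` site is a verbatim copy of the one at the first site, minus that site's `/* Check for potential integer overflow */` comment, and two hand-copied bounds in one function will drift. A one-line helper such as `static inline Bool big_req_len_overflows(unsigned int needed) { return needed > MAXINT >> 2; }` used at both sites keeps the bound and its rationale in one place. The type of `needed` is not visible in the hunk; if it were a signed int, a 32-bit length with the top bit set would arrive negative, pass the `>` comparison, and then hit a left shift of a negative value, so confirm it is unsigned. As at the first site, the early return does not consume the offending header or set ignoreBytes, and the enclosing function continues outside the hunk.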
@@ -0,0 +1,51 @@ +From 162419d86bee4bedaae63213e47674054309505e Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:05:36 +0200 +Subject: [PATCH xserver] xfixes: Check request length for + SetClientDisconnectMode + +The handler of XFixesSetClientDisconnectMode does not check the client +request length. + +A client could send a shorter request and read data from a former +request. + +Fix the issue by checking the request size matches. + +CVE-2025-49177 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Fixes: e167299f6 - xfixes: Add ClientDisconnectMode +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit fa1e4b0aa13a8586bb2ce8a8623948888f853d44) +--- + xfixes/disconnect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c +index 77932725e..209e3d8af 100644 +--- a/xfixes/disconnect.c ++++ b/xfixes/disconnect.c +@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client) + ClientDisconnectPtr pDisconnect = GetClientDisconnect(client); + + REQUEST(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + pDisconnect->disconnect_mode = stuff->disconnect_mode; + +@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client) + + swaps(&stuff->length); + +- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + swapl(&stuff->disconnect_mode); + +-- +2.49.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49178/0001-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49178/0001-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch 
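Review bot: `pDisconnect->disconnect_mode = stuff->disconnect_mode;` stores the client-supplied mode without any range check in the visible lines, so the new REQUEST_SIZE_MATCH fixes the over-read but undefined flag bits still land in the client's disconnect state. If the rest of the handler (it continues outside the hunk) does not validate the value, rejecting unknown bits with `client->errorValue = stuff->disconnect_mode; return BadValue;` against the flags the XFixes protocol header defines (XFixesClientDisconnectFlagTerminate is the only one I know of) would spare later consumers of disconnect_mode from coping with arbitrary values. The matching change in SProcXFixesSetClientDisconnectMode is harmless and is now redundant with the Proc check, assuming the swapped path chains to the Proc handler as is usual.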
@@ -0,0 +1,46 @@ +From 90a13c564e7b9ba5c0d8d92acac80689cd051898 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:46:03 +0200 +Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input + buffer + +When reading requests from the clients, the input buffer might be shared +and used between different clients. + +If a given client sends a full request with non-zero bytes to ignore, +the bytes to ignore may still be non-zero even though the request is +full, in which case the buffer could be shared with another client who's +request will not be processed because of those bytes to ignore, leading +to a possible hang of the other client request. + +To avoid the issue, make sure we have zero bytes to ignore left in the +input request when sharing the input buffer with another client. + +CVE-2025-49178 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3) +--- + os/io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/io.c b/os/io.c +index 5fc05821c..26f9161ef 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client) + */ + + gotnow -= needed; +- if (!gotnow) ++ if (!gotnow && !oci->ignoreBytes) + AvailableInput = oc; + if (move_header) { + if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { +-- +2.49.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49179/0001-record-Check-for-overflow-in-RecordSanityCheckRegist.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49179/0001-record-Check-for-overflow-in-RecordSanityCheckRegist.patch 
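Review bot: The new `!oci->ignoreBytes` condition in ReadRequestFromClient is the whole fix, yet nothing at the site says why pending ignore bytes must block buffer sharing, and the comment block that closes just above it (the `*/` context line) predates the change. A comment on the condition would stop a future cleanup from 'simplifying' it away: `/* Only hand the input buffer to another client when nothing remains to be ignored; leftover ignoreBytes would otherwise be applied to that client's next request and hang it (CVE-2025-49178). */` The enclosing function starts and ends outside the hunk, so whether ignoreBytes is cleared before the next read of this same client cannot be confirmed from here.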
@@ -0,0 +1,62 @@ +From 9a4f3012ba5752be1634455a3f0c7c125eabb328 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 11:47:15 +0200 +Subject: [PATCH xserver] record: Check for overflow in + RecordSanityCheckRegisterClients() + +The RecordSanityCheckRegisterClients() checks for the request length, +but does not check for integer overflow. + +A client might send a very large value for either the number of clients +or the number of protocol ranges that will cause an integer overflow in +the request length computation, defeating the check for request length. + +To avoid the issue, explicitly check the number of clients against the +limit of clients (which is much lower than an maximum integer value) and +the number of protocol ranges (multiplied by the record length) do not +exceed the maximum integer value. + +This way, we ensure that the final computation for the request length +will not overflow the maximum integer limit. + +CVE-2025-49179 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00) +--- + record/record.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/record/record.c b/record/record.c +index e123867a7..018e53f81 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. 
+ #include "inputstr.h" + #include "eventconvert.h" + #include "scrnintstr.h" ++#include "opaque.h" + + #include + #include +@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, + int i; + XID recordingClient; + ++ /* LimitClients is 2048 at max, way less that MAXINT */ ++ if (stuff->nClients > LimitClients) ++ return BadValue; ++ ++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) ++ return BadValue; ++ + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != + 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) + return BadLength; +-- +2.49.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49180/0001-randr-Check-for-overflow-in-RRChangeProviderProperty.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49180/0001-randr-Check-for-overflow-in-RRChangeProviderProperty.patch 
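Review bot: Both new guards in RecordSanityCheckRegisterClients return BadValue without setting `client->errorValue`, so the client learns which error occurred but receives a stale value field; `client->errorValue = stuff->nClients;` before the first return and `client->errorValue = stuff->nRanges;` before the second follow the convention used elsewhere in the server. The second bound mixes the signed `MAXINT` with the unsigned CARD32 product `4 * stuff->nClients`, which is only safe because the first check has already capped nClients at LimitClients (at most 2048 per the comment), so the order of the two checks matters and a comment saying so would help. The comment on the first check reads `way less that MAXINT`; `than`. The loops that later walk nClients and nRanges are outside the hunk, so I cannot confirm they need nothing beyond these bounds.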
@@ -0,0 +1,41 @@ +From 5e7a3a955853218536ba4a7e696360aab0064206 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 20 May 2025 15:18:19 +0200 +Subject: [PATCH xserver 1/2] randr: Check for overflow in + RRChangeProviderProperty() + +A client might send a request causing an integer overflow when computing +the total size to allocate in RRChangeProviderProperty(). + +To avoid the issue, check that total length in bytes won't exceed the +maximum integer value. + +CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 1b0bf563a3a76b06ddcd6fc4d8e72d81f6773699) +--- + randr/rrproviderproperty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index 90c5a9a93..0aa35ad87 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, + + if (mode == PropModeReplace || len > 0) { + void *new_data = NULL, *old_data = NULL; +- ++ if (total_len > MAXINT / size_in_bytes) ++ return BadValue; + total_size = total_len * size_in_bytes; + new_value.data = (void *) malloc(total_size); + if (!new_value.data && total_size) { +-- +2.49.0 + only in patch2: unchanged: --- xorg-server-21.1.7.orig/debian/patches/CVE-2025-49180/0002-xfree86-Check-for-RandR-provider-functions.patch +++ xorg-server-21.1.7/debian/patches/CVE-2025-49180/0002-xfree86-Check-for-RandR-provider-functions.patch 
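Review bot: `if (total_len > MAXINT / size_in_bytes)` divides by `size_in_bytes`, so it is safe only if `format` has already been validated to 8, 16 or 32 before RRChangeProviderProperty reaches this point; that validation is not in the hunk (the function starts outside it), and since this is an exported function that other callers may reach, a `if (size_in_bytes == 0) return BadValue;` ahead of the division would make the guard self-contained. There is no client in scope here, so the BadValue carries whatever errorValue the proc caller last set; a one-line comment noting that callers are expected to set `client->errorValue` would help. Dropping the blank line between the declarations and the new check is a nit, but keeping it makes the block easier to scan.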
@@ -0,0 +1,48 @@ +From 7b8812854e67caf0edb30b38d19efed22e006751 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 14:59:46 +0200 +Subject: [PATCH xserver 2/2] xfree86: Check for RandR provider functions + +Changing XRandR provider properties if the driver has set no provider +function such as the modesetting driver will cause a NULL pointer +dereference and a crash of the Xorg server. + +Related to CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit cdda028b1fb22cca4226b52a8991da36cfe8fffa) +--- + hw/xfree86/modes/xf86RandR12.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c +index 39a38c741..8f97e79aa 100644 +--- a/hw/xfree86/modes/xf86RandR12.c ++++ b/hw/xfree86/modes/xf86RandR12.c +@@ -2142,7 +2142,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen, + /* If we don't have any property handler, then we don't care what the + * user is setting properties to. + */ +- if (config->provider_funcs->set_property == NULL) ++ if (config->provider_funcs == NULL || ++ config->provider_funcs->set_property == NULL) + return TRUE; + + /* +@@ -2160,7 +2161,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen, + ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen); + xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn); + +- if (config->provider_funcs->get_property == NULL) ++ if (config->provider_funcs == NULL || ++ config->provider_funcs->get_property == NULL) + return TRUE; + + /* Should be safe even w/o vtSema */ +-- +2.49.0 +
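Review bot: The NULL check on `config->provider_funcs` is added only to the two property hooks, but the same pointer is presumably dereferenced by the other provider callbacks in xf86RandR12.c (outside the hunk), which would crash the same way for a driver that registers no provider functions; every `config->provider_funcs->` use in the file deserves the same audit, not just the two the reporter hit. A small predicate, `static inline Bool xf86RandRHasProviderFuncs(xf86CrtcConfigPtr config) { return config != NULL && config->provider_funcs != NULL; }`, would let each hook test one condition and would also guard `config` itself, which the visible code does not check. Both hooks return TRUE in the no-functions case, i.e. they report success for a property change no driver will see; that matches the 'don't care' semantics the existing comment describes, but the comment should say it now also covers a missing provider_funcs table.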