Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package xorg-x11-server for openSUSE:Factory
checked in at 2025-06-23 14:55:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xorg-x11-server (Old)
and /work/SRC/openSUSE:Factory/.xorg-x11-server.new.7067 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server"
Mon Jun 23 14:55:56 2025 rev:443 rq:1287668 version:21.1.15
Changes:
--------
--- /work/SRC/openSUSE:Factory/xorg-x11-server/xorg-x11-server.changes
2025-06-18 19:30:34.555132563 +0200
+++
/work/SRC/openSUSE:Factory/.xorg-x11-server.new.7067/xorg-x11-server.changes
2025-06-23 14:56:31.279945405 +0200
@@ -1,0 +2,6 @@
+Sun Jun 22 11:55:17 UTC 2025 - Stefan Dirsch <[email protected]>
+
+- U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch
+ * additional fix for CVE-2025-49176
+
+-------------------------------------------------------------------
New:
----
U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch
----------(New B)----------
New:
- U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch
* additional fix for CVE-2025-49176
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.XqDvYV/_old 2025-06-23 14:56:37.820218915 +0200
+++ /var/tmp/diff_new_pack.XqDvYV/_new 2025-06-23 14:56:37.824219083 +0200
@@ -266,6 +266,7 @@
Patch1244089:
U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
Patch1244090:
U_CVE-2025-49180-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
Patch1244091:
U_CVE-2025-49180-xfree86-Check-for-RandR-provider-functions.patch
+Patch1244092:
U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch
%description
This package contains the X.Org Server.
@@ -444,6 +445,7 @@
%patch -P 1244089 -p1
%patch -P 1244090 -p1
%patch -P 1244091 -p1
+%patch -P 1244092 -p1
%build
# We have some -z now related errors during X default startup (boo#1197994):
++++++
U_CVE-2025-49176-os-Check-for-integer-overflow-on-BigRequest-length.patch ++++++
>From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <[email protected]>
Date: Wed, 18 Jun 2025 08:39:02 +0200
Subject: [PATCH] os: Check for integer overflow on BigRequest length
Check for another possible integer overflow once we get a complete xReq
with BigRequest.
Related to CVE-2025-49176
Signed-off-by: Olivier Fourdan <[email protected]>
Suggested-by: Peter Harris <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
---
os/io.c | 2 ++
1 file changed, 2 insertions(+)
Index: xorg-server-21.1.15/os/io.c
===================================================================
--- xorg-server-21.1.15.orig/os/io.c
+++ xorg-server-21.1.15/os/io.c
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
needed = get_big_req_len(request, client);
}
client->req_len = needed;
+ if (needed > MAXINT >> 2)
+ return -(BadLength);
needed <<= 2;
}
if (gotnow < needed) {
