diff --git a/SOURCES/xorg-CVE-2025-49175.patch b/SOURCES/xorg-CVE-2025-49175.patch deleted file mode 100644 index 04a412b..0000000 --- a/SOURCES/xorg-CVE-2025-49175.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 53e0de91e307870b6790690bd74cf30ac501de50 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 28 Mar 2025 09:43:52 +0100 -Subject: [PATCH xserver] render: Avoid 0 or less animated cursors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Animated cursors use a series of cursors that the client can set. - -By default, the Xserver assumes at least one cursor is specified -while a client may actually pass no cursor at all. - -That causes an out-of-bound read creating the animated cursor and a -crash of the Xserver: - - | Invalid read of size 8 - | at 0x5323F4: AnimCursorCreate (animcur.c:325) - | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) - | by 0x52DC80: ProcRenderDispatch (render.c:1999) - | by 0x4A1E9D: Dispatch (dispatch.c:560) - | by 0x4B0169: dix_main (main.c:284) - | by 0x4287F5: main (stubmain.c:34) - | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd - | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) - | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) - | by 0x52DC80: ProcRenderDispatch (render.c:1999) - | by 0x4A1E9D: Dispatch (dispatch.c:560) - | by 0x4B0169: dix_main (main.c:284) - | by 0x4287F5: main (stubmain.c:34) - | - | Invalid read of size 2 - | at 0x5323F7: AnimCursorCreate (animcur.c:325) - | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) - | by 0x52DC80: ProcRenderDispatch (render.c:1999) - | by 0x4A1E9D: Dispatch (dispatch.c:560) - | by 0x4B0169: dix_main (main.c:284) - | by 0x4287F5: main (stubmain.c:34) - | Address 0x8 is not stack'd, malloc'd or (recently) free'd - -To avoid the issue, check the number of cursors specified and return a -BadValue error in both the proc handler (early) and the animated cursor -creation (as this is a public function) if there is 0 or less cursor. - -CVE-2025-49175 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: José Expósito -(cherry picked from commit 9304e31035f97ddbfcc1d5f3c178da1d04a472ad) ---- - render/animcur.c | 3 +++ - render/render.c | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/render/animcur.c b/render/animcur.c -index ef27bda27..77942d846 100644 ---- a/render/animcur.c -+++ b/render/animcur.c -@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor, - int rc = BadAlloc, i; - AnimCurPtr ac; - -+ if (ncursor <= 0) -+ return BadValue; -+ - for (i = 0; i < screenInfo.numScreens; i++) - if (!GetAnimCurScreen(screenInfo.screens[i])) - return BadImplementation; -diff --git a/render/render.c b/render/render.c -index 5bc2a204b..a8c2da056 100644 ---- a/render/render.c -+++ b/render/render.c -@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client) - ncursor = - (client->req_len - - (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; -+ if (ncursor <= 0) -+ return BadValue; - cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); - if (!cursors) - return BadAlloc; --- -2.49.0 - diff --git a/SOURCES/xorg-CVE-2025-49176-1.patch b/SOURCES/xorg-CVE-2025-49176-1.patch deleted file mode 100644 index 8c6251d..0000000 --- a/SOURCES/xorg-CVE-2025-49176-1.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 57248c57e971bb7cc0ccae6de4c49a49ff13b45c Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 7 Apr 2025 16:13:34 +0200 -Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The BigRequest extension allows request larger than the 16-bit length -limit. - -It uses integers for the request length and checks for the size not to -exceed the maxBigRequestSize limit, but does so after translating the -length to integer by multiplying the given size in bytes by 4. - -In doing so, it might overflow the integer size limit before actually -checking for the overflow, defeating the purpose of the test. - -To avoid the issue, make sure to check that the request size does not -overflow the maxBigRequestSize limit prior to any conversion. - -The caller Dispatch() function however expects the return value to be in -bytes, so we cannot just return the converted value in case of error, as -that would also overflow the integer size. - -To preserve the existing API, we use a negative value for the X11 error -code BadLength as the function only return positive values, 0 or -1 and -update the caller Dispatch() function to take that case into account to -return the error code to the offending client. - -CVE-2025-49176 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: Michel Dänzer -(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa) ---- - dix/dispatch.c | 9 +++++---- - os/io.c | 4 ++++ - 2 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/dix/dispatch.c b/dix/dispatch.c -index 6f4e349e0..15e63e22a 100644 ---- a/dix/dispatch.c -+++ b/dix/dispatch.c -@@ -518,9 +518,10 @@ Dispatch(void) - - /* now, finally, deal with client requests */ - result = ReadRequestFromClient(client); -- if (result <= 0) { -- if (result < 0) -- CloseDownClient(client); -+ if (result == 0) -+ break; -+ else if (result == -1) { -+ CloseDownClient(client); - break; - } - -@@ -541,7 +542,7 @@ Dispatch(void) - client->index, - client->requestBuffer); - #endif -- if (result > (maxBigRequestSize << 2)) -+ if (result < 0 || result > (maxBigRequestSize << 2)) - result = BadLength; - else { - result = XaceHookDispatch(client, client->majorOp); -diff --git a/os/io.c b/os/io.c -index 5b7fac349..5fc05821c 100644 ---- a/os/io.c -+++ b/os/io.c -@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) - needed = get_big_req_len(request, client); - } - client->req_len = needed; -+ if (needed > MAXINT >> 2) { -+ /* Check for potential integer overflow */ -+ return -(BadLength); -+ } - needed <<= 2; /* needed is in bytes now */ - } - if (gotnow < needed) { --- -2.49.0 - diff --git a/SOURCES/xorg-CVE-2025-49176-2.patch b/SOURCES/xorg-CVE-2025-49176-2.patch deleted file mode 100644 index 7bd7f65..0000000 --- a/SOURCES/xorg-CVE-2025-49176-2.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 18 Jun 2025 08:39:02 +0200 -Subject: [PATCH] os: Check for integer overflow on BigRequest length - -Check for another possible integer overflow once we get a complete xReq -with BigRequest. - -Related to CVE-2025-49176 - -Signed-off-by: Olivier Fourdan -Suggested-by: Peter Harris ---- - os/io.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/os/io.c b/os/io.c -index e7b76b9cea..167b40a720 100644 ---- a/os/io.c -+++ b/os/io.c -@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client) - needed = get_big_req_len(request, client); - } - client->req_len = needed; -+ if (needed > MAXINT >> 2) -+ return -(BadLength); - needed <<= 2; - } - if (gotnow < needed) { --- -GitLab - diff --git a/SOURCES/xorg-CVE-2025-49178.patch b/SOURCES/xorg-CVE-2025-49178.patch deleted file mode 100644 index 8e4a5bc..0000000 --- a/SOURCES/xorg-CVE-2025-49178.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 90a13c564e7b9ba5c0d8d92acac80689cd051898 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 28 Apr 2025 10:46:03 +0200 -Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input - buffer - -When reading requests from the clients, the input buffer might be shared -and used between different clients. - -If a given client sends a full request with non-zero bytes to ignore, -the bytes to ignore may still be non-zero even though the request is -full, in which case the buffer could be shared with another client who's -request will not be processed because of those bytes to ignore, leading -to a possible hang of the other client request. - -To avoid the issue, make sure we have zero bytes to ignore left in the -input request when sharing the input buffer with another client. - -CVE-2025-49178 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -(cherry picked from commit b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3) ---- - os/io.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/os/io.c b/os/io.c -index 5fc05821c..26f9161ef 100644 ---- a/os/io.c -+++ b/os/io.c -@@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client) - */ - - gotnow -= needed; -- if (!gotnow) -+ if (!gotnow && !oci->ignoreBytes) - AvailableInput = oc; - if (move_header) { - if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { --- -2.49.0 - diff --git a/SOURCES/xorg-CVE-2025-49179.patch b/SOURCES/xorg-CVE-2025-49179.patch deleted file mode 100644 index 66761ec..0000000 --- a/SOURCES/xorg-CVE-2025-49179.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 9a4f3012ba5752be1634455a3f0c7c125eabb328 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 28 Apr 2025 11:47:15 +0200 -Subject: [PATCH xserver] record: Check for overflow in - RecordSanityCheckRegisterClients() - -The RecordSanityCheckRegisterClients() checks for the request length, -but does not check for integer overflow. - -A client might send a very large value for either the number of clients -or the number of protocol ranges that will cause an integer overflow in -the request length computation, defeating the check for request length. - -To avoid the issue, explicitly check the number of clients against the -limit of clients (which is much lower than an maximum integer value) and -the number of protocol ranges (multiplied by the record length) do not -exceed the maximum integer value. - -This way, we ensure that the final computation for the request length -will not overflow the maximum integer limit. - -CVE-2025-49179 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -(cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00) ---- - record/record.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/record/record.c b/record/record.c -index e123867a7..018e53f81 100644 ---- a/record/record.c -+++ b/record/record.c -@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. - #include "inputstr.h" - #include "eventconvert.h" - #include "scrnintstr.h" -+#include "opaque.h" - - #include - #include -@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, - int i; - XID recordingClient; - -+ /* LimitClients is 2048 at max, way less that MAXINT */ -+ if (stuff->nClients > LimitClients) -+ return BadValue; -+ -+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) -+ return BadValue; -+ - if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != - 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) - return BadLength; --- -2.49.0 - diff --git a/SOURCES/xorg-CVE-2025-49180.patch b/SOURCES/xorg-CVE-2025-49180.patch deleted file mode 100644 index 5aed023..0000000 --- a/SOURCES/xorg-CVE-2025-49180.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 5e7a3a955853218536ba4a7e696360aab0064206 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Tue, 20 May 2025 15:18:19 +0200 -Subject: [PATCH xserver 1/2] randr: Check for overflow in - RRChangeProviderProperty() - -A client might send a request causing an integer overflow when computing -the total size to allocate in RRChangeProviderProperty(). - -To avoid the issue, check that total length in bytes won't exceed the -maximum integer value. - -CVE-2025-49180 - -This issue was discovered by Nils Emmerich and -reported by Julian Suleder via ERNW Vulnerability Disclosure. - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -(cherry picked from commit 1b0bf563a3a76b06ddcd6fc4d8e72d81f6773699) ---- - randr/rrproviderproperty.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c -index 90c5a9a93..0aa35ad87 100644 ---- a/randr/rrproviderproperty.c -+++ b/randr/rrproviderproperty.c -@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, - - if (mode == PropModeReplace || len > 0) { - void *new_data = NULL, *old_data = NULL; -- -+ if (total_len > MAXINT / size_in_bytes) -+ return BadValue; - total_size = total_len * size_in_bytes; - new_value.data = (void *) malloc(total_size); - if (!new_value.data && total_size) { --- -2.49.0 - diff --git a/SOURCES/xorg-CVE-2025-62229.patch b/SOURCES/xorg-CVE-2025-62229.patch new file mode 100644 index 0000000..7b164fa --- /dev/null +++ b/SOURCES/xorg-CVE-2025-62229.patch @@ -0,0 +1,88 @@ +From 4d07b16328bc9c9d4f6c4c1a9a522d64bf09deda Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 2 Jul 2025 09:46:22 +0200 +Subject: [PATCH xserver 1/4] present: Fix use-after-free in + present_create_notifies() + +Using the Present extension, if an error occurs while processing and +adding the notifications after presenting a pixmap, the function +present_create_notifies() will clean up and remove the notifications +it added. + +However, there are two different code paths that can lead to an error +creating the notify, one being before the notify is being added to the +list, and another one after the notify is added. + +When the error occurs before it's been added, it removes the elements up +to the last added element, instead of the actual number of elements +which were added. + +As a result, in case of error, as with an invalid window for example, it +leaves a dangling pointer to the last element, leading to a use after +free case later: + + | Invalid write of size 8 + | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) + | by 0x534A56: present_destroy_window (present_screen.c:107) + | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) + | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) + | by 0x51EAC4: damageDestroyWindow (damage.c:1592) + | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) + | by 0x4EAC55: FreeWindowResources (window.c:1023) + | by 0x4EAF59: DeleteWindow (window.c:1091) + | by 0x4DE59A: doFreeResource (resource.c:890) + | by 0x4DEFB2: FreeClientResources (resource.c:1156) + | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) + | by 0x5DCC78: ClientReady (connection.c:603) + | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd + | at 0x4841E43: free (vg_replace_malloc.c:989) + | by 0x5363DD: present_destroy_notifies (present_notify.c:111) + | by 0x53638D: present_create_notifies (present_notify.c:100) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48463F3: calloc (vg_replace_malloc.c:1675) + | by 0x5362A1: present_create_notifies (present_notify.c:81) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + +To fix the issue, count and remove the actual number of notify elements +added in case of error. + +CVE-2025-62229, ZDI-CAN-27238 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0) + +Part-of: +--- + present/present_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/present/present_notify.c b/present/present_notify.c +index 445954998..00b3b68bd 100644 +--- a/present/present_notify.c ++++ b/present/present_notify.c +@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no + if (status != Success) + goto bail; + +- added = i; ++ added++; + } + return Success; + +-- +2.51.1 + diff --git a/SOURCES/xorg-CVE-2025-62230-1.patch b/SOURCES/xorg-CVE-2025-62230-1.patch new file mode 100644 index 0000000..36e1907 --- /dev/null +++ b/SOURCES/xorg-CVE-2025-62230-1.patch @@ -0,0 +1,59 @@ +From a1d4f04bbd46957af854bea3b23d0dcb31b38afd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:55:06 +0200 +Subject: [PATCH xserver 2/4] xkb: Make the RT_XKBCLIENT resource private +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently, the resource in only available to the xkb.c source file. + +In preparation for the next commit, to be able to free the resources +from XkbRemoveResourceClient(), make that variable private instead. + +This is related to: + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f) + +Part-of: +--- + include/xkbsrv.h | 2 ++ + xkb/xkb.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/xkbsrv.h b/include/xkbsrv.h +index bd747856b..d801cd4b8 100644 +--- a/include/xkbsrv.h ++++ b/include/xkbsrv.h +@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include "inputstr.h" + #include "events.h" + ++extern RESTYPE RT_XKBCLIENT; ++ + typedef struct _XkbInterest { + DeviceIntPtr dev; + ClientPtr client; +diff --git a/xkb/xkb.c b/xkb/xkb.c +index ac154e200..6c102af0a 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -50,7 +50,7 @@ int XkbKeyboardErrorCode; + CARD32 xkbDebugFlags = 0; + static CARD32 xkbDebugCtrls = 0; + +-static RESTYPE RT_XKBCLIENT; ++RESTYPE RT_XKBCLIENT = 0; + + /***====================================================================***/ + +-- +2.51.1 + diff --git a/SOURCES/xorg-CVE-2025-62230-2.patch b/SOURCES/xorg-CVE-2025-62230-2.patch new file mode 100644 index 0000000..876c987 --- /dev/null +++ b/SOURCES/xorg-CVE-2025-62230-2.patch @@ -0,0 +1,89 @@ +From 1abca0b9b5b019cda32aa92466a760660ebd952d Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:58:57 +0200 +Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing + XkbInterest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +XkbRemoveResourceClient() would free the XkbInterest data associated +with the device, but not the resource associated with it. + +As a result, when the client terminates, the resource delete function +gets called and accesses already freed memory: + + | Invalid read of size 8 + | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) + | by 0x5B3391: XkbClientGone (xkb.c:7094) + | by 0x4DF138: doFreeResource (resource.c:890) + | by 0x4DFB50: FreeClientResources (resource.c:1156) + | by 0x4A9A59: CloseDownClient (dispatch.c:3550) + | by 0x5E0A53: ClientReady (connection.c:601) + | by 0x5E4FEF: ospoll_wait (ospoll.c:657) + | by 0x5DC834: WaitForSomething (WaitFor.c:206) + | by 0x4A1BA5: Dispatch (dispatch.c:491) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd + | at 0x4842E43: free (vg_replace_malloc.c:989) + | by 0x49C1A6: CloseDevice (devices.c:1067) + | by 0x49C522: CloseOneDevice (devices.c:1193) + | by 0x49C6E4: RemoveDevice (devices.c:1244) + | by 0x5873D4: remove_master (xichangehierarchy.c:348) + | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) + | by 0x579BF1: ProcIDispatch (extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48473F3: calloc (vg_replace_malloc.c:1675) + | by 0x49A118: AddInputDevice (devices.c:262) + | by 0x4A0E58: AllocDevicePair (devices.c:2846) + | by 0x5866EE: add_master (xichangehierarchy.c:153) + | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) + | by 0x579BF1: ProcIDispatch (extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + +To avoid that issue, make sure to free the resources when freeing the +device XkbInterest data. + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be) + +Part-of: +--- + xkb/xkbEvents.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c +index f8f65d4a7..7c669c93e 100644 +--- a/xkb/xkbEvents.c ++++ b/xkb/xkbEvents.c +@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = interest->autoCtrls; + autoValues = interest->autoCtrlValues; + client = interest->client; ++ FreeResource(interest->resource, RT_XKBCLIENT); + free(interest); + found = TRUE; + } +@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = victim->autoCtrls; + autoValues = victim->autoCtrlValues; + client = victim->client; ++ FreeResource(victim->resource, RT_XKBCLIENT); + free(victim); + found = TRUE; + } +-- +2.51.1 + diff --git a/SOURCES/xorg-CVE-2025-62231.patch b/SOURCES/xorg-CVE-2025-62231.patch new file mode 100644 index 0000000..1fa65d0 --- /dev/null +++ b/SOURCES/xorg-CVE-2025-62231.patch @@ -0,0 +1,49 @@ +From c7beaec76c556870e5566b84dce7099bf28f9502 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 16:30:29 +0200 +Subject: [PATCH xserver 4/4] xkb: Prevent overflow in XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The XkbCompatMap structure stores its "num_si" and "size_si" fields +using an unsigned short. + +However, the function _XkbSetCompatMap() will store the sum of the +input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and +"size_si" without first checking if the sum overflows the maximum +unsigned short value, leading to a possible overflow. + +To avoid the issue, check whether the sum does not exceed the maximum +unsigned short value, or return a "BadValue" error otherwise. + +CVE-2025-62231, ZDI-CAN-27560 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470) + +Part-of: +--- + xkb/xkb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 6c102af0a..a77fe7ff0 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2990,6 +2990,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + ++ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX) ++ return BadValue; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +-- +2.51.1 + diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index 9d6855f..a78ec36 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.15.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -55,12 +55,13 @@ Patch209: xorg-CVE-2025-26601.patch Patch210: xorg-CVE-2025-26601-2.patch Patch211: xorg-CVE-2025-26601-3.patch Patch212: xorg-CVE-2025-26601-4.patch -Patch213: xorg-CVE-2025-49175.patch -Patch214: xorg-CVE-2025-49176-1.patch -Patch215: xorg-CVE-2025-49176-2.patch -Patch216: xorg-CVE-2025-49178.patch -Patch217: xorg-CVE-2025-49179.patch -Patch218: xorg-CVE-2025-49180.patch +# CVE-2025-62229: Use-after-free in XPresentNotify structures creation +Patch213: xorg-CVE-2025-62229.patch +# CVE-2025-62230: Use-after-free in Xkb client resource removal +Patch214: xorg-CVE-2025-62230-1.patch +Patch215: xorg-CVE-2025-62230-2.patch +# CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap() +Patch216: xorg-CVE-2025-62231.patch BuildRequires: make BuildRequires: gcc-c++ @@ -236,12 +237,10 @@ cat ../xserver120.patch | patch -p1 %patch -P210 -p1 -b .xorg-CVE-2025-26601-2 %patch -P211 -p1 -b .xorg-CVE-2025-26601-3 %patch -P212 -p1 -b .xorg-CVE-2025-26601-4 -%patch -P213 -p1 -b .xorg-CVE-2025-49175 -%patch -P214 -p1 -b .xorg-CVE-2025-49176-1 -%patch -P215 -p1 -b .xorg-CVE-2025-49176-2 -%patch -P216 -p1 -b .xorg-CVE-2025-49178 -%patch -P217 -p1 -b .xorg-CVE-2025-49179 -%patch -P218 -p1 -b .xorg-CVE-2025-49180 +%patch -P213 -p1 -b .xorg-CVE-2025-62229 +%patch -P214 -p1 -b .xorg-CVE-2025-62230-1 +%patch -P215 -p1 -b .xorg-CVE-2025-62230-2 +%patch -P216 -p1 -b .xorg-CVE-2025-62231 popd %patch -P1 -p1 -b .use-gnome-as-default-session @@ -409,6 +408,16 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Fri Oct 31 2025 Jan Grulich - 1.15.0-8 +- Fix CVE-2025-62229: xorg-x11-server: Use-after-free in XPresentNotify structures creation + Resolves: RHEL-119979 + +- Fix CVE-2025-62230: xorg-x11-server: Use-after-free in Xkb client resource removal + Resolves: RHEL-120001 + +- Fix CVE-2025-62231: xorg-x11-server: Value overflow in Xkb extension XkbSetCompatMap() + Resolves: RHEL-120762 + * Wed Jun 18 2025 Jan Grulich - 1.15.0-7 - Additional fix to CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension Resolves: RHEL-97294