From 8996d74184d0ce7376b7d3950287c750ed85ff65 Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Wed, 18 Jun 2025 16:00:45 +0200 Subject: [PATCH] Additional fix to CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension Resolves: RHEL-97294 --- tigervnc.spec | 24 ++++++++------ ...49176.patch => xorg-CVE-2025-49176-1.patch | 0 xorg-CVE-2025-49176-2.patch | 32 +++++++++++++++++++ 3 files changed, 47 insertions(+), 9 deletions(-) rename xorg-CVE-2025-49176.patch => xorg-CVE-2025-49176-1.patch (100%) create mode 100644 xorg-CVE-2025-49176-2.patch diff --git a/tigervnc.spec b/tigervnc.spec index 10aedaa..9d6855f 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.15.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -56,10 +56,11 @@ Patch210: xorg-CVE-2025-26601-2.patch Patch211: xorg-CVE-2025-26601-3.patch Patch212: xorg-CVE-2025-26601-4.patch Patch213: xorg-CVE-2025-49175.patch -Patch214: xorg-CVE-2025-49176.patch -Patch215: xorg-CVE-2025-49178.patch -Patch216: xorg-CVE-2025-49179.patch -Patch217: xorg-CVE-2025-49180.patch +Patch214: xorg-CVE-2025-49176-1.patch +Patch215: xorg-CVE-2025-49176-2.patch +Patch216: xorg-CVE-2025-49178.patch +Patch217: xorg-CVE-2025-49179.patch +Patch218: xorg-CVE-2025-49180.patch BuildRequires: make BuildRequires: gcc-c++ 
@@ -236,10 +237,11 @@ cat ../xserver120.patch | patch -p1 %patch -P211 -p1 -b .xorg-CVE-2025-26601-3 %patch -P212 -p1 -b .xorg-CVE-2025-26601-4 %patch -P213 -p1 -b .xorg-CVE-2025-49175 -%patch -P214 -p1 -b .xorg-CVE-2025-49176 -%patch -P215 -p1 -b .xorg-CVE-2025-49178 -%patch -P216 -p1 -b .xorg-CVE-2025-49179 -%patch -P217 -p1 -b .xorg-CVE-2025-49180 +%patch -P214 -p1 -b .xorg-CVE-2025-49176-1 +%patch -P215 -p1 -b .xorg-CVE-2025-49176-2 +%patch -P216 -p1 -b .xorg-CVE-2025-49178 +%patch -P217 -p1 -b .xorg-CVE-2025-49179 +%patch -P218 -p1 -b .xorg-CVE-2025-49180 popd %patch -P1 -p1 -b .use-gnome-as-default-session @@ -407,6 +409,10 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Wed Jun 18 2025 Jan Grulich - 1.15.0-7 +- Additional fix to CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension + Resolves: RHEL-97294 + * Tue Jun 17 2025 Jan Grulich - 1.15.0-6 - Fix CVE-2025-49175: xorg-x11-server: Out-of-Bounds Read in X Rendering Extension Animated Cursors Resolves: RHEL-97268 diff --git a/xorg-CVE-2025-49176.patch b/xorg-CVE-2025-49176-1.patch similarity index 100% rename from xorg-CVE-2025-49176.patch rename to xorg-CVE-2025-49176-1.patch diff --git a/xorg-CVE-2025-49176-2.patch b/xorg-CVE-2025-49176-2.patch new file mode 100644 index 0000000..7bd7f65 --- /dev/null +++ b/xorg-CVE-2025-49176-2.patch 
@@ -0,0 +1,32 @@
+From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan
+Suggested-by: Peter Harris
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index e7b76b9cea..167b40a720 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
+--
+GitLab
+
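Review bot: In the os/io.c hunk carried by this new patch file, `client->req_len = needed;` still runs before the added `if (needed > MAXINT >> 2)` guard, so when the function returns `-(BadLength)` the client record keeps the length that was just rejected. Whether anything reads `req_len` after a negative return is not visible here, because ReadRequestFromClient starts and ends outside the hunk; putting the guard first, `if (needed > MAXINT >> 2) return -(BadLength);` followed by `client->req_len = needed;`, would remove the question. The guard would also benefit from a short comment such as `/* needed counts 4-byte units here; refuse lengths whose byte size (needed << 2) would not fit in MAXINT */`, since the unit change is only implied by the shift that follows. Because the spec describes this as an additional fix to CVE-2025-49176, builds at release 6 presumably carry only the first part of the fix and should be treated as still needing this update.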