rpms/tigervnc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2025-62229: xorg-x11-server: Use-after-free in XPresentNotify structures creation

Browse Source 
Resolves: RHEL-119989

Fix CVE-2025-62230: xorg-x11-server: Use-after-free in Xkb client resource removal
Resolves: RHEL-120009

Fix CVE-2025-62231: xorg-x11-server: Value overflow in Xkb extension XkbSetCompatMap()
Resolves: RHEL-120770
This commit is contained in:
Jan Grulich 2025-10-31 10:06:59 +01:00
parent 8e02c2f3a3
commit d815f4c4c9
5 changed files with 296 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
tigervnc.spec
View File

@ -5,7 +5,7 @@
Name: tigervnc
Version: 1.15.0
Release: 5%{?dist}
Release: 7%{?dist}
Summary: A TigerVNC remote display system
%global _hardened_build 1
@ -398,6 +398,16 @@ fi
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog
* Fri Oct 31 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-7
- Fix CVE-2025-62229: xorg-x11-server: Use-after-free in XPresentNotify structures creation
Resolves: RHEL-119989
- Fix CVE-2025-62230: xorg-x11-server: Use-after-free in Xkb client resource removal
Resolves: RHEL-120009
- Fix CVE-2025-62231: xorg-x11-server: Value overflow in Xkb extension XkbSetCompatMap()
Resolves: RHEL-120770
* Mon Jun 23 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-5
- Fix CVE-2025-49175: xorg-x11-server: Out-of-Bounds Read in X Rendering Extension Animated Cursors
Resolves: RHEL-97284

88
xorg-CVE-2025-62229.patch Normal file
View File

@ -0,0 +1,88 @@
From 4d07b16328bc9c9d4f6c4c1a9a522d64bf09deda Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 2 Jul 2025 09:46:22 +0200
Subject: [PATCH xserver 1/4] present: Fix use-after-free in
present_create_notifies()
Using the Present extension, if an error occurs while processing and
adding the notifications after presenting a pixmap, the function
present_create_notifies() will clean up and remove the notifications
it added.
However, there are two different code paths that can lead to an error
creating the notify, one being before the notify is being added to the
list, and another one after the notify is added.
When the error occurs before it's been added, it removes the elements up
to the last added element, instead of the actual number of elements
which were added.
As a result, in case of error, as with an invalid window for example, it
leaves a dangling pointer to the last element, leading to a use after
free case later:
| Invalid write of size 8
| at 0x5361D5: present_clear_window_notifies (present_notify.c:42)
| by 0x534A56: present_destroy_window (present_screen.c:107)
| by 0x41E441: xwl_destroy_window (xwayland-window.c:1959)
| by 0x4F9EC9: compDestroyWindow (compwindow.c:622)
| by 0x51EAC4: damageDestroyWindow (damage.c:1592)
| by 0x4FDC29: DbeDestroyWindow (dbe.c:1291)
| by 0x4EAC55: FreeWindowResources (window.c:1023)
| by 0x4EAF59: DeleteWindow (window.c:1091)
| by 0x4DE59A: doFreeResource (resource.c:890)
| by 0x4DEFB2: FreeClientResources (resource.c:1156)
| by 0x4A9AFB: CloseDownClient (dispatch.c:3567)
| by 0x5DCC78: ClientReady (connection.c:603)
| Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd
| at 0x4841E43: free (vg_replace_malloc.c:989)
| by 0x5363DD: present_destroy_notifies (present_notify.c:111)
| by 0x53638D: present_create_notifies (present_notify.c:100)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48463F3: calloc (vg_replace_malloc.c:1675)
| by 0x5362A1: present_create_notifies (present_notify.c:81)
| by 0x5368E9: proc_present_pixmap_common (present_request.c:164)
| by 0x536A7D: proc_present_pixmap (present_request.c:189)
| by 0x536FA9: proc_present_dispatch (present_request.c:337)
| by 0x4A1E4E: Dispatch (dispatch.c:561)
| by 0x4B00F1: dix_main (main.c:284)
| by 0x42879D: main (stubmain.c:34)
To fix the issue, count and remove the actual number of notify elements
added in case of error.
CVE-2025-62229, ZDI-CAN-27238
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
present/present_notify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/present/present_notify.c b/present/present_notify.c
index 445954998..00b3b68bd 100644
--- a/present/present_notify.c
+++ b/present/present_notify.c
@@ -90,7 +90,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
if (status != Success)
goto bail;
- added = i;
+ added++;
}
return Success;
--
2.51.1

59
xorg-CVE-2025-62230-1.patch Normal file
View File

@ -0,0 +1,59 @@
From a1d4f04bbd46957af854bea3b23d0dcb31b38afd Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 15:55:06 +0200
Subject: [PATCH xserver 2/4] xkb: Make the RT_XKBCLIENT resource private
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently, the resource in only available to the xkb.c source file.
In preparation for the next commit, to be able to free the resources
from XkbRemoveResourceClient(), make that variable private instead.
This is related to:
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
include/xkbsrv.h | 2 ++
xkb/xkb.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/xkbsrv.h b/include/xkbsrv.h
index bd747856b..d801cd4b8 100644
--- a/include/xkbsrv.h
+++ b/include/xkbsrv.h
@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include "inputstr.h"
#include "events.h"
+extern RESTYPE RT_XKBCLIENT;
+
typedef struct _XkbInterest {
DeviceIntPtr dev;
ClientPtr client;
diff --git a/xkb/xkb.c b/xkb/xkb.c
index ac154e200..6c102af0a 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -50,7 +50,7 @@ int XkbKeyboardErrorCode;
CARD32 xkbDebugFlags = 0;
static CARD32 xkbDebugCtrls = 0;
-static RESTYPE RT_XKBCLIENT;
+RESTYPE RT_XKBCLIENT = 0;
/***====================================================================***/
--
2.51.1

89
xorg-CVE-2025-62230-2.patch Normal file
View File

@ -0,0 +1,89 @@
From 1abca0b9b5b019cda32aa92466a760660ebd952d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 15:58:57 +0200
Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing
XkbInterest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
XkbRemoveResourceClient() would free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
gets called and accesses already freed memory:
| Invalid read of size 8
| at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
| by 0x5B3391: XkbClientGone (xkb.c:7094)
| by 0x4DF138: doFreeResource (resource.c:890)
| by 0x4DFB50: FreeClientResources (resource.c:1156)
| by 0x4A9A59: CloseDownClient (dispatch.c:3550)
| by 0x5E0A53: ClientReady (connection.c:601)
| by 0x5E4FEF: ospoll_wait (ospoll.c:657)
| by 0x5DC834: WaitForSomething (WaitFor.c:206)
| by 0x4A1BA5: Dispatch (dispatch.c:491)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
| at 0x4842E43: free (vg_replace_malloc.c:989)
| by 0x49C1A6: CloseDevice (devices.c:1067)
| by 0x49C522: CloseOneDevice (devices.c:1193)
| by 0x49C6E4: RemoveDevice (devices.c:1244)
| by 0x5873D4: remove_master (xichangehierarchy.c:348)
| by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
| Block was alloc'd at
| at 0x48473F3: calloc (vg_replace_malloc.c:1675)
| by 0x49A118: AddInputDevice (devices.c:262)
| by 0x4A0E58: AllocDevicePair (devices.c:2846)
| by 0x5866EE: add_master (xichangehierarchy.c:153)
| by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
| by 0x579BF1: ProcIDispatch (extinit.c:390)
| by 0x4A1D85: Dispatch (dispatch.c:551)
| by 0x4B0070: dix_main (main.c:277)
| by 0x4285E7: main (stubmain.c:34)
To avoid that issue, make sure to free the resources when freeing the
device XkbInterest data.
CVE-2025-62230, ZDI-CAN-27545
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
xkb/xkbEvents.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
index f8f65d4a7..7c669c93e 100644
--- a/xkb/xkbEvents.c
+++ b/xkb/xkbEvents.c
@@ -1055,6 +1055,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
autoCtrls = interest->autoCtrls;
autoValues = interest->autoCtrlValues;
client = interest->client;
+ FreeResource(interest->resource, RT_XKBCLIENT);
free(interest);
found = TRUE;
}
@@ -1066,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
autoCtrls = victim->autoCtrls;
autoValues = victim->autoCtrlValues;
client = victim->client;
+ FreeResource(victim->resource, RT_XKBCLIENT);
free(victim);
found = TRUE;
}
--
2.51.1

49
xorg-CVE-2025-62231.patch Normal file
View File

@ -0,0 +1,49 @@
From c7beaec76c556870e5566b84dce7099bf28f9502 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 10 Sep 2025 16:30:29 +0200
Subject: [PATCH xserver 4/4] xkb: Prevent overflow in XkbSetCompatMap()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2088>
---
xkb/xkb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 6c102af0a..a77fe7ff0 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -2990,6 +2990,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
XkbSymInterpretPtr sym;
unsigned int skipped = 0;
+ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX)
+ return BadValue;
if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
compat->num_si = compat->size_si = req->firstSI + req->nSI;
compat->sym_interpret = reallocarray(compat->sym_interpret,
--
2.51.1