16 changed files with 2 additions and 927 deletions
--- a/SOURCES/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
+++ b/SOURCES/0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
@ -1,45 +0,0 @@
 From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Fri, 22 Mar 2024 18:51:45 -0700
 Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length
 to send reply
 CVE-2024-31080
 Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
 Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
 ---
 Xi/xiselectev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
 index edcb8a0d3..ac1494987 100644
 --- a/Xi/xiselectev.c
 +++ b/Xi/xiselectev.c
@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
     InputClientsPtr others = NULL;
     xXIEventMask *evmask = NULL;
     DeviceIntPtr dev;
 +    uint32_t length;
     REQUEST(xXIGetSelectedEventsReq);
     REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
         }
     }
 +    /* save the value before SRepXIGetSelectedEvents swaps it */
 +    length = reply.length;
     WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
     if (reply.num_masks)
 -        WriteToClient(client, reply.length * 4, buffer);
 +        WriteToClient(client, length * 4, buffer);
     free(buffer);
     return Success;
 -- 
 2.44.0
--- a/SOURCES/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
+++ b/SOURCES/0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
@ -1,33 +0,0 @@
 From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Mon, 22 Jan 2024 14:22:12 +1000
 Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
 event
 Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
 ---
 dix/enterleave.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/dix/enterleave.c b/dix/enterleave.c
 index 7b7ba1098..c1e6ac600 100644
 --- a/dix/enterleave.c
 +++ b/dix/enterleave.c
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
     ev->first_valuator = first;
     switch (ev->num_valuators) {
     case 6:
 -        ev->valuator2 = v->axisVal[first + 5];
 +        ev->valuator5 = v->axisVal[first + 5];
     case 5:
 -        ev->valuator2 = v->axisVal[first + 4];
 +        ev->valuator4 = v->axisVal[first + 4];
     case 4:
 -        ev->valuator2 = v->axisVal[first + 3];
 +        ev->valuator3 = v->axisVal[first + 3];
     case 3:
         ev->valuator2 = v->axisVal[first + 2];
     case 2:
 -- 
 2.44.0
--- a/SOURCES/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
+++ b/SOURCES/0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
@ -1,54 +0,0 @@
 From e89edec497bac581ca9b614fb00c25365580f045 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
 Date: Fri, 19 Jan 2024 13:05:51 +0100
 Subject: [PATCH] ephyr: Fix incompatible pointer type build error
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Fix a compilation error on 32 bits architectures with gcc 14:
  ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
  ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int,  void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32,  void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int,  void *)’} [-Wincompatible-pointer-types]
    154 |     adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
        |                               ^
  ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom,  INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int,  long int *, void *)’} [-Wincompatible-pointer-types]
    155 |     adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
        |                               ^
 Build error logs:
 https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
 Signed-off-by: José Expósito <jexposit@redhat.com>
 ---
 hw/kdrive/ephyr/ephyr_glamor_xv.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/hw/kdrive/ephyr/ephyr_glamor_xv.c b/hw/kdrive/ephyr/ephyr_glamor_xv.c
 index 4dd15cf41..b5eae48c8 100644
 --- a/hw/kdrive/ephyr/ephyr_glamor_xv.c
 +++ b/hw/kdrive/ephyr/ephyr_glamor_xv.c
@@ -50,16 +50,16 @@ ephyr_glamor_xv_stop_video(KdScreenInfo *screen, void *data, Bool cleanup)
 static int
 ephyr_glamor_xv_set_port_attribute(KdScreenInfo *screen,
 -                                   Atom attribute, INT32 value, void *data)
 +                                   Atom attribute, int value, void *data)
 {
 -    return glamor_xv_set_port_attribute(data, attribute, value);
 +    return glamor_xv_set_port_attribute(data, attribute, (INT32)value);
 }
 static int
 ephyr_glamor_xv_get_port_attribute(KdScreenInfo *screen,
 -                                   Atom attribute, INT32 *value, void *data)
 +                                   Atom attribute, int *value, void *data)
 {
 -    return glamor_xv_get_port_attribute(data, attribute, value);
 +    return glamor_xv_get_port_attribute(data, attribute, (INT32 *)value);
 }
 static void
 -- 
 2.43.0
--- a/SOURCES/0001-render-Avoid-0-or-less-animated-cursors.patch
+++ b/SOURCES/0001-render-Avoid-0-or-less-animated-cursors.patch
@ -1,89 +0,0 @@
 From 4c8e10312a721aa2f36048388284a2fd4ad97043 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Fri, 28 Mar 2025 09:43:52 +0100
 Subject: [PATCH xserver 1/7] render: Avoid 0 or less animated cursors
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Animated cursors use a series of cursors that the client can set.
 By default, the Xserver assumes at least one cursor is specified
 while a client may actually pass no cursor at all.
 That causes an out-of-bound read creating the animated cursor and a
 crash of the Xserver:
 | Invalid read of size 8
 |    at 0x5323F4: AnimCursorCreate (animcur.c:325)
 |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
 |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
 |    by 0x4A1E9D: Dispatch (dispatch.c:560)
 |    by 0x4B0169: dix_main (main.c:284)
 |    by 0x4287F5: main (stubmain.c:34)
 |  Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
 |    at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
 |    by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
 |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
 |    by 0x4A1E9D: Dispatch (dispatch.c:560)
 |    by 0x4B0169: dix_main (main.c:284)
 |    by 0x4287F5: main (stubmain.c:34)
 |
 | Invalid read of size 2
 |    at 0x5323F7: AnimCursorCreate (animcur.c:325)
 |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
 |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
 |    by 0x4A1E9D: Dispatch (dispatch.c:560)
 |    by 0x4B0169: dix_main (main.c:284)
 |    by 0x4287F5: main (stubmain.c:34)
 |  Address 0x8 is not stack'd, malloc'd or (recently) free'd
 To avoid the issue, check the number of cursors specified and return a
 BadValue error in both the proc handler (early) and the animated cursor
 creation (as this is a public function) if there is 0 or less cursor.
 CVE-2025-49175
 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
 reported by Julian Suleder via ERNW Vulnerability Disclosure.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Reviewed-by: José Expósito <jexposit@redhat.com>
 (cherry picked from commit 0885e0b26225c90534642fe911632ec0779eebee)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
 ---
 render/animcur.c | 3 +++
 render/render.c  | 2 ++
 2 files changed, 5 insertions(+)
 diff --git a/render/animcur.c b/render/animcur.c
 index ef27bda27..77942d846 100644
 --- a/render/animcur.c
 +++ b/render/animcur.c
@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
     int rc = BadAlloc, i;
     AnimCurPtr ac;
 +    if (ncursor <= 0)
 +        return BadValue;
 +
     for (i = 0; i < screenInfo.numScreens; i++)
         if (!GetAnimCurScreen(screenInfo.screens[i]))
             return BadImplementation;
 diff --git a/render/render.c b/render/render.c
 index 456f156d4..e9bbac62d 100644
 --- a/render/render.c
 +++ b/render/render.c
@@ -1788,6 +1788,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
     ncursor =
         (client->req_len -
          (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
 +    if (ncursor <= 0)
 +        return BadValue;
     cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
     if (!cursors)
         return BadAlloc;
 -- 
 2.49.0
--- a/SOURCES/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
+++ b/SOURCES/0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
@ -1,72 +0,0 @@
 From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Fri, 5 Apr 2024 15:24:49 +0200
 Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
 ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
 then frees it using FreeGlyph() to decrease the reference count, after
 AddGlyph() has increased it.
 AddGlyph() however may chose to reuse an existing glyph if it's already
 in the glyphSet, and free the glyph that was given, in which case the
 caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
 already freed glyph, as reported by ASan:
  READ of size 4 thread T0
    #0 in FreeGlyph xserver/render/glyph.c:252
    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
    #2 in Dispatch xserver/dix/dispatch.c:546
    #3 in dix_main xserver/dix/main.c:271
    #4 in main xserver/dix/stubmain.c:34
    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 in __libc_start_main_impl ../csu/libc-start.c:360
    #7  (/usr/bin/Xwayland+0x44fe4)
  Address is located 0 bytes inside of 64-byte region
  freed by thread T0 here:
    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
    #2 in AddGlyph xserver/render/glyph.c:295
    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
    #4 in Dispatch xserver/dix/dispatch.c:546
    #5 in dix_main xserver/dix/main.c:271
    #6 in main xserver/dix/stubmain.c:34
    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  previously allocated by thread T0 here:
    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 in AllocateGlyph xserver/render/glyph.c:355
    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
    #3 in Dispatch xserver/dix/dispatch.c:546
    #4 in dix_main xserver/dix/main.c:271
    #5 in main xserver/dix/stubmain.c:34
    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
 To avoid that, make sure not to free the given glyph in AddGlyph().
 v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
 v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
 Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
 Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
 ---
 render/glyph.c | 2 --
 1 file changed, 2 deletions(-)
 diff --git a/render/glyph.c b/render/glyph.c
 index 13991f8a1..5fa7f3b5b 100644
 --- a/render/glyph.c
 +++ b/render/glyph.c
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
                       TRUE, glyph->sha1);
     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
 -        FreeGlyphPicture(glyph);
 -        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
         glyph = gr->glyph;
     }
     else if (gr->glyph != glyph) {
 -- 
 2.44.0
--- a/SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
+++ b/SOURCES/0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
@ -1,54 +0,0 @@
 From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
 From: Matthieu Herrb <matthieu@herrb.eu>
 Date: Thu, 10 Oct 2024 10:37:28 +0200
 Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
 buffer.
 However, It didn't update its size properly. It updated `num_si` only,
 without updating `size_si`.
 This may lead to local privilege escalation if the server is run as root
 or remote code execution (e.g. x11 over ssh).
 CVE-2024-9632, ZDI-CAN-24756
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
 Reviewed-by: José Expósito <jexposit@redhat.com>
 ---
 xkb/xkb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/xkb/xkb.c b/xkb/xkb.c
 index f203270d5..70e8279aa 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
         XkbSymInterpretPtr sym;
         unsigned int skipped = 0;
 -        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
 -            compat->num_si = req->firstSI + req->nSI;
 +        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
 +            compat->num_si = compat->size_si = req->firstSI + req->nSI;
             compat->sym_interpret = reallocarray(compat->sym_interpret,
 -                                                 compat->num_si,
 +                                                 compat->size_si,
                                                  sizeof(XkbSymInterpretRec));
             if (!compat->sym_interpret) {
 -                compat->num_si = 0;
 +                compat->num_si = compat->size_si = 0;
                 return BadAlloc;
             }
         }
 -- 
 2.46.2
--- a/SOURCES/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
+++ b/SOURCES/0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
@ -1,43 +0,0 @@
 From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Fri, 22 Mar 2024 18:56:27 -0700
 Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length
 to send reply
 CVE-2024-31081
 Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
 ---
 Xi/xipassivegrab.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
 index c9ac2f855..896233bec 100644
 --- a/Xi/xipassivegrab.c
 +++ b/Xi/xipassivegrab.c
@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
     GrabParameters param;
     void *tmp;
     int mask_len;
 +    uint32_t length;
     REQUEST(xXIPassiveGrabDeviceReq);
     REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
         }
     }
 +    /* save the value before SRepXIPassiveGrabDevice swaps it */
 +    length = rep.length;
     WriteReplyToClient(client, sizeof(rep), &rep);
     if (rep.num_modifiers)
 -        WriteToClient(client, rep.length * 4, modifiers_failed);
 +        WriteToClient(client, length * 4, modifiers_failed);
  out:
     free(modifiers_failed);
 -- 
 2.44.0
--- a/SOURCES/0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
+++ b/SOURCES/0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
@ -1,91 +0,0 @@
 From a99c927aec4563101f574d0a65cd451dcdd7e012 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Mon, 7 Apr 2025 16:13:34 +0200
 Subject: [PATCH xserver 2/7] os: Do not overflow the integer size with
 BigRequest
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The BigRequest extension allows requests larger than the 16-bit length
 limit.
 It uses integers for the request length and checks for the size not to
 exceed the maxBigRequestSize limit, but does so after translating the
 length to integer by multiplying the given size in bytes by 4.
 In doing so, it might overflow the integer size limit before actually
 checking for the overflow, defeating the purpose of the test.
 To avoid the issue, make sure to check that the request size does not
 overflow the maxBigRequestSize limit prior to any conversion.
 The caller Dispatch() function however expects the return value to be in
 bytes, so we cannot just return the converted value in case of error, as
 that would also overflow the integer size.
 To preserve the existing API, we use a negative value for the X11 error
 code BadLength as the function only return positive values, 0 or -1 and
 update the caller Dispatch() function to take that case into account to
 return the error code to the offending client.
 CVE-2025-49176
 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
 reported by Julian Suleder via ERNW Vulnerability Disclosure.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
 (cherry picked from commit 03731b326a80b582e48d939fe62cb1e2b10400d9)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
 ---
 dix/dispatch.c | 9 +++++----
 os/io.c        | 4 ++++
 2 files changed, 9 insertions(+), 4 deletions(-)
 diff --git a/dix/dispatch.c b/dix/dispatch.c
 index a33bfaa9e..14ccdc57a 100644
 --- a/dix/dispatch.c
 +++ b/dix/dispatch.c
@@ -447,9 +447,10 @@ Dispatch(void)
                 /* now, finally, deal with client requests */
                 result = ReadRequestFromClient(client);
 -                if (result <= 0) {
 -                    if (result < 0)
 -                        CloseDownClient(client);
 +                if (result == 0)
 +                    break;
 +                else if (result == -1) {
 +                    CloseDownClient(client);
                     break;
                 }
@@ -470,7 +471,7 @@ Dispatch(void)
                                           client->index,
                                           client->requestBuffer);
 #endif
 -                if (result > (maxBigRequestSize << 2))
 +                if (result < 0 || result > (maxBigRequestSize << 2))
                     result = BadLength;
                 else {
                     result = XaceHookDispatch(client, client->majorOp);
 diff --git a/os/io.c b/os/io.c
 index 939f51743..a05300869 100644
 --- a/os/io.c
 +++ b/os/io.c
@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
                 needed = get_big_req_len(request, client);
         }
         client->req_len = needed;
 +        if (needed > MAXINT >> 2) {
 +            /* Check for potential integer overflow */
 +            return -(BadLength);
 +        }
         needed <<= 2;           /* needed is in bytes now */
     }
     if (gotnow < needed) {
 -- 
 2.49.0
--- a/SOURCES/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
+++ b/SOURCES/0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
@ -1,47 +0,0 @@
 From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Fri, 22 Mar 2024 19:07:34 -0700
 Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
 length to send reply
 CVE-2024-31082
 Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
 ---
 hw/xquartz/xpr/appledri.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
 index 77574655b..40422b61a 100644
 --- a/hw/xquartz/xpr/appledri.c
 +++ b/hw/xquartz/xpr/appledri.c
@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
     xAppleDRICreatePixmapReply rep;
     int width, height, pitch, bpp;
     void *ptr;
 +    CARD32 stringLength;
     REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
     if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
         ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
 +    stringLength = rep.stringLength;  /* save unswapped value */
     if (client->swapped) {
         swaps(&rep.sequenceNumber);
         swapl(&rep.length);
@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
     }
     WriteToClient(client, sizeof(rep), &rep);
 -    WriteToClient(client, rep.stringLength, path);
 +    WriteToClient(client, stringLength, path);
     return Success;
 }
 -- 
 2.44.0
--- a/SOURCES/0003-os-Check-for-integer-overflow-on-BigRequest-length.patch
+++ b/SOURCES/0003-os-Check-for-integer-overflow-on-BigRequest-length.patch
@ -1,35 +0,0 @@
 From d5b66f2b1f3d9a322261d150e0da4e707a337334 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Wed, 18 Jun 2025 08:39:02 +0200
 Subject: [PATCH xserver 3/7] os: Check for integer overflow on BigRequest
 length
 Check for another possible integer overflow once we get a complete xReq
 with BigRequest.
 Related to CVE-2025-49176
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
 (cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
 ---
 os/io.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/os/io.c b/os/io.c
 index a05300869..de5b3c921 100644
 --- a/os/io.c
 +++ b/os/io.c
@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
                     needed = get_big_req_len(request, client);
             }
             client->req_len = needed;
 +            if (needed > MAXINT >> 2)
 +                return -(BadLength);
             needed <<= 2;
         }
         if (gotnow < needed) {
 -- 
 2.49.0
--- a/SOURCES/0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
+++ b/SOURCES/0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
@ -1,48 +0,0 @@
 From b4f63879f2a5cf0578101591f26471238f944e9c Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Mon, 28 Apr 2025 10:46:03 +0200
 Subject: [PATCH xserver 4/7] os: Account for bytes to ignore when sharing
 input buffer
 When reading requests from the clients, the input buffer might be shared
 and used between different clients.
 If a given client sends a full request with non-zero bytes to ignore,
 the bytes to ignore may still be non-zero even though the request is
 full, in which case the buffer could be shared with another client who's
 request will not be processed because of those bytes to ignore, leading
 to a possible hang of the other client request.
 To avoid the issue, make sure we have zero bytes to ignore left in the
 input request when sharing the input buffer with another client.
 CVE-2025-49178
 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
 reported by Julian Suleder via ERNW Vulnerability Disclosure.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 (cherry picked from commit d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
 ---
 os/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/os/io.c b/os/io.c
 index de5b3c921..b7f2750b5 100644
 --- a/os/io.c
 +++ b/os/io.c
@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
      */
     gotnow -= needed;
 -    if (!gotnow)
 +    if (!gotnow && !oci->ignoreBytes)
         AvailableInput = oc;
     if (move_header) {
         if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
 -- 
 2.49.0
--- a/SOURCES/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
+++ b/SOURCES/0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
@ -1,112 +0,0 @@
 From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Tue, 30 Jan 2024 13:13:35 +1000
 Subject: [PATCH 4/4] render: fix refcounting of glyphs during
 ProcRenderAddGlyphs
 Previously, AllocateGlyph would return a new glyph with refcount=0 and a
 re-used glyph would end up not changing the refcount at all. The
 resulting glyph_new array would thus have multiple entries pointing to
 the same non-refcounted glyphs.
 AddGlyph may free a glyph, resulting in a UAF when the same glyph
 pointer is then later used.
 Fix this by returning a refcount of 1 for a new glyph and always
 incrementing the refcount for a re-used glyph, followed by dropping that
 refcount back down again when we're done with it.
 CVE-2024-31083, ZDI-CAN-22880
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
 ---
 render/glyph.c         |  5 +++--
 render/glyphstr_priv.h |  1 +
 render/render.c        | 15 +++++++++++----
 3 files changed, 15 insertions(+), 6 deletions(-)
 diff --git a/render/glyph.c b/render/glyph.c
 index 850ea8440..13991f8a1 100644
 --- a/render/glyph.c
 +++ b/render/glyph.c
@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
     }
 }
 -static void
 +void
 FreeGlyph(GlyphPtr glyph, int format)
 {
     CheckDuplicates(&globalGlyphs[format], "FreeGlyph");
 +    BUG_RETURN(glyph->refcnt == 0);
     if (--glyph->refcnt == 0) {
         GlyphRefPtr gr;
         int i;
@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
     glyph = (GlyphPtr) malloc(size);
     if (!glyph)
         return 0;
 -    glyph->refcnt = 0;
 +    glyph->refcnt = 1;
     glyph->size = size + sizeof(xGlyphInfo);
     glyph->info = *gi;
     dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
 diff --git a/render/glyphstr.h b/render/glyphstr.h
 index 2f51bd244..3b1d806d1 100644
 --- a/render/glyphstr.h
 +++ b/render/glyphstr.h
@@ -108,6 +108,7 @@ extern Bool
 extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id);
 extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format);
 +extern void FreeGlyph(GlyphPtr glyph, int format);
 extern Bool
  ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change);
 diff --git a/render/render.c b/render/render.c
 index 29c5055c6..fe5e37dd9 100644
 --- a/render/render.c
 +++ b/render/render.c
@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
         if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
             glyph_new->found = TRUE;
 +            ++glyph_new->glyph->refcnt;
         }
         else {
             GlyphPtr glyph;
@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
         err = BadAlloc;
         goto bail;
     }
 -    for (i = 0; i < nglyphs; i++)
 +    for (i = 0; i < nglyphs; i++) {
         AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
 +        FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
 +    }
     if (glyphsBase != glyphsLocal)
         free(glyphsBase);
@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
         FreePicture((void *) pSrc, 0);
     if (pSrcPix)
         FreeScratchPixmapHeader(pSrcPix);
 -    for (i = 0; i < nglyphs; i++)
 -        if (glyphs[i].glyph && !glyphs[i].found)
 -            free(glyphs[i].glyph);
 +    for (i = 0; i < nglyphs; i++) {
 +        if (glyphs[i].glyph) {
 +            --glyphs[i].glyph->refcnt;
 +            if (!glyphs[i].found)
 +                free(glyphs[i].glyph);
 +        }
 +    }
     if (glyphsBase != glyphsLocal)
         free(glyphsBase);
     return err;
 -- 
 2.44.0
--- a/SOURCES/0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
+++ b/SOURCES/0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
@ -1,64 +0,0 @@
 From d943eaa6b8584e7ceebd73ee59bd84e99b09be5d Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Mon, 28 Apr 2025 11:47:15 +0200
 Subject: [PATCH xserver 5/7] record: Check for overflow in
 RecordSanityCheckRegisterClients()
 The RecordSanityCheckRegisterClients() checks for the request length,
 but does not check for integer overflow.
 A client might send a very large value for either the number of clients
 or the number of protocol ranges that will cause an integer overflow in
 the request length computation, defeating the check for request length.
 To avoid the issue, explicitly check the number of clients against the
 limit of clients (which is much lower than an maximum integer value) and
 the number of protocol ranges (multiplied by the record length) do not
 exceed the maximum integer value.
 This way, we ensure that the final computation for the request length
 will not overflow the maximum integer limit.
 CVE-2025-49179
 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
 reported by Julian Suleder via ERNW Vulnerability Disclosure.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 (cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
 ---
 record/record.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/record/record.c b/record/record.c
 index a8aec23bd..afaceb55c 100644
 --- a/record/record.c
 +++ b/record/record.c
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
 #include "inputstr.h"
 #include "eventconvert.h"
 #include "scrnintstr.h"
 +#include "opaque.h"
 #include <stdio.h>
 #include <assert.h>
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
     int i;
     XID recordingClient;
 +    /* LimitClients is 2048 at max, way less that MAXINT */
 +    if (stuff->nClients > LimitClients)
 +        return BadValue;
 +
 +    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
 +        return BadValue;
 +
     if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
         4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
         return BadLength;
 -- 
 2.49.0
--- a/SOURCES/0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
+++ b/SOURCES/0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
@ -1,43 +0,0 @@
 From 3d44c08d94e850769d7d16fce0596536370253b1 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Tue, 20 May 2025 15:18:19 +0200
 Subject: [PATCH xserver 6/7] randr: Check for overflow in
 RRChangeProviderProperty()
 A client might send a request causing an integer overflow when computing
 the total size to allocate in RRChangeProviderProperty().
 To avoid the issue, check that total length in bytes won't exceed the
 maximum integer value.
 CVE-2025-49180
 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
 reported by Julian Suleder via ERNW Vulnerability Disclosure.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 (cherry picked from commit 3c3a4b767b16174d3213055947ea7f4f88e10ec6)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
 ---
 randr/rrproviderproperty.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
 index b79c17f9b..7088570ee 100644
 --- a/randr/rrproviderproperty.c
 +++ b/randr/rrproviderproperty.c
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
     if (mode == PropModeReplace || len > 0) {
         void *new_data = NULL, *old_data = NULL;
 -
 +        if (total_len > MAXINT / size_in_bytes)
 +            return BadValue;
         total_size = total_len * size_in_bytes;
         new_value.data = (void *) malloc(total_size);
         if (!new_value.data && total_size) {
 -- 
 2.49.0
--- a/SOURCES/0007-xfree86-Check-for-RandR-provider-functions.patch
+++ b/SOURCES/0007-xfree86-Check-for-RandR-provider-functions.patch
@ -1,50 +0,0 @@
 From 8de5a9b2be31d14dcce3795f919b353d62e56897 Mon Sep 17 00:00:00 2001
 From: Olivier Fourdan <ofourdan@redhat.com>
 Date: Mon, 28 Apr 2025 14:59:46 +0200
 Subject: [PATCH xserver 7/7] xfree86: Check for RandR provider functions
 Changing XRandR provider properties if the driver has set no provider
 function such as the modesetting driver will cause a NULL pointer
 dereference and a crash of the Xorg server.
 Related to CVE-2025-49180
 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
 reported by Julian Suleder via ERNW Vulnerability Disclosure.
 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 (cherry picked from commit 0235121c6a7a6eb247e2addb3b41ed6ef566853d)
 Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
 ---
 hw/xfree86/modes/xf86RandR12.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
 index f220ef192..ccb7f629c 100644
 --- a/hw/xfree86/modes/xf86RandR12.c
 +++ b/hw/xfree86/modes/xf86RandR12.c
@@ -2133,7 +2133,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
     /* If we don't have any property handler, then we don't care what the
      * user is setting properties to.
      */
 -    if (config->provider_funcs->set_property == NULL)
 +    if (config->provider_funcs == NULL ||
 +        config->provider_funcs->set_property == NULL)
         return TRUE;
     /*
@@ -2151,7 +2152,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
     ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
     xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
 -    if (config->provider_funcs->get_property == NULL)
 +    if (config->provider_funcs == NULL ||
 +        config->provider_funcs->get_property == NULL)
         return TRUE;
     /* Should be safe even w/o vtSema */
 -- 
 2.49.0
--- a/SPECS/xorg-x11-server.spec
+++ b/SPECS/xorg-x11-server.spec
@ -46,7 +46,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.20.11
-Release:   26%{?gitdate:.%{gitdate}}%{?dist}
+Release:   22%{?gitdate:.%{gitdate}}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -175,33 +175,6 @@ Patch10040: 0009-ephyr-xwayland-Use-the-proper-private-key-for-cursor.patch
 Patch10041: 0001-hw-Rename-boolean-config-value-field-from-bool-to-bo.patch
 # Related to CVE-2024-21886
 Patch10042: 0001-dix-Fix-use-after-free-in-input-device-shutdown.patch
 # Fix compilation error on i686
 Patch10043: 0001-ephyr-Fix-incompatible-pointer-type-build-error.patch
 # Fix copy and paste error in CVE-2024-0229
 Patch10044: 0001-dix-fix-valuator-copy-paste-error-in-the-DeviceState.patch
 # CVE-2024-31080
 Patch10045: 0001-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch
 # CVE-2024-31081
 Patch10046: 0002-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch
 # CVE-2024-31082
 Patch10047: 0003-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch
 # CVE-2024-31083
 Patch10048: 0004-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch
 Patch10049: 0001-render-Avoid-possible-double-free-in-ProcRenderAddGl.patch
 # CVE-2024-9632
 Patch10050: 0001-xkb-Fix-buffer-overflow-in-_XkbSetCompatMap.patch
 # CVE-2025-49175: Out-of-bounds access in X Rendering extension
 Patch10051: 0001-render-Avoid-0-or-less-animated-cursors.patch
 # CVE-2025-49176: Integer overflow in Big Requests Extension
 Patch10052: 0002-os-Do-not-overflow-the-integer-size-with-BigRequest.patch
 Patch10053: 0003-os-Check-for-integer-overflow-on-BigRequest-length.patch
 # CVE-2025-49178: Unprocessed client request via bytes to ignore
 Patch10054: 0004-os-Account-for-bytes-to-ignore-when-sharing-input-bu.patch
 # CVE-2025-49179: Integer overflow in X Record extension
 Patch10055: 0005-record-Check-for-overflow-in-RecordSanityCheckRegist.patch
 # CVE-2025-49180: Integer overflow in RandR extension
 Patch10056: 0006-randr-Check-for-overflow-in-RRChangeProviderProperty.patch
 Patch10057: 0007-xfree86-Check-for-RandR-provider-functions.patch
 BuildRequires: make
 BuildRequires: systemtap-sdt-devel
@ -344,7 +317,6 @@ License: MIT and GPLv2
 Requires: xorg-x11-server-common >= %{version}-%{release}
 # required for xvfb-run
 Requires: xorg-x11-xauth
 Requires: util-linux
 Provides: Xvfb
 %description Xvfb
@ -630,24 +602,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %changelog
-* Wed Jun 18 2025 Olivier Fourdan <ofourdan@redhat.com> - 1.20.11-26
+* Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.4-24
 - CVE fix for: CVE-2025-49175 (RHEL-97273), CVE-2025-49176 (RHEL-97329),
               CVE-2025-49178 (RHEL-97369), CVE-2025-49179 (RHEL-97422),
               CVE-2025-49180 (RHEL-97235)
 * Tue Oct 29 2024 José Expósito <jexposit@redhat.com> - 1.20.11-25
 - CVE fix for CVE-2024-9632
 * Wed Apr 10 2024 José Expósito <jexposit@redhat.com> - 1.20.11-24
 - Fix regression caused by the fix for CVE-2024-31083
 * Thu Apr 04 2024 José Expósito <jexposit@redhat.com> - 1.20.11-23
 - CVE fix for: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082 and
  CVE-2024-31083
 - Add util-linux as a dependency of Xvfb
 - Fix compilation error on i686
 * Thu Jan 18 2024 José Expósito <jexposit@redhat.com> - 1.20.11-22
 - Fix use after free related to CVE-2024-21886
 * Tue Jan 16 2024 José Expósito <jexposit@redhat.com> - 1.20.11-21