diff --git a/102-bugfix-for-CVE-2025-49176.patch b/102-bugfix-for-CVE-2025-49176.patch
deleted file mode 100644
index 8c6251df8c01c599c2774193084267dd27b5dc37..0000000000000000000000000000000000000000
--- a/102-bugfix-for-CVE-2025-49176.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 57248c57e971bb7cc0ccae6de4c49a49ff13b45c Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan
-Date: Mon, 7 Apr 2025 16:13:34 +0200
-Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The BigRequest extension allows request larger than the 16-bit length
-limit.
-
-It uses integers for the request length and checks for the size not to
-exceed the maxBigRequestSize limit, but does so after translating the
-length to integer by multiplying the given size in bytes by 4.
-
-In doing so, it might overflow the integer size limit before actually
-checking for the overflow, defeating the purpose of the test.
-
-To avoid the issue, make sure to check that the request size does not
-overflow the maxBigRequestSize limit prior to any conversion.
-
-The caller Dispatch() function however expects the return value to be in
-bytes, so we cannot just return the converted value in case of error, as
-that would also overflow the integer size.
-
-To preserve the existing API, we use a negative value for the X11 error
-code BadLength as the function only return positive values, 0 or -1 and
-update the caller Dispatch() function to take that case into account to
-return the error code to the offending client.
-
-CVE-2025-49176
-
-This issue was discovered by Nils Emmerich and
-reported by Julian Suleder via ERNW Vulnerability Disclosure.
-
-Signed-off-by: Olivier Fourdan
-Reviewed-by: Michel Dänzer
-(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa)
----
- dix/dispatch.c | 9 +++++----
- os/io.c | 4 ++++
- 2 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/dix/dispatch.c b/dix/dispatch.c
-index 6f4e349e0..15e63e22a 100644
---- a/dix/dispatch.c
-+++ b/dix/dispatch.c
-@@ -518,9 +518,10 @@ Dispatch(void)
-
- /* now, finally, deal with client requests */
- result = ReadRequestFromClient(client);
-- if (result <= 0) {
-- if (result < 0)
-- CloseDownClient(client);
-+ if (result == 0)
-+ break;
-+ else if (result == -1) {
-+ CloseDownClient(client);
- break;
- }
-
-@@ -541,7 +542,7 @@ Dispatch(void)
- client->index,
- client->requestBuffer);
- #endif
-- if (result > (maxBigRequestSize << 2))
-+ if (result < 0 || result > (maxBigRequestSize << 2))
- result = BadLength;
- else {
- result = XaceHookDispatch(client, client->majorOp);
-diff --git a/os/io.c b/os/io.c
-index 5b7fac349..5fc05821c 100644
---- a/os/io.c
-+++ b/os/io.c
-@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
- needed = get_big_req_len(request, client);
- }
- client->req_len = needed;
-+ if (needed > MAXINT >> 2) {
-+ /* Check for potential integer overflow */
-+ return -(BadLength);
-+ }
- needed <<= 2; /* needed is in bytes now */
- }
- if (gotnow < needed) {
---
-2.49.0
-
diff --git a/103-bugfix-for-CVE-2025-49176.patch b/103-bugfix-for-CVE-2025-49176.patch
deleted file mode 100644
index 7bd7f65204cb0d7209054addd92727c552be46c2..0000000000000000000000000000000000000000
--- a/103-bugfix-for-CVE-2025-49176.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan
-Date: Wed, 18 Jun 2025 08:39:02 +0200
-Subject: [PATCH] os: Check for integer overflow on BigRequest length
-
-Check for another possible integer overflow once we get a complete xReq
-with BigRequest.
-
-Related to CVE-2025-49176
-
-Signed-off-by: Olivier Fourdan
-Suggested-by: Peter Harris
---
- os/io.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/os/io.c b/os/io.c
-index e7b76b9cea..167b40a720 100644
---- a/os/io.c
-+++ b/os/io.c
-@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
- needed = get_big_req_len(request, client);
- }
- client->req_len = needed;
-+ if (needed > MAXINT >> 2)
-+ return -(BadLength);
- needed <<= 2;
- }
- if (gotnow < needed) {
---
-GitLab
-
diff --git a/tigervnc.spec b/tigervnc.spec
index 230302e25b091e890a740b0b2bb378d70540d184..e9200961b0ccc16b46ad6e40de3e5b990fa9a7f4 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 #defining macros needed by SELinux
 %global selinuxtype targeted
 %global modulename vncsession
@@ -30,8 +30,6 @@ Patch50: tigervnc-vncsession-restore-script-systemd-service.patch
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100: tigervnc-xserver120.patch
 Patch101: 101-bugfix-for-CVE-2024-21885.patch
-Patch102: 102-bugfix-for-CVE-2025-49176.patch
-Patch103: 103-bugfix-for-CVE-2025-49176.patch
 BuildRequires: make
 BuildRequires: gcc-c++
@@ -164,8 +162,6 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .101-bugfix-for-CVE-2024-21885
-%patch102 -p1 -b .102-bugfix-for-CVE-2025-49176
-%patch103 -p1 -b .103-bugfix-for-CVE-2025-49176
 popd
 # Downstream patches
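Review bot: Nothing visible in this spec pins the xorg-x11-server source to a release that contains the CVE-2025-49176 fix, yet removing `Patch102`/`Patch103` here (and `%patch102`/`%patch103` in the `%prep` hunk) makes that source the only place the `needed > MAXINT >> 2` check in `ReadRequestFromClient` can come from. The BuildRequires lines shown are only `make` and `gcc-c++`; the server-source requirement lies outside the hunk, so whether it carries a version bound cannot be confirmed from here. If it is unversioned, a rebuild against an older server source would succeed and ship without the fix, so I would add a lower bound such as `BuildRequires: xorg-x11-server-source >= <FIXED_VERSION>` (placeholder version; use the package name the spec already requires) with a comment naming the CVEs it guards. A build-time check that the unpacked `os/io.c` contains the overflow guard would catch the same regression if a version bound is not practical.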
@@ -337,6 +333,11 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 %changelog
+* Mon Aug 11 2025 mgb01105731 - 1.13.1-5
+- Rebuild with xorg-x11-server to fix CVE-2025-49175,CVE-2025-49176,
+ CVE-2025-49178,CVE-2025-49179,CVE-2025-49180
+- Delete patch as xorg-x11-server has fix CVE-2025-49175,CVE-2025-49176
+
 * Wed Jul 23 2025 tomcruiseqi - 1.13.1-4
 - Fix CVE-2025-49176