diff --git a/1001-fix-CVE-2025-49175-and-CVE-2025-49176.patch b/1001-fix-CVE-2025-49175-and-CVE-2025-49176.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ae251ea8ca7c74face921a66cf7de5ddfe958a72
--- /dev/null
+++ b/1001-fix-CVE-2025-49175-and-CVE-2025-49176.patch
@@ -0,0 +1,40 @@
+From 2794ea48a3a36a0bcf37d5a3b62b182b870c9a2b Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 21:38:13 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49175 and CVE-2025-49176
+
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index ef27bda..77942d8 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 5bc2a20..a8c2da0 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+2.41.0
+
diff --git a/1002-fix-CVE-2025-49177.patch b/1002-fix-CVE-2025-49177.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ca2694f652d0202c65105ab3830ed9b29d83172a
--- /dev/null
+++ b/1002-fix-CVE-2025-49177.patch
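Review bot: The subject line and file name of 1001 claim CVE-2025-49176, but its two inner hunks only add `if (ncursor <= 0) return BadValue;` to AnimCursorCreate in render/animcur.c and to ProcRenderCreateAnimCursor in render/render.c, and the spec comment for Patch2 cites a single upstream commit. As far as I recall the X.Org advisory, CVE-2025-49176 concerns the length arithmetic for big requests in the request reader rather than the Render extension; if that is right, nothing in this patch touches the affected code and the changelog would report a fix that is not applied. Please confirm against the advisory and either carry the corresponding upstream change as its own patch or drop CVE-2025-49176 from the subject, file name and changelog. Both function bodies continue outside the hunks.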
@@ -0,0 +1,33 @@
+From a13685aab3559a504abb1074f9f81c782a30a30d Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 21:40:14 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49177
+
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index 28aac45..d6da1f9 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+ ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+
+ REQUEST(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ pDisconnect->disconnect_mode = stuff->disconnect_mode;
+
+@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+
+ swaps(&stuff->length);
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ swapl(&stuff->disconnect_mode);
+
+--
+2.41.0
+
diff --git a/1003-fix-CVE-2025-49178.patch b/1003-fix-CVE-2025-49178.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4b6bbcd4571ee83d72019e18027beedbb8e2e0cd
--- /dev/null
+++ b/1003-fix-CVE-2025-49178.patch
@@ -0,0 +1,25 @@
+From f07e267ede2f524e3600dd1cb134b54b955c851c Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 21:41:10 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49178
+
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 841a0ee..a376bc7 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -438,7 +438,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.41.0
+
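Review bot: In patch 1003 (os/io.c, ReadRequestFromClient) the new condition `if (!gotnow && !oci->ignoreBytes)` carries no comment saying why pending ignore-bytes must stop `AvailableInput = oc` from being set, and the one-line subject gives no rationale either. The comment block that ends on the first context line is outside the hunk, so it may or may not cover this. If the intent is, as it appears, that a buffer with bytes still to be discarded must not be offered for reuse, a line such as `/* only release the buffer once no bytes are left to ignore */` above the condition would keep the next reader from simplifying it back. The function body continues outside the hunk.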
diff --git a/1004-fix-CVE-2025-49179.patch b/1004-fix-CVE-2025-49179.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7fb08dcc4a16e4ae3ce73f6b1f5cb61750ec9710
--- /dev/null
+++ b/1004-fix-CVE-2025-49179.patch
@@ -0,0 +1,38 @@
+From ab064a9c71b252d80b0780d0d4958c50b656bdb7 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 21:43:53 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49179
+
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index e123867..ce6d167 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "../include/opaque.h"
+
+ #include
+ #include
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.41.0
+
diff --git a/1005-fix-CVE-2025-49180.patch b/1005-fix-CVE-2025-49180.patch
new file mode 100644
index 0000000000000000000000000000000000000000..647a2d5edcdd7493db574a2692b514f18627ac64
--- /dev/null
+++ b/1005-fix-CVE-2025-49180.patch
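Review bot: The added `#include "../include/opaque.h"` in record/record.c is written relative to the source directory, while the neighbouring context lines include headers by bare name (`"inputstr.h"`, `"scrnintstr.h"`). If opaque.h is on the same include path, `#include "opaque.h"` would match them and not depend on the tree layout. In the second inner hunk the new comment has a typo ("less that") and does not say what the bound protects. Something like `/* LimitClients is at most 2048, far less than MAXINT, so 4 * nClients below cannot overflow */` states the dependency, since the `MAXINT - 4 * stuff->nClients` term in the next check is only safe after the LimitClients test. The types of nClients and nRanges are declared outside the hunk, so the signedness of that comparison should be confirmed there.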
@@ -0,0 +1,26 @@
+From b85fc9fdeb0146ce553f72e2e588ee90302c0346 Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Mon, 23 Jun 2025 21:48:14 -0400
+Subject: [PATCH 1/1] fix CVE-2025-49180
+
+---
+ randr/rrproviderproperty.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..44cb5c7 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -180,6 +180,9 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
++
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+2.41.0
+
diff --git a/xorg-x11-server-Xwayland.spec b/xorg-x11-server-Xwayland.spec
index c9575d2beebe3d0d66dc268e7230237875ff7bfa..285351c7054014cf1920a14f1057ab0a2390ed0f 100644
--- a/xorg-x11-server-Xwayland.spec
+++ b/xorg-x11-server-Xwayland.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global pkgname xwayland
 %global default_font_path "catalogue:/etc/X11/fontpath.d,built-ins"
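Review bot: The new `return BadValue;` in RRChangeProviderProperty (patch 1005) leaves the function directly, while the allocation-failure branch that opens on the last context line (`if (!new_value.data && total_size) {`) has a body outside the hunk that may do cleanup before returning. If a property can be freshly created earlier in this call, as I recall from upstream, the early return would skip releasing it, so the full function should be checked and any such cleanup mirrored here. The guard also divides by `size_in_bytes`, whose derivation is outside the hunk. Unless every caller guarantees it is non-zero, `if (size_in_bytes == 0 || total_len > MAXINT / size_in_bytes)` would keep the overflow check itself from faulting.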
@@ -13,6 +13,17 @@ Source0: https://www.x.org/releases/individual/xserver/%{pkgname}-%{version}.t
 Patch0: xorg-x11-server-Xwayland-fix-CVE-2024-31083.patch
 Patch1: xorg-x11-server-Xwayland-fix-CVE.patch
+# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F0885e0b26225c90534642fe911632ec0779eebee
+Patch2: 1001-fix-CVE-2025-49175-and-CVE-2025-49176.patch
+# https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af
+Patch3: 1002-fix-CVE-2025-49177.patch
+# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2Fd55c54cecb5e83eaa2d56bed5cc4461f9ba318c2
+Patch4: 1003-fix-CVE-2025-49178.patch
+# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4
+Patch5: 1004-fix-CVE-2025-49179.patch
+# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F3c3a4b767b16174d3213055947ea7f4f88e10ec6
+# https://gitee.com/link?target=https%3A%2F%2Fgitlab.freedesktop.org%2Fxorg%2Fxserver%2F-%2Fcommit%2F0235121c6a7a6eb247e2addb3b41ed6ef566853d
+Patch6: 1005-fix-CVE-2025-49180.patch
 License: MIT
@@ -142,6 +153,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %doc README.md
 %changelog
+* Thu Aug 07 2025 mgb01105731 - 23.2.5-4
+- Add patches to fix CVE-2025-49175,CVE-2025-49176,CVE-2025-49177,
+ CVE-2025-49178,CVE-2025-49179,CVE-2025-49180
+
 * Thu Jun 12 2025 wenyuzifang - 23.2.5-3
 - fix CVE-2024-9632
 - fix CVE-2025-26601
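Review bot: In the Patch2–Patch6 hunk, all of the upstream references except the one above Patch3 go through a `gitee.com/link?target=` redirect with a percent-encoded URL, while the Patch3 comment links to gitlab.freedesktop.org directly. Using the direct form everywhere lets a reader check provenance without depending on a third-party redirector. Patch6 cites two upstream commits, yet 1005-fix-CVE-2025-49180.patch reports one changed file (randr/rrproviderproperty.c), so a short comment saying which commit was not carried and why would make the backport auditable. The patch files also replace the upstream commit messages with a bare "fix CVE-…" subject, so these spec comments are the only provenance record and should be exact.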