Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], Emilio Pozuelo Monfort <[email protected]>, Timo Aaltonen <[email protected]>, Julien Cristau <[email protected]>, [email protected], [email protected], [email protected]
Control: affects -1 + src:xorg-server
User: [email protected]
Usertags: unblock
Control: tags -1 + d-i
Please unblock package xorg-server

The update for xorg-server covering several CVE fixes required one other followup, as there was one integer overflow related to CVE-2025-49176 found later to be unfixed, cf. #1108073.

Adding as well [email protected] since a udeb is produced.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock xorg-server/2:21.1.16-1.3

The debdiff is only on top of the previous upload, which was already unblocked but superseded before migration to testing of this one.

Regards,
Salvatore
diff -u xorg-server-21.1.16/debian/changelog xorg-server-21.1.16/debian/changelog --- xorg-server-21.1.16/debian/changelog +++ xorg-server-21.1.16/debian/changelog @@ -1,3 +1,11 @@ +xorg-server (2:21.1.16-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * os: Check for integer overflow on BigRequest length (CVE-2025-49176) + (Closes: #1108073) + + -- Salvatore Bonaccorso <[email protected]> Fri, 20 Jun 2025 09:47:20 +0200 + xorg-server (2:21.1.16-1.2) unstable; urgency=medium * Non-maintainer upload. diff -u xorg-server-21.1.16/debian/patches/series xorg-server-21.1.16/debian/patches/series --- xorg-server-21.1.16/debian/patches/series +++ xorg-server-21.1.16/debian/patches/series @@ -11,3 +11,4 @@ 14_record-Check-for-overflow-in-RecordSanityCheckRegist.diff 15_randr-Check-for-overflow-in-RRChangeProviderProperty.diff 16_xfree86-Check-for-RandR-provider-functions.diff +17_os-Check-for-integer-overflow-on-BigRequest-length.diff only in patch2: unchanged: --- xorg-server-21.1.16.orig/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff +++ xorg-server-21.1.16/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff 
@@ -0,0 +1,35 @@ +From a659519ffa3eae4c94218b03e704a2b6d26adf6f Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <[email protected]> +Date: Wed, 18 Jun 2025 08:39:02 +0200 +Subject: [PATCH] os: Check for integer overflow on BigRequest length + +Check for another possible integer overflow once we get a complete xReq +with BigRequest. + +Related to CVE-2025-49176 + +Signed-off-by: Olivier Fourdan <[email protected]> +Suggested-by: Peter Harris <[email protected]> +(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1) + +Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2029> +--- + os/io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/os/io.c b/os/io.c +index 26f9161ef826..83986af9288e 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) ++ return -(BadLength); + needed <<= 2; + } + if (gotnow < needed) { +-- +2.50.0 +
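Review bot: in the os/io.c hunk the new bound check sits after `client->req_len = needed;`, so on the `return -(BadLength);` path the client's req_len has already been set to the oversized value; placing the two added lines above that assignment would keep req_len holding only lengths that passed the check. The bound itself is the right one: with needed a signed int (its declaration is outside the hunk), MAXINT >> 2 is the largest value for which the following `needed <<= 2;` cannot overflow.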
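To make the overflow the patch guards against concrete, here is an added example (our own code, not from xorg-server or the Debian package) that reads an X11 request header with and without the BIG-REQUESTS form and converts its length from 4-byte units to bytes, once without a bound and once with the same `MAXINT >> 2` check the patch adds. All function and macro names below (`read_req_units`, `bytes_needed_checked`, `SAMPLE_HOSTILE`, and so on) are ours; the only protocol facts relied on are the 4-byte request header with a 16-bit length in 4-byte units and the BIG-REQUESTS rule that a zero 16-bit length is followed by a 32-bit length. The sample headers are constructed for the example and assume a little-endian client.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from xorg-server. Function and macro names are our
 * own. Protocol facts used: an X11 request header is 4 bytes (opcode, data
 * byte, 16-bit length in 4-byte units); under BIG-REQUESTS a zero 16-bit
 * length means a 32-bit length, also in 4-byte units, follows in bytes 4..7.
 * Assumption: the client sends little-endian values (a real server honours
 * the byte order negotiated at connection setup). */
#define BAD_LENGTH    16   /* X11 BadLength error code */
#define SMALL_HEADER  4
#define BIG_HEADER    8

static uint32_t rd16(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

static uint32_t rd32(const unsigned char *p)
{
    return rd16(p) | (rd16(p + 2) << 16);
}

/* Read the request length in 4-byte units. Returns 0 and sets *want to the
 * header size still required when fewer than a full header has arrived. */
static int read_req_units(const unsigned char *buf, size_t gotnow,
                          uint32_t *units, size_t *want)
{
    *want = SMALL_HEADER;
    if (gotnow < SMALL_HEADER)
        return 0;
    *units = rd16(buf + 2);
    if (*units != 0)
        return 1;
    *want = BIG_HEADER;                 /* BIG-REQUESTS form */
    if (gotnow < BIG_HEADER)
        return 0;
    *units = rd32(buf + 4);
    return 1;
}

/* Without the bound: units * 4 computed in 32-bit arithmetic. For units above
 * 0x3FFFFFFF the product wraps, so a multi-gigabyte request can look like a
 * 4-byte one. Modelled here with unsigned wraparound; in the server the
 * shift is on a signed int, where the overflow is undefined behaviour. */
int64_t bytes_needed_unchecked(const unsigned char *buf, size_t gotnow)
{
    uint32_t units;
    size_t want;
    if (!read_req_units(buf, gotnow, &units, &want))
        return (int64_t)want;
    uint32_t bytes = units << 2;        /* wraps modulo 2^32 */
    return (int64_t)bytes;
}

/* With the bound: reject the length before shifting, as the patch does with
 * "if (needed > MAXINT >> 2) return -(BadLength);". */
int64_t bytes_needed_checked(const unsigned char *buf, size_t gotnow)
{
    uint32_t units;
    size_t want;
    if (!read_req_units(buf, gotnow, &units, &want))
        return (int64_t)want;
    if (units > (uint32_t)(INT_MAX >> 2))
        return -BAD_LENGTH;
    return (int64_t)units << 2;
}

/* Constructed sample headers (opcode 0x2b chosen arbitrarily). */
const unsigned char SAMPLE_SMALL[4]   = { 0x2b, 0x00, 0x02, 0x00 };                         /* 2 units */
const unsigned char SAMPLE_BIG[8]     = { 0x2b, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00 }; /* 3 units */
const unsigned char SAMPLE_MAXOK[8]   = { 0x2b, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x1f }; /* 0x1FFFFFFF units */
const unsigned char SAMPLE_HOSTILE[8] = { 0x2b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x40 }; /* 0x40000001 units */

int main(void)
{
    printf("small:   %lld bytes\n",
           (long long)bytes_needed_checked(SAMPLE_SMALL, sizeof SAMPLE_SMALL));
    printf("big:     %lld bytes\n",
           (long long)bytes_needed_checked(SAMPLE_BIG, sizeof SAMPLE_BIG));
    printf("hostile: unchecked=%lld checked=%lld\n",
           (long long)bytes_needed_unchecked(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE),
           (long long)bytes_needed_checked(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE));
    return 0;
}
```

The hostile header is the case the check exists for: 0x40000001 units shifted left by two wraps to 4, so a server computing the byte count without the bound would treat the request as complete after four bytes while its stored request length says otherwise. With the bound the same header is rejected with BadLength before the shift happens, and the largest accepted value (0x1FFFFFFF units) still converts without overflowing a 32-bit signed int.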

