Your message dated Sun, 22 Jun 2025 12:31:20 +0000
with message-id <e1utjqy-00ahpg...@respighi.debian.org>
and subject line unblock xorg-server
has caused the Debian Bug report #1108172,
regarding unblock: xorg-server/2:21.1.16-1.3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: xorg-ser...@packages.debian.org, Emilio Pozuelo Monfort
<po...@debian.org>, Timo Aaltonen <tjaal...@ubuntu.com>, Julien Cristau
<jcris...@debian.org>, car...@debian.org, debian-b...@lists.debian.org,
k...@debian.org
Control: affects -1 + src:xorg-server
User: release.debian....@packages.debian.org
Usertags: unblock
Control: tags -1 + d-i
Please unblock package xorg-server
The update for xorg-server covering several CVE fixes required one
other followup as there was one integer overflow related to
CVE-2025-49176 found later to be unfixed, cf. #1108073.
Adding as well debian-boot@l.d.o since a udeb is produced
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock xorg-server/2:21.1.16-1.3
The debdiff is only on top of the previous upload which was already
unboocked but superseeded before migration to testing of this one.
Regards,
Salvatore
diff -u xorg-server-21.1.16/debian/changelog
xorg-server-21.1.16/debian/changelog
--- xorg-server-21.1.16/debian/changelog
+++ xorg-server-21.1.16/debian/changelog
@@ -1,3 +1,11 @@
+xorg-server (2:21.1.16-1.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * os: Check for integer overflow on BigRequest length (CVE-2025-49176)
+ (Closes: #1108073)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 20 Jun 2025 09:47:20 +0200
+
xorg-server (2:21.1.16-1.2) unstable; urgency=medium
* Non-maintainer upload.
diff -u xorg-server-21.1.16/debian/patches/series
xorg-server-21.1.16/debian/patches/series
--- xorg-server-21.1.16/debian/patches/series
+++ xorg-server-21.1.16/debian/patches/series
@@ -11,3 +11,4 @@
14_record-Check-for-overflow-in-RecordSanityCheckRegist.diff
15_randr-Check-for-overflow-in-RRChangeProviderProperty.diff
16_xfree86-Check-for-RandR-provider-functions.diff
+17_os-Check-for-integer-overflow-on-BigRequest-length.diff
only in patch2:
unchanged:
---
xorg-server-21.1.16.orig/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
+++
xorg-server-21.1.16/debian/patches/17_os-Check-for-integer-overflow-on-BigRequest-length.diff
@@ -0,0 +1,35 @@
+From a659519ffa3eae4c94218b03e704a2b6d26adf6f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofour...@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofour...@redhat.com>
+Suggested-by: Peter Harris <pharr...@rocketsoftware.com>
+(cherry picked from commit 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2029>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index 26f9161ef826..83986af9288e 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
+--
+2.50.0
+
--- End Message ---
--- Begin Message ---
Unblocked xorg-server.
--- End Message ---
