xserver-xorg: Fix for CVE-2025-49178

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 (From OE-Core rev: 8d29231af51de235b99be0eeb71dfab41d67589d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-08-20 16:22:30 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-08-29 08:33:32 -0700
commit: 17e3bd9df8a251da0173205511e876fc8160dbc8 (patch)
tree: a38cf8562297f33ba56db57e40ecfff855d9e624
parent: d6f3ce165174cd09f4af6c055d4974a15d9630ae (diff)
download: poky-17e3bd9df8a251da0173205511e876fc8160dbc8.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
new file mode 100644
index 0000000000..ce3e2f415f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
@@ -0,0 +1,49 @@
+From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+CVE-2025-49178
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2]
+CVE: CVE-2025-49178
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/os/io.c b/os/io.c
+index 3e39c10e6f..e7b76b9cea 100644
+--- a/os/io.c
+++ b/os/io.c
+@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client)
+      */
+ 
+     gotnow -= needed;
+-    if (!gotnow)
+    if (!gotnow && !oci->ignoreBytes)
+         AvailableInput = oc;
+     if (move_header) {
+         if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 1fceec89f7..67e146bf97 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2025-49176-1.patch \
           file://CVE-2025-49176-2.patch \
           file://CVE-2025-49177.patch \
+           file://CVE-2025-49178.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-08-20 16:22:30 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-08-29 08:33:32 -0700
commit	17e3bd9df8a251da0173205511e876fc8160dbc8 (patch)
tree	a38cf8562297f33ba56db57e40ecfff855d9e624
parent	d6f3ce165174cd09f4af6c055d4974a15d9630ae (diff)
download	poky-17e3bd9df8a251da0173205511e876fc8160dbc8.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch new file mode 100644 index 0000000000..ce3e2f415f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
@@ -0,0 +1,49 @@
		1	From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 28 Apr 2025 10:46:03 +0200
		4	Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
		5
		6	When reading requests from the clients, the input buffer might be shared
		7	and used between different clients.
		8
		9	If a given client sends a full request with non-zero bytes to ignore,
		10	the bytes to ignore may still be non-zero even though the request is
		11	full, in which case the buffer could be shared with another client who's
		12	request will not be processed because of those bytes to ignore, leading
		13	to a possible hang of the other client request.
		14
		15	To avoid the issue, make sure we have zero bytes to ignore left in the
		16	input request when sharing the input buffer with another client.
		17
		18	CVE-2025-49178
		19
		20	This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
		21	reported by Julian Suleder via ERNW Vulnerability Disclosure.
		22
		23	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		24	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		25	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
		26
		27	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2]
		28	CVE: CVE-2025-49178
		29	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		30	---
		31	os/io.c \| 2 +-
		32	1 file changed, 1 insertion(+), 1 deletion(-)
		33
		34	diff --git a/os/io.c b/os/io.c
		35	index 3e39c10e6f..e7b76b9cea 100644
		36	--- a/os/io.c
		37	+++ b/os/io.c
		38	@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client)
		39	*/
		40
		41	gotnow -= needed;
		42	- if (!gotnow)
		43	+ if (!gotnow && !oci->ignoreBytes)
		44	AvailableInput = oc;
		45	if (move_header) {
		46	if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
		47	--
		48	GitLab
		49


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 1fceec89f7..67e146bf97 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -40,6 +40,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
40	file://CVE-2025-49176-1.patch \	40	file://CVE-2025-49176-1.patch \
41	file://CVE-2025-49176-2.patch \	41	file://CVE-2025-49176-2.patch \
42	file://CVE-2025-49177.patch \	42	file://CVE-2025-49177.patch \
		43	file://CVE-2025-49178.patch \
43	"	44	"
44	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	45	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
45		46