3 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
new file mode 100644
index 0000000000..9e4e016477
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
@@ -0,0 +1,44 @@
+From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 20 May 2025 15:18:19 +0200
+Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
+A client might send a request causing an integer overflow when computing
+the total size to allocate in RRChangeProviderProperty().
+To avoid the issue, check that total length in bytes won't exceed the
+maximum integer value.
+CVE-2025-49180
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
+CVE: CVE-2025-49180
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ randr/rrproviderproperty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 69f66ed278..0c3dcd1bc5 100644
+--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
+@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+ 
+     if (mode == PropModeReplace || len > 0) {
+         void *new_data = NULL, *old_data = NULL;
+-
+        if (total_len > MAXINT / size_in_bytes)
+            return BadValue;
+         total_size = total_len * size_in_bytes;
+         new_value.data = (void *) malloc(total_size);
+         if (!new_value.data && total_size) {
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
new file mode 100644
index 0000000000..94fda308a9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
@@ -0,0 +1,52 @@
+From 0235121c6a7a6eb247e2addb3b41ed6ef566853d Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 14:59:46 +0200
+Subject: [PATCH] xfree86: Check for RandR provider functions
+Changing XRandR provider properties if the driver has set no provider
+function such as the modesetting driver will cause a NULL pointer
+dereference and a crash of the Xorg server.
+Related to CVE-2025-49180
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d]
+CVE: CVE-2025-49180
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/xfree86/modes/xf86RandR12.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
+index ddcf5e748a..bf33da377a 100644
+--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
+@@ -2146,7 +2146,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
+     /* If we don't have any property handler, then we don't care what the
+      * user is setting properties to.
+      */
+-    if (config->provider_funcs->set_property == NULL)
+    if (config->provider_funcs == NULL ||
+        config->provider_funcs->set_property == NULL)
+         return TRUE;
+ 
+     /*
+@@ -2164,7 +2165,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
+     ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
+     xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
+ 
+-    if (config->provider_funcs->get_property == NULL)
+    if (config->provider_funcs == NULL ||
+        config->provider_funcs->get_property == NULL)
+         return TRUE;
+ 
+     /* Should be safe even w/o vtSema */
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 279351eff1..a15669a260 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -42,6 +42,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2025-49177.patch \
           file://CVE-2025-49178.patch \
           file://CVE-2025-49179.patch \
+           file://CVE-2025-49180-1.patch \
+           file://CVE-2025-49180-2.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch new file mode 100644 index 0000000000..9e4e016477 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
@@ -0,0 +1,44 @@
		1	From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Tue, 20 May 2025 15:18:19 +0200
		4	Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
		5
		6	A client might send a request causing an integer overflow when computing
		7	the total size to allocate in RRChangeProviderProperty().
		8
		9	To avoid the issue, check that total length in bytes won't exceed the
		10	maximum integer value.
		11
		12	CVE-2025-49180
		13
		14	This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
		15	reported by Julian Suleder via ERNW Vulnerability Disclosure.
		16
		17	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		18	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		19	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
		20
		21	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
		22	CVE: CVE-2025-49180
		23	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		24	---
		25	randr/rrproviderproperty.c \| 3 ++-
		26	1 file changed, 2 insertions(+), 1 deletion(-)
		27
		28	diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
		29	index 69f66ed278..0c3dcd1bc5 100644
		30	--- a/randr/rrproviderproperty.c
		31	+++ b/randr/rrproviderproperty.c
		32	@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
		33
		34	if (mode == PropModeReplace \|\| len > 0) {
		35	void new_data = NULL, old_data = NULL;
		36	-
		37	+ if (total_len > MAXINT / size_in_bytes)
		38	+ return BadValue;
		39	total_size = total_len * size_in_bytes;
		40	new_value.data = (void *) malloc(total_size);
		41	if (!new_value.data && total_size) {
		42	--
		43	GitLab
		44


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch new file mode 100644 index 0000000000..94fda308a9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
@@ -0,0 +1,52 @@
		1	From 0235121c6a7a6eb247e2addb3b41ed6ef566853d Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Mon, 28 Apr 2025 14:59:46 +0200
		4	Subject: [PATCH] xfree86: Check for RandR provider functions
		5
		6	Changing XRandR provider properties if the driver has set no provider
		7	function such as the modesetting driver will cause a NULL pointer
		8	dereference and a crash of the Xorg server.
		9
		10	Related to CVE-2025-49180
		11
		12	This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
		13	reported by Julian Suleder via ERNW Vulnerability Disclosure.
		14
		15	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		16	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		17	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
		18
		19	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c6a7a6eb247e2addb3b41ed6ef566853d]
		20	CVE: CVE-2025-49180
		21	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		22	---
		23	hw/xfree86/modes/xf86RandR12.c \| 6 ++++--
		24	1 file changed, 4 insertions(+), 2 deletions(-)
		25
		26	diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
		27	index ddcf5e748a..bf33da377a 100644
		28	--- a/hw/xfree86/modes/xf86RandR12.c
		29	+++ b/hw/xfree86/modes/xf86RandR12.c
		30	@@ -2146,7 +2146,8 @@ xf86RandR14ProviderSetProperty(ScreenPtr pScreen,
		31	/* If we don't have any property handler, then we don't care what the
		32	* user is setting properties to.
		33	*/
		34	- if (config->provider_funcs->set_property == NULL)
		35	+ if (config->provider_funcs == NULL \|\|
		36	+ config->provider_funcs->set_property == NULL)
		37	return TRUE;
		38
		39	/*
		40	@@ -2164,7 +2165,8 @@ xf86RandR14ProviderGetProperty(ScreenPtr pScreen,
		41	ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
		42	xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
		43
		44	- if (config->provider_funcs->get_property == NULL)
		45	+ if (config->provider_funcs == NULL \|\|
		46	+ config->provider_funcs->get_property == NULL)
		47	return TRUE;
		48
		49	/* Should be safe even w/o vtSema */
		50	--
		51	GitLab
		52


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 279351eff1..a15669a260 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -42,6 +42,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
42	file://CVE-2025-49177.patch \	42	file://CVE-2025-49177.patch \
43	file://CVE-2025-49178.patch \	43	file://CVE-2025-49178.patch \
44	file://CVE-2025-49179.patch \	44	file://CVE-2025-49179.patch \
		45	file://CVE-2025-49180-1.patch \
		46	file://CVE-2025-49180-2.patch \
45	"	47	"
46	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	48	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
47		49