X.Org Security Advisory: multiple security issues in X.Org X server and Xwayland

Olivier Fourdan ofourdan at redhat.com
Tue Jun 17 13:43:15 UTC 2025


======================================================================
X.Org Security Advisory: June 17, 2025

Issues in X.Org X server prior to 21.1.17 and Xwayland prior to 24.1.7
======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org, for which we are releasing security fixes in
xorg-server-21.1.17 and xwayland-24.1.7.

1) CVE-2025-49175: Out-of-bounds access in X Rendering extension
(Animated cursors)

The X Rendering extension allows creating animated cursors by providing a
list of cursors.

By default, the Xserver assumes at least one cursor is provided, while a
client may actually pass no cursor at all, which causes an out-of-bounds
read when creating the animated cursor and a crash of the Xserver.

Introduced in: X11R6.7 (originally from XFree86 4.3.0)
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b2
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

2) CVE-2025-49176: Integer overflow in Big Requests Extension

The Big Requests extension allows requests larger than the 16-bit length
limit.

It uses integers for the request length and checks that the size does not
exceed the maxBigRequestSize limit, but does so after translating the
length to integer by multiplying the given size in bytes by 4.

In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test.

Introduced in: X11R6.0
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b32
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.
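
Added example (not X.Org code and not part of the original advisory): the
check-after-multiply ordering described for CVE-2025-49176, next to a
check-before-multiply form. The function names and MAX_REQ_UNITS are
hypothetical, and unsigned 32-bit arithmetic is assumed so that the wrap
is well defined in C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limit in 4-byte units (assumption, not the X server's value). */
#define MAX_REQ_UNITS 4194303u

/* Check after multiply: the product wraps modulo 2^32 before it is tested,
 * so a huge wire length can come out as a small byte count. With a signed
 * int the same overflow would be undefined behaviour. */
static bool accept_check_after(uint32_t units, uint32_t *bytes_out)
{
    uint32_t bytes = units * 4u;            /* may wrap */
    if (bytes > MAX_REQ_UNITS * 4u)         /* tests the wrapped value */
        return false;
    *bytes_out = bytes;
    return true;
}

/* Check before multiply: bound the wire value first, so the product
 * can no longer exceed the 32-bit range. */
static bool accept_check_before(uint32_t units, uint32_t *bytes_out)
{
    if (units > MAX_REQ_UNITS)
        return false;
    *bytes_out = units * 4u;
    return true;
}

int main(void)
{
    /* Constructed lengths: small, at the limit, just over it, and wrapping. */
    const uint32_t samples[] = { 16u, MAX_REQ_UNITS, MAX_REQ_UNITS + 1u,
                                 0x40000001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = 0, b = 0;
        bool ra = accept_check_after(samples[i], &a);
        bool rb = accept_check_before(samples[i], &b);
        printf("units=%#x  after: ok=%d bytes=%u  before: ok=%d bytes=%u\n",
               (unsigned)samples[i], ra, (unsigned)a, rb, (unsigned)b);
    }
    return 0;
}
```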

3) CVE-2025-49177: Data leak in XFIXES Extension 6
(XFixesSetClientDisconnectMode)

The handler of XFixesSetClientDisconnectMode does not check the client
request length.

A client could send a shorter request and read data from a former
request.

Introduced in: Xwayland-22.0.99.1 (22.1 RC1)
                Xorg server 21.0.99.1 (21.1 RC1)
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

4) CVE-2025-49178: Unprocessed client request via bytes to ignore

When reading requests from the clients, the input buffer might be shared
and used between different clients.

If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client whose
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.

Introduced in: Xorg 1.10.0
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54ce
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

5) CVE-2025-49179: Integer overflow in X Record extension

The RecordSanityCheckRegisterClients() function in the X Record extension
implementation of the Xserver checks for the request length, but does not
check for integer overflow.

A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.

Introduced in: X11R6.1
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca4
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

6) CVE-2025-49180: Integer overflow in RandR extension
(RRChangeProviderProperty)

A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().

Introduced in: Xorg server version 1.12.99.901 (1.13 RC1)
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b76
      https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.


