X.Org Security Advisory: multiple security issues X.Org X server and Xwayland
Olivier Fourdan
ofourdan at redhat.com
Wed Jun 18 15:53:27 UTC 2025
Addendum to yesterday's X.Org Security Advisory for CVE-2025-49176:
On 17/06/2025 15:43, Olivier Fourdan wrote:
> [...]
> ======================================================================
>
> 2) CVE-2025-49176: Integer overflow in Big Requests Extension
>
> The Big Requests extension allows requests larger than the 16-bit length
> limit.
>
> It uses integers for the request length and checks for the size not to
> exceed the maxBigRequestSize limit, but does so after translating the
> length to integer by multiplying the given size in bytes by 4.
>
> In doing so, it might overflow the integer size limit before actually
> checking for the overflow, defeating the purpose of the test.
>
> Introduced in: X11R6.0
> Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b32
> Found by: This issue was discovered by Nils Emmerich and reported by
> Julian Suleder via ERNW Vulnerability Disclosure.
There is another case where the BigRequest length can cause an overflow,
so that requires an additional fix:
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b
Thanks to Peter Harris for pointing this out.
A fix will be issued in xorg-server-21.1.18 and xwayland-24.1.8 shortly.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x14706DBE1E4B4540.asc
Type: application/pgp-keys
Size: 2988 bytes
Desc: OpenPGP public key
URL: <https://lists.x.org/archives/xorg/attachments/20250618/9c7c5ec9/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: OpenPGP digital signature
URL: <https://lists.x.org/archives/xorg/attachments/20250618/9c7c5ec9/attachment.sig>
More information about the xorg
mailing list