File U_CVE-2025-49177-xfixes-Check-request-length-for-SetClientDisconnectM.patch of Package xwayland.39024
From eb1c0386535c5a6451cbf21ca351087ebfafb025 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 10:05:36 +0200
Subject: [PATCH xserver] xfixes: Check request length for
SetClientDisconnectMode
The handler of XFixesSetClientDisconnectMode does not check the client
request length.
A client could send a shorter request and read data from a former
request.
Fix the issue by checking the request size matches.
CVE-2025-49177
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
xfixes/disconnect.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: xwayland-24.1.6/xfixes/disconnect.c
===================================================================
--- xwayland-24.1.6.orig/xfixes/disconnect.c
+++ xwayland-24.1.6/xfixes/disconnect.c
@@ -69,6 +69,7 @@ ProcXFixesSetClientDisconnectMode(Client
ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
REQUEST(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
pDisconnect->disconnect_mode = stuff->disconnect_mode;
@@ -82,7 +83,7 @@ SProcXFixesSetClientDisconnectMode(Clien
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
+ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
swapl(&stuff->disconnect_mode);