
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN369

_____________________________________________________________________

DATE                : 18/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running X.Org X server versions prior to
                    21.1.17, Xwayland versions prior to 24.1.7.

=====================================================================
https://www.mitel.com/support/mitel-product-security-advisory-misa-2025-0006
_____________________________________________________________________

======================================================================
X.Org Security Advisory: June 17, 2025

Issues in X.Org X server prior to 21.1.17 and Xwayland prior to 24.1.7
======================================================================

Multiple issues have been found in the X server and Xwayland
implementations published by X.Org, for which we are releasing security
fixes in xorg-server-21.1.17 and xwayland-24.1.7.

1) CVE-2025-49175: Out-of-bounds access in X Rendering extension
(Animated cursors)

The X Rendering extension allows creating animated cursors by providing
a list of cursors.

By default, the Xserver assumes at least one cursor is provided while
a client may actually pass no cursor at all, which causes an
out-of-bounds read when creating the animated cursor and a crash of the
Xserver.

Introduced in: X11R6.7 (originally from XFree86 4.3.0)
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b2
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

2) CVE-2025-49176: Integer overflow in Big Requests Extension

The Big Requests extension allows requests larger than the 16-bit
length limit.

It uses integers for the request length and checks for the size not
to exceed the maxBigRequestSize limit, but does so after translating
the length to integer by multiplying the given size in bytes by 4.

In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test.

Introduced in: X11R6.0
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b32
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

3) CVE-2025-49177: Data leak in XFIXES Extension 6
(XFixesSetClientDisconnectMode)

The handler of XFixesSetClientDisconnectMode does not check the
client request length.

A client could send a shorter request and read data from a former
request.

Introduced in: Xwayland-22.0.99.1 (22.1 RC1)
                Xorg server 21.0.99.1 (21.1 RC1)
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.
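
Added example (not code from X.Org or from this advisory): a small C
model of the missing length check in item 3. The 8-byte request layout,
the reused buffer "inbuf", the error code and all function names are
assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BYTES 8u        /* assumed layout: 4-byte header + 32-bit mode */
#define ERR_BAD_LENGTH (-1) /* hypothetical error code for this example */
static uint8_t inbuf[64];   /* input buffer reused from request to request */

/* Flawed handler: reads the mode field without checking the length. */
static int set_mode_unchecked(uint32_t *mode)
{
    memcpy(mode, inbuf + 4, sizeof *mode);
    return 0;
}

/* Hardened handler: the declared length (16-bit count of 4-byte units at
 * offset 2) must equal the size of the request structure. */
static int set_mode_checked(uint32_t *mode)
{
    uint16_t units;
    memcpy(&units, inbuf + 2, sizeof units);
    if (units * 4u != REQ_BYTES)
        return ERR_BAD_LENGTH;
    return set_mode_unchecked(mode);
}

/* Constructed traffic: a full 8-byte request, then a 4-byte one. */
static int scenario(int (*handler)(uint32_t *), uint32_t *mode)
{
    uint8_t prev[8] = {0}, brief[4] = {0};
    uint16_t two = 2, one = 1;
    uint32_t old = 0xDEADBEEFu; /* constructed value in the earlier request */
    memcpy(prev + 2, &two, 2);
    memcpy(prev + 4, &old, 4);
    memcpy(brief + 2, &one, 2);
    memcpy(inbuf, prev, sizeof prev);
    memcpy(inbuf, brief, sizeof brief); /* bytes 4..7 keep the old data */
    *mode = 0;
    return handler(mode);
}

int main(void)
{
    uint32_t a, b;
    int ra = scenario(set_mode_unchecked, &a), rb = scenario(set_mode_checked, &b);
    printf("unchecked rc=%d mode=%#x; checked rc=%d\n", ra, (unsigned)a, rb);
    return 0;
}
```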

4) CVE-2025-49178: Unprocessed client request via bytes to ignore

When reading requests from the clients, the input buffer might be
shared and used between different clients.

If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client
whose request will not be processed because of those bytes to ignore,
leading to a possible hang of the other client request.

Introduced in: Xorg 1.10.0
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54ce
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

5) CVE-2025-49179: Integer overflow in X Record extension

The RecordSanityCheckRegisterClients() function in the X Record
extension implementation of the Xserver checks for the request length,
but does not check for integer overflow.

A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.

Introduced in: X11R6.1
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca4
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.
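
Added example (not code from X.Org or from this advisory): the
check-after-overflow pattern of items 2 and 5, each next to a form that
validates before multiplying. The limit, the header and range sizes and
all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed values for illustration; not taken from the advisory. */
#define MAX_BIG_REQ_UNITS 4194303u /* size limit, in 4-byte units */
#define REC_HDR_BYTES 20u          /* fixed part of the request */
#define REC_RANGE_BYTES 24u        /* one protocol range */

/* Item 2, flawed order: convert to bytes, then compare. uint32_t models
 * the 32-bit wraparound without relying on undefined behaviour. */
static bool bigreq_check_after(uint32_t units, uint32_t *bytes)
{
    *bytes = units * 4u; /* may wrap to a small value */
    return *bytes <= MAX_BIG_REQ_UNITS * 4u;
}

/* Item 2, corrected order: compare in protocol units, then convert. */
static bool bigreq_check_before(uint32_t units, uint32_t *bytes)
{
    if (units > MAX_BIG_REQ_UNITS)
        return false;
    *bytes = units * 4u; /* cannot wrap: units is bounded */
    return true;
}

/* Item 5, flawed: the expected length is computed in 32 bits, so huge
 * counts wrap it back to a value that matches a short request. */
static bool record_len_wrapping(uint32_t req, uint32_t ncli, uint32_t nrng)
{
    return REC_HDR_BYTES + ncli * 4u + nrng * REC_RANGE_BYTES == req;
}

/* Item 5, corrected: bound each count by the room left in the request
 * before multiplying, so no intermediate value can wrap. */
static bool record_len_checked(uint32_t req, uint32_t ncli, uint32_t nrng)
{
    if (req < REC_HDR_BYTES || ncli > (req - REC_HDR_BYTES) / 4u)
        return false;
    uint32_t room = req - REC_HDR_BYTES - ncli * 4u;
    return nrng <= room / REC_RANGE_BYTES && nrng * REC_RANGE_BYTES == room;
}

int main(void)
{
    uint32_t b;
    printf("wrapped length accepted: big=%d record=%d\n",
           bigreq_check_after(0x40000001u, &b),
           record_len_wrapping(20u, 0x40000000u, 0u));
    return 0;
}
```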

6) CVE-2025-49180: Integer overflow in RandR extension
(RRChangeProviderProperty)

A client might send a request causing an integer overflow when
computing the total size to allocate in RRChangeProviderProperty().

Introduced in: Xorg server version 1.12.99.901 (1.13 RC1)
Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b76
      https://gitlab.freedesktop.org/xorg/xserver/-/commit/0235121c
Found by: This issue was discovered by Nils Emmerich and reported by
           Julian Suleder via ERNW Vulnerability Disclosure.

------------------------------------------------------------------------

X.Org thanks all of those who reported and fixed these issues, and
those who helped with the review and release of this advisory and
these fixes.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
