Addendum to yesterday's X.Org Security Advisory for CVE-2025-49176:

On 17/06/2025 15:43, Olivier Fourdan wrote:
> [...]
> ======================================================================
>
> 2) CVE-2025-49176: Integer overflow in Big Requests Extension
>
> The Big Requests extension allows requests larger than the 16-bit length
> limit.
>
> It uses integers for the request length and checks for the size not to
> exceed the maxBigRequestSize limit, but does so after translating the
> length to integer by multiplying the given size in bytes by 4.
>
> In doing so, it might overflow the integer size limit before actually
> checking for the overflow, defeating the purpose of the test.
>
> Introduced in: X11R6.0
> Fixed in: xorg-server-21.1.17 and xwayland-24.1.7
> Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b32
> Found by: This issue was discovered by Nils Emmerich and reported by
> Julian Suleder via ERNW Vulnerability Disclosure.

There is another case where the BigRequest length can cause an overflow,
so that requires an additional fix:

Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b

Thanks to Peter Harris for pointing this out.

A fix will be issued in xorg-server-21.1.18 and xwayland-24.1.8 shortly.
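
The check-ordering problem described in the quoted advisory text, modelled as an added example that is not part of the original message and is not xserver code. The function names and the MAX_REQ_UNITS value are assumptions made for illustration, and unsigned 32-bit arithmetic is used so the wraparound is well defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit in 4-byte units; stands in for maxBigRequestSize. */
#define MAX_REQ_UNITS 4194303u

/* Weak ordering: convert to bytes, then compare. uint32_t is used so the
 * wraparound is well defined in this model (signed overflow in C is not). */
static bool accept_check_after_multiply(uint32_t len_units, uint32_t *len_bytes)
{
    *len_bytes = len_units * 4u;              /* wraps modulo 2^32 */
    return *len_bytes <= MAX_REQ_UNITS * 4u;  /* tests the wrapped value */
}

/* Hardened ordering: compare in the units the client sent, then convert. */
static bool accept_check_before_multiply(uint32_t len_units, uint32_t *len_bytes)
{
    if (len_units > MAX_REQ_UNITS)
        return false;
    *len_bytes = len_units * 4u;  /* cannot wrap: MAX_REQ_UNITS * 4 < 2^32 */
    return true;
}

int main(void)
{
    /* Constructed sample lengths, in 4-byte units. */
    const uint32_t samples[] = { 1000u, MAX_REQ_UNITS, MAX_REQ_UNITS + 1u,
                                 0x40000001u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t weak_bytes = 0, safe_bytes = 0;
        bool weak = accept_check_after_multiply(samples[i], &weak_bytes);
        bool safe = accept_check_before_multiply(samples[i], &safe_bytes);
        printf("units=0x%08x  after-multiply: %-6s (bytes=%u)  before-multiply: %s\n",
               (unsigned)samples[i], weak ? "accept" : "reject",
               (unsigned)weak_bytes, safe ? "accept" : "reject");
    }
    return 0;
}
```

A length of 0x40000001 units wraps to 4 bytes and passes the check made after the multiplication, while the check made before it rejects the same value.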