Amazon Linux 2 Security Advisory: ALAS2-2025-2918
Advisory Released Date: 2025-07-10
Advisory Updated Date: 2025-07-10
A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash. (CVE-2025-49175)
A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check. (CVE-2025-49176)
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service. (CVE-2025-49178)
The RecordSanityCheckRegisterClients() function in the X Record extension implementation of the Xserver checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length. (CVE-2025-49179)
A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. (CVE-2025-49180)
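The multiply-before-check pattern described for the Big Requests flaw, and the overflowing size computations described for the Record and RandR flaws, can be seen in a simplified model. This is an added example, not X.Org server code: the function names, the 16 MiB limit and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this sketch: largest request accepted, in bytes. */
#define MAX_REQUEST_BYTES (16u * 1024u * 1024u)

/* Flawed order: convert 4-byte units to bytes first, then compare.
 * The 32-bit product wraps modulo 2^32, so a very large unit count
 * can become a small byte count that passes the size check. */
bool accept_multiply_then_check(uint32_t length_units)
{
    uint32_t bytes = length_units * 4u;   /* may wrap */
    return bytes <= MAX_REQUEST_BYTES;
}

/* Corrected order: compare in the original units, so nothing is
 * multiplied until the value is known to be in range. */
bool accept_check_then_multiply(uint32_t length_units, uint32_t *bytes_out)
{
    if (length_units > MAX_REQUEST_BYTES / 4u)
        return false;
    *bytes_out = length_units * 4u;       /* cannot wrap here */
    return true;
}

/* Generalization: a total built from client-supplied counts.
 * Rejects any input where header + count * elem_size would not fit
 * in 32 bits, using division so the test itself cannot overflow. */
bool total_size(uint32_t count, uint32_t elem_size, uint32_t header,
                uint32_t *out)
{
    if (elem_size != 0 && count > (UINT32_MAX - header) / elem_size)
        return false;
    *out = header + count * elem_size;
    return true;
}

int main(void)
{
    uint32_t units = 0x40000001u;  /* constructed value: units * 4 wraps to 4 */
    uint32_t bytes = 0;
    printf("multiply-then-check accepts: %d\n", accept_multiply_then_check(units));
    printf("check-then-multiply accepts: %d\n", accept_check_then_multiply(units, &bytes));
    return 0;
}
```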
Affected Packages:
xorg-x11-server
Note:
This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update xorg-x11-server to update your system.
aarch64:
xorg-x11-server-common-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-Xorg-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-Xnest-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-Xdmx-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-Xvfb-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-Xephyr-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-Xwayland-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-devel-1.20.4-22.amzn2.0.9.aarch64
xorg-x11-server-debuginfo-1.20.4-22.amzn2.0.9.aarch64
i686:
xorg-x11-server-common-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-Xorg-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-Xnest-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-Xdmx-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-Xvfb-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-Xephyr-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-Xwayland-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-devel-1.20.4-22.amzn2.0.9.i686
xorg-x11-server-debuginfo-1.20.4-22.amzn2.0.9.i686
noarch:
xorg-x11-server-source-1.20.4-22.amzn2.0.9.noarch
src:
xorg-x11-server-1.20.4-22.amzn2.0.9.src
x86_64:
xorg-x11-server-common-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-Xorg-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-Xnest-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-Xdmx-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-Xvfb-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-Xephyr-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-Xwayland-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-devel-1.20.4-22.amzn2.0.9.x86_64
xorg-x11-server-debuginfo-1.20.4-22.amzn2.0.9.x86_64