Amazon Linux 2023 Security Advisory: ALAS2023-2025-1062
Advisory Released Date: 2025-07-10
Advisory Updated Date: 2025-07-10
A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash. (CVE-2025-49175)
A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check. (CVE-2025-49176)
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests. (CVE-2025-49177)
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service. (CVE-2025-49178)
The RecordSanityCheckRegisterClients() function in the X server's Record extension implementation checks the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges, causing an integer overflow in the request length computation and defeating the request length check. (CVE-2025-49179)
A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. (CVE-2025-49180)
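The overflow-before-check pattern described for CVE-2025-49176, and the related size computations in CVE-2025-49179 and CVE-2025-49180, shown as an added C example; it is not X server code and not part of the advisory. The MAX_REQUEST_BYTES limit, the function names and the sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limit in bytes; not the X server's actual value. */
#define MAX_REQUEST_BYTES (16u * 1024u * 1024u)

/* Flawed: the length (in 4-byte units) is scaled to bytes in 32-bit
 * arithmetic before the comparison, so a large value wraps and passes. */
bool length_ok_flawed(uint32_t length_words)
{
    uint32_t bytes = length_words * 4u;   /* wraps modulo 2^32 */
    return bytes <= MAX_REQUEST_BYTES;
}

/* Checked: compare in the original units, so no multiplication can wrap. */
bool length_ok_checked(uint32_t length_words)
{
    return length_words <= MAX_REQUEST_BYTES / 4u;
}

/* Checked size computed from two client-supplied 32-bit counts: widen to
 * 64 bits first. (2^32-1)^2 + (2^32-1) still fits in a uint64_t. */
bool total_size_checked(uint32_t n_items, uint32_t item_size,
                        uint32_t header, size_t *out)
{
    uint64_t total = (uint64_t)n_items * item_size + header;
    if (total > MAX_REQUEST_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

int main(void)
{
    uint32_t huge = 0x40000001u;   /* constructed input: * 4 wraps to 4 */
    size_t sz = 0;
    printf("flawed accepts huge:  %d\n", length_ok_flawed(huge));
    printf("checked accepts huge: %d\n", length_ok_checked(huge));
    printf("65536 x 65536 + 8 accepted: %d\n",
           total_size_checked(0x10000u, 0x10000u, 8u, &sz));
    return 0;
}
```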
Affected Packages:
xorg-x11-server-Xwayland
Issue Correction:
Run dnf update xorg-x11-server-Xwayland --releasever 2023.8.20250707 to update your system.
aarch64:
xorg-x11-server-Xwayland-debuginfo-24.1.3-1.amzn2023.0.2.aarch64
xorg-x11-server-Xwayland-devel-24.1.3-1.amzn2023.0.2.aarch64
xorg-x11-server-Xwayland-24.1.3-1.amzn2023.0.2.aarch64
xorg-x11-server-Xwayland-debugsource-24.1.3-1.amzn2023.0.2.aarch64
src:
xorg-x11-server-Xwayland-24.1.3-1.amzn2023.0.2.src
x86_64:
xorg-x11-server-Xwayland-devel-24.1.3-1.amzn2023.0.2.x86_64
xorg-x11-server-Xwayland-debuginfo-24.1.3-1.amzn2023.0.2.x86_64
xorg-x11-server-Xwayland-24.1.3-1.amzn2023.0.2.x86_64
xorg-x11-server-Xwayland-debugsource-24.1.3-1.amzn2023.0.2.x86_64