Compare commits
1 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 019f5506ee |
@@ -1,57 +0,0 @@
|
||||
From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Wed, 27 Nov 2024 14:41:45 +0100
|
||||
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
|
||||
|
||||
The code in XkbVModMaskText() allocates a fixed sized buffer on the
|
||||
stack and copies the virtual mod name.
|
||||
|
||||
There's actually two issues in the code that can lead to a buffer
|
||||
overflow.
|
||||
|
||||
First, the bound check mixes pointers and integers using misplaced
|
||||
parenthesis, defeating the bound check.
|
||||
|
||||
But even though, if the check fails, the data is still copied, so the
|
||||
stack overflow will occur regardless.
|
||||
|
||||
Change the logic to skip the copy entirely if the bound check fails.
|
||||
|
||||
CVE-2025-26595, ZDI-CAN-25545
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
src/xkbtext.c | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
Index: libxkbfile-1.1.2/src/xkbtext.c
|
||||
===================================================================
|
||||
--- libxkbfile-1.1.2.orig/src/xkbtext.c
|
||||
+++ libxkbfile-1.1.2/src/xkbtext.c
|
||||
@@ -176,14 +176,14 @@ XkbVModMaskText(Display * dpy,
|
||||
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
|
||||
if (format == XkbCFile)
|
||||
len += 4;
|
||||
- if ((str - (buf + len)) <= BUFFER_SIZE) {
|
||||
- if (str != buf) {
|
||||
- if (format == XkbCFile)
|
||||
- *str++ = '|';
|
||||
- else
|
||||
- *str++ = '+';
|
||||
- len--;
|
||||
- }
|
||||
+ if ((str - buf) + len > BUFFER_SIZE)
|
||||
+ continue; /* Skip */
|
||||
+ if (str != buf) {
|
||||
+ if (format == XkbCFile)
|
||||
+ *str++ = '|';
|
||||
+ else
|
||||
+ *str++ = '+';
|
||||
+ len--;
|
||||
}
|
||||
if (format == XkbCFile)
|
||||
sprintf(str, "%sMask", tmp);
|
||||
@@ -1,9 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Feb 22 11:11:57 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
|
||||
* Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 8 20:55:13 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
|
||||
@@ -28,7 +28,6 @@ URL: https://xorg.freedesktop.org/
|
||||
#Git-Web: http://cgit.freedesktop.org/xorg/lib/libxkbfile/
|
||||
Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.xz
|
||||
Source1: baselibs.conf
|
||||
Patch1237429: U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
|
||||
BuildRequires: autoconf >= 2.60
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
@@ -69,7 +68,7 @@ This package contains the development headers for the library found
|
||||
in %{lname}.
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
%setup -q
|
||||
|
||||
%build
|
||||
%configure --disable-static
|
||||
|
||||
Reference in New Issue
Block a user