Compare commits
2 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 2c679b8034 | |||
| 970471e8bb |
@@ -0,0 +1,38 @@
|
||||
From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Thu, 28 Nov 2024 14:09:04 +0100
|
||||
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
|
||||
|
||||
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
|
||||
key syms to 0 but leave the key actions unchanged.
|
||||
|
||||
If later, the same function is called with a non-zero value for nGroups,
|
||||
this will cause a buffer overflow because the key actions are of the wrong
|
||||
size.
|
||||
|
||||
To avoid the issue, make sure to resize both the key syms and key actions
|
||||
when nGroups is 0.
|
||||
|
||||
CVE-2025-26597, ZDI-CAN-25683
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
src/xkb/XKBMisc.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
Index: libX11-1.8.10/src/xkb/XKBMisc.c
|
||||
===================================================================
|
||||
--- libX11-1.8.10.orig/src/xkb/XKBMisc.c
|
||||
+++ libX11-1.8.10/src/xkb/XKBMisc.c
|
||||
@@ -694,6 +694,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
|
||||
i = XkbSetNumGroups(i, 0);
|
||||
xkb->map->key_sym_map[key].group_info = i;
|
||||
XkbResizeKeySyms(xkb, key, 0);
|
||||
+ XkbResizeKeyActions(xkb, key, 0);
|
||||
return Success;
|
||||
}
|
||||
|
||||
BIN
libX11-1.8.10.tar.xz
LFS
Normal file
BIN
libX11-1.8.10.tar.xz
LFS
Normal file
Binary file not shown.
BIN
libX11-1.8.12.tar.xz
LFS
BIN
libX11-1.8.12.tar.xz
LFS
Binary file not shown.
@@ -1,41 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Mar 9 03:23:20 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- Update to 1.8.12; this release includes:
|
||||
* x11.pc: Add URL field (!280)
|
||||
* xkb: Bring over fixes from Xserver to shared XKB source files (!279)
|
||||
- supersedes U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 25 17:49:10 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
|
||||
Sat Feb 22 13:11:58 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
|
||||
* Buffer overflow in XkbChangeTypesOfKey()
|
||||
(CVE-2025-26597, bsc#1237431)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 3 09:09:16 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- Update to 1.8.11; this release includes:
|
||||
* Close xcb connection after freeing display structure to avoid XIO error
|
||||
when running synchronized (!264)
|
||||
* Don't allocate memory for a zero-sized list of directories when
|
||||
`SetFontPath()` is called with `ndirs == 0` (!266)
|
||||
* Fix `-Werror=array-bounds` build failures with gcc 14.2 when
|
||||
`MALLOC_0_RETURNS_NULL` is defined (!267)
|
||||
* Set `data` field to 0 when initializing new requests (!268)
|
||||
* ximcp: don't leak window if `XGetAtomName()` fails (!269)
|
||||
* ximcp: allow XNArea with OnTheSpot (!270)
|
||||
* ximcp: hide internal functions added in 1.8.10 (!271)
|
||||
* Handle `-Wextra-semi-stmt` warnings from clang (!272)
|
||||
* xkb: avoid undefined behavior due to left shift overflow (#225, !273)
|
||||
* Fix misuse of `UCSConvertCase()` in `XConvertCase()` (!274)
|
||||
* drop `pthread-stubs` dependency on Dragonfly, FreeBSD, & NetBSD (!277)
|
||||
|
||||
Note that a bug in libXrender versions prior to December's 0.9.12 release
|
||||
will cause them to fail to build with the XlibInt.h header from this release,
|
||||
so packagers should be sure to update to libXrender 0.9.12 as well.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 30 13:14:34 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
@@ -74,7 +43,9 @@ Mon Mar 25 01:45:51 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- update to 1.8.8
|
||||
* Fix XIM input sometimes jumbled (#198, !236)
|
||||
(bsc#1252250)
|
||||
* Fix _XkbReadGetDeviceInfoReply for nButtons == dev->buttons (!237)
|
||||
(bsc#1252250)
|
||||
* Drop ifdefs for platforms that are no longer supported (!242, !243)
|
||||
* Assorted memory handling cleanups
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package libX11
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: libX11
|
||||
Version: 1.8.12
|
||||
Version: 1.8.10
|
||||
Release: 0
|
||||
Summary: Core X11 protocol client library
|
||||
License: MIT
|
||||
@@ -32,6 +32,7 @@ Patch1: p_xlib_skip_ext_env.diff
|
||||
# PATCH-FIX-UPSTREAM en-locales.diff fdo#48596 bnc#388711 -- Add missing data for more en locales
|
||||
Patch2: en-locales.diff
|
||||
Patch3: u_no-longer-crash-in-XVisualIDFromVisual.patch
|
||||
Patch1237431: U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: libtool
|
||||
BuildRequires: pkgconfig
|
||||
@@ -121,6 +122,7 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
|
||||
%patch -P 1
|
||||
%patch -P 2
|
||||
%patch -P 3 -p1
|
||||
%patch -P 1237431 -p1
|
||||
|
||||
%build
|
||||
%configure \
|
||||
|
||||
Reference in New Issue
Block a user