Sync changes to SLFO-1.2 branch

2025-08-20 09:45:58 +02:00
5 changed files with 71 additions and 37 deletions
--- a/U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
+++ b/U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
@@ -0,0 +1,57 @@
+From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+CVE-2025-26595, ZDI-CAN-25545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+Index: libxkbfile-1.1.2/src/xkbtext.c
+===================================================================
+--- libxkbfile-1.1.2.orig/src/xkbtext.c
+++ libxkbfile-1.1.2/src/xkbtext.c
+@@ -176,14 +176,14 @@ XkbVModMaskText(Display *       dpy,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
+                if ((str - buf) + len > BUFFER_SIZE)
+                    continue; /* Skip */
+                if (str != buf) {
+                    if (format == XkbCFile)
+                        *str++ = '|';
+                    else
+                        *str++ = '+';
+                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
--- a/libxkbfile-1.1.2.tar.xz
+++ b/libxkbfile-1.1.2.tar.xz
--- a/libxkbfile-1.2.0.tar.xz
+++ b/libxkbfile-1.2.0.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7f71884e5faf56fb0e823f3848599cf9b5a9afce51c90982baeb64f635233ebf
-size 57856
--- a/libxkbfile.changes
+++ b/libxkbfile.changes
@@ -1,36 +1,9 @@
 -------------------------------------------------------------------
-Mon Jan 26 13:32:17 UTC 2026 - Stefan Dirsch <sndirsch@suse.com>
-
- update to 1.2.0
-  * This release adds a new XkbRF_FreeVarDefs() API, and brings
-    over many fixes from the other copies of XKB code in the
-    various X.Org repos.
- supersedes U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
-
-------------------------------------------------------------------
-Tue Feb 25 17:41:52 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
+Sat Feb 22 11:11:57 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>

 - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch 
  * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429)

-------------------------------------------------------------------
-Mon Feb  5 11:51:49 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
-
- update to 1.1.3
-  * configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL
-  * Set close-on-exec when opening files
-  * _XkbMakeAtom: remove check for impossible case
-  * _XkbInitAtoms: check for malloc() failure
-  * XkbChangeAtomDisplay: stop leaking atom name
-  * XkbCFReportError: avoid -Wformat-nonliteral warning
-  * XkbWriteCFile: stop leaking header file ifdef name
-  * DefaultParser: avoid -Wimplicit-fallthrough warnings
-  * xkbtext.c: Add tbGetBufferString helper function
-  * XkbIndentText: Fix -Wsign-compare warning
-  * Fix -Wsign-compare warnings in xkbtext.c & xkmread.c
-  * Add a meson build system
-  switched to meson build system
-
 -------------------------------------------------------------------
 Thu Dec  8 20:55:13 UTC 2022 - Dirk Müller <dmueller@suse.com>

--- a/libxkbfile.spec
+++ b/libxkbfile.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libxkbfile
 #
-# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@

 %define lname	libxkbfile1
 Name:           libxkbfile
-Version:        1.2.0
+Version:        1.1.2
 Release:        0
 Summary:        X11 keyboard file manipulation library
 License:        MIT
@@ -28,7 +28,10 @@ URL:            https://xorg.freedesktop.org/
 #Git-Web:	http://cgit.freedesktop.org/xorg/lib/libxkbfile/
 Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
-BuildRequires:  meson
+Patch1237429:   U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
+BuildRequires:  autoconf >= 2.60
+BuildRequires:  automake
+BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(kbproto)
 BuildRequires:  pkgconfig(x11)
@@ -69,11 +72,12 @@ in %{lname}.
 %autosetup -p1

 %build
-%meson
-%meson_build
+%configure --disable-static
+%make_build

 %install
-%meson_install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print

 %post -n %{lname} -p /sbin/ldconfig
 %postun -n %{lname} -p /sbin/ldconfig