Stefan Dirsch
23bed497f0 Fix for CVE-2018-15863/CVE-2018-15861/CVE-2018-15859/CVE-2018-15853 (bsc#1105832)
- 0001-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch
  (CVE-2018-15863, bsc#1105832)
- 0002-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch
  (CVE-2018-15861, bsc#1105832)
- 0003-Fail-expression-lookup-on-invalid-atoms.patch
  (CVE-2018-15859, bsc#1105832)
- 0004-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch
  (CVE-2018-15853, bsc#1105832)
2025-12-10 15:45:06 +01:00
6 changed files with 181 additions and 1 deletions


@@ -0,0 +1,44 @@
From fa10dbc2ca8bcb45bcecb433520de755e628ca91 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniels@collabora.com>
Date: Mon, 26 Jun 2017 17:12:29 +0100
Subject: [PATCH 1/5] xkbcomp: Don't crash on no-op modmask expressions
If we have an expression of the form 'l1' in an interp section, we
unconditionally try to dereference its args, even if it has none.
CVE-2018-15863
Identical to libxkbcommon commit 96df3106d49438e442510c59acad306e94f3db4d
https://github.com/xkbcommon/libxkbcommon/commit/96df3106d49438e442510c59acad306e94f3db4d
Part-of: <https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/merge_requests/38>
---
compat.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/compat.c b/compat.c
index 84dc061..3ab8bd5 100644
--- a/compat.c
+++ b/compat.c
@@ -307,6 +307,8 @@ ResolveStateAndPredicate(const ExprDef *expr,
{
char *pred_txt =
XkbAtomText(NULL, expr->value.action.name, XkbMessage);
+ if (!pred_txt || !expr->value.action.args)
+ goto leave;
if (uStrCaseCmp(pred_txt, "noneof") == 0)
*pred_rtrn = XkbSI_NoneOf;
else if (uStrCaseCmp(pred_txt, "anyofornone") == 0)
@@ -319,7 +321,8 @@ ResolveStateAndPredicate(const ExprDef *expr,
*pred_rtrn = XkbSI_Exactly;
else
{
- ERROR("Illegal modifier predicate \"%s\"\n", pred_txt);
+leave: ERROR("Illegal modifier predicate \"%s\"\n",
+ (pred_txt ? pred_txt : "(none)"));
ACTION("Ignored\n");
return False;
}
--
2.51.0
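Review bot: When the predicate name resolves but the expression carries no arguments, the new `goto leave` lands on the "Illegal modifier predicate" message, so a correctly spelled predicate is reported as illegal when the real problem is the missing argument list. Handling the guard with its own early exit gives an accurate diagnostic and avoids jumping to a label placed inside the final `else` block; the original `ERROR` line in that `else` could then stay as it was. ResolveStateAndPredicate begins and ends outside both hunks, so the later use of `args` is inferred from the patch description rather than visible here.

```c
    XkbAtomText(NULL, expr->value.action.name, XkbMessage);
if (!pred_txt || !expr->value.action.args)
{
    ERROR("Modifier predicate \"%s\" is missing or has no arguments\n",
          (pred_txt ? pred_txt : "(none)"));
    ACTION("Ignored\n");
    return False;
}
/* … unchanged: uStrCaseCmp() chain selecting *pred_rtrn … */
```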


@@ -0,0 +1,37 @@
From c342635409cd687da0eda323ef4f165b11565052 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniels@collabora.com>
Date: Mon, 26 Jun 2017 17:21:45 +0100
Subject: [PATCH 2/5] xkbcomp: Don't falsely promise from ExprResolveLhs
Every user of ExprReturnLhs goes on to unconditionally dereference the
field return, which can be NULL if xkb_intern_atom fails. Return false
if this is the case, so we fail safely.
Testcase: splice geometry data into interp
CVE-2018-15861
Identical to libxkbcommon commit 38e1766bc6e20108948aec8a0b222a4bad0254e9
https://github.com/xkbcommon/libxkbcommon/commit/38e1766bc6e20108948aec8a0b222a4bad0254e9
Part-of: <https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/merge_requests/38>
---
expr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/expr.c b/expr.c
index f31f412..3df9d8f 100644
--- a/expr.c
+++ b/expr.c
@@ -136,7 +136,7 @@ ExprResolveLhs(const ExprDef *expr, ExprResult *elem_rtrn,
elem_rtrn->str = NULL;
field_rtrn->str = XkbAtomGetString(NULL, expr->value.str);
*index_rtrn = NULL;
- return True;
+ return (field_rtrn->str != NULL);
case ExprFieldRef:
elem_rtrn->str = XkbAtomGetString(NULL, expr->value.field.element);
field_rtrn->str = XkbAtomGetString(NULL, expr->value.field.field);
--
2.51.0
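Review bot: The failure return in the `ExprIdent` case comes after `elem_rtrn->str`, `field_rtrn->str` and `*index_rtrn` have already been written, so a caller that ignores the result still sees a NULL `field_rtrn->str`. The fix therefore depends on every caller checking the return value, and that contract is not stated anywhere in the hunk. A comment above the function would record it, for example `/* Returns False if an atom has no string; the *_rtrn outputs must not be used in that case. */`. The same write-then-fail pattern appears in the `ExprFieldRef` and `ExprArrayRef` cases changed by 0003. ExprResolveLhs begins and ends outside this hunk.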


@@ -0,0 +1,42 @@
From 895e080b237e346a43a31edf9dee6143c2abf230 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniels@collabora.com>
Date: Mon, 30 Oct 2017 11:21:55 +0000
Subject: [PATCH 3/5] Fail expression lookup on invalid atoms
If we fail atom lookup, then we should not claim that we successfully
looked up the expression.
CVE-2018-15859
Identical to libxkbcommon commit bb4909d2d8fa6b08155e449986a478101e2b2634
https://github.com/xkbcommon/libxkbcommon/commit/bb4909d2d8fa6b08155e449986a478101e2b2634
Part-of: <https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/merge_requests/38>
---
expr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/expr.c b/expr.c
index 3df9d8f..27a71ee 100644
--- a/expr.c
+++ b/expr.c
@@ -141,11 +141,15 @@ ExprResolveLhs(const ExprDef *expr, ExprResult *elem_rtrn,
elem_rtrn->str = XkbAtomGetString(NULL, expr->value.field.element);
field_rtrn->str = XkbAtomGetString(NULL, expr->value.field.field);
*index_rtrn = NULL;
- return True;
+ return (elem_rtrn->str != NULL && field_rtrn->str != NULL);
case ExprArrayRef:
elem_rtrn->str = XkbAtomGetString(NULL, expr->value.array.element);
field_rtrn->str = XkbAtomGetString(NULL, expr->value.array.field);
*index_rtrn = expr->value.array.entry;
+ if (expr->value.array.element != None && elem_rtrn->str == NULL)
+ return False;
+ if (field_rtrn->str == NULL)
+ return False;
return True;
}
WSGO("Unexpected operator %d in ResolveLhs\n", expr->op);
--
2.51.0
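Review bot: The `ExprArrayRef` case accepts an element of `None` and rejects only a named element that fails to resolve, while the `ExprFieldRef` case just above requires both strings to be non-NULL; nothing in the code explains the difference. A comment before the first new check would keep a later cleanup from making the two cases identical, e.g. `/* the element is optional in an array reference; only a named element that does not resolve is an error */`. That rationale is inferred from the `!= None` test and should be confirmed against the grammar. ExprResolveLhs begins outside the hunk.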


@@ -0,0 +1,41 @@
From da836764573298c53c625c6c237ab5211b2d3adf Mon Sep 17 00:00:00 2001
From: Ran Benita <ran234@gmail.com>
Date: Sat, 10 Mar 2018 23:10:47 +0200
Subject: [PATCH 4/5] xkbcomp: fix stack overflow when evaluating boolean
negation
The expression evaluator would go into an infinite recursion when
evaluating something like this as a boolean: `!True`. Instead of
recursing to just `True` and negating, it recursed to `!True` itself
again.
Bug inherited from xkbcomp.
Caught with the afl fuzzer.
CVE-2018-15853
Identical to libxkbcommon commit 1f9d1248c07cda8aaff762429c0dce146de8632a
https://github.com/xkbcommon/libxkbcommon/commit/1f9d1248c07cda8aaff762429c0dce146de8632a
Part-of: <https://gitlab.freedesktop.org/xorg/app/xkbcomp/-/merge_requests/38>
---
expr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/expr.c b/expr.c
index 27a71ee..f58cc7f 100644
--- a/expr.c
+++ b/expr.c
@@ -443,7 +443,7 @@ ExprResolveBoolean(const ExprDef *expr, ExprResult *val_rtrn,
return ok;
case OpInvert:
case OpNot:
- ok = ExprResolveBoolean(expr, val_rtrn, lookup, lookupPriv);
+ ok = ExprResolveBoolean(expr->value.child, val_rtrn, lookup, lookupPriv);
if (ok)
val_rtrn->uval = !val_rtrn->uval;
return ok;
--
2.51.0
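Review bot: With the `OpNot`/`OpInvert` case now descending into `expr->value.child`, the recursion depth of ExprResolveBoolean is set by how deeply the parsed expression is nested, and nothing in this hunk bounds it. Whether the parser already caps nesting is not visible here; if it does, a comment at this call saying so would help, e.g. `/* depth is bounded by the parser's nesting limit */`, and if it does not, a depth limit belongs on this path. The function begins and ends outside the hunk.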


@@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Dec 10 14:30:10 UTC 2025 - Stefan Dirsch <sndirsch@suse.com>
- 0001-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch
(CVE-2018-15863, bsc#1105832)
- 0002-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch
(CVE-2018-15861, bsc#1105832)
- 0003-Fail-expression-lookup-on-invalid-atoms.patch
(CVE-2018-15859, bsc#1105832)
- 0004-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch
(CVE-2018-15853, bsc#1105832)
-------------------------------------------------------------------
Sun Feb 4 21:06:20 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>


@@ -24,6 +24,10 @@ License: MIT
Group: System/X11/Utilities
URL: https://xorg.freedesktop.org/
Source0: https://xorg.freedesktop.org/releases/individual/app/%{name}-%{version}.tar.xz
Patch1: 0001-xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch
Patch2: 0002-xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch
Patch3: 0003-Fail-expression-lookup-on-invalid-atoms.patch
Patch4: 0004-xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch
BuildRequires: bison
BuildRequires: pkgconfig
BuildRequires: pkgconfig(x11)
@@ -47,7 +51,7 @@ The xkbcomp keymap compiler converts a description of an XKB keymap
into one of several output formats.
%prep
%setup -q
%autosetup -p1
%build
%configure
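Review bot: The four patch files added by this commit identify themselves as parts 1 to 4 of a five-part series (`[PATCH n/5]` in their Subject lines), but only `Patch1` to `Patch4` are declared here, so the spec does not show whether the fifth patch of the upstream merge request was left out on purpose. A comment above `Patch1:` would record the decision, for example `# PATCH 5/5 of upstream xkbcomp MR 38 not included: <reason>`. Because `%autosetup -p1` applies every declared patch in order, and 0003 and 0004 are diffs against the `expr.c` produced by the preceding patch (per their `index` lines), the numeric order of the `PatchN` tags has to be kept.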