Stefan Dirsch
f15e897874
U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * Use-after-free of the root cursor (CVE-2025-26594, bsc#1237427) - U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * Buffer overflow in XkbVModMaskText() (CVE-2025-26595, bsc#1237429) - U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * Heap overflow in XkbWriteKeySyms() (CVE-2025-26596, bsc#1237430) - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) - U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * Out-of-bounds write in CreatePointerBarrierClient() (CVE-2025-26598, bsc#1237432) - U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * Use of uninitialized pointer in compRedirectWindow() (CVE-2025-26599, bsc#1237433) - U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * Use-after-free in PlayReleasedEvents() (CVE-2025-26600, bsc#1237434) - U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch * Use-after-free in SyncInitTrigger() (CVE-2025-26601, bsc#1237435) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=907
58 lines
2.1 KiB
Diff
58 lines
2.1 KiB
Diff
From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Wed, 27 Nov 2024 14:41:45 +0100
|
|
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
|
|
|
|
The code in XkbVModMaskText() allocates a fixed sized buffer on the
|
|
stack and copies the virtual mod name.
|
|
|
|
There's actually two issues in the code that can lead to a buffer
|
|
overflow.
|
|
|
|
First, the bound check mixes pointers and integers using misplaced
|
|
parenthesis, defeating the bound check.
|
|
|
|
But even though, if the check fails, the data is still copied, so the
|
|
stack overflow will occur regardless.
|
|
|
|
Change the logic to skip the copy entirely if the bound check fails.
|
|
|
|
CVE-2025-26595, ZDI-CAN-25545
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
xkb/xkbtext.c | 16 ++++++++--------
|
|
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
|
|
Index: xwayland-22.1.5/xkb/xkbtext.c
|
|
===================================================================
|
|
--- xwayland-22.1.5.orig/xkb/xkbtext.c
|
|
+++ xwayland-22.1.5/xkb/xkbtext.c
|
|
@@ -175,14 +175,14 @@ XkbVModMaskText(XkbDescPtr xkb,
|
|
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
|
|
if (format == XkbCFile)
|
|
len += 4;
|
|
- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
|
|
- if (str != buf) {
|
|
- if (format == XkbCFile)
|
|
- *str++ = '|';
|
|
- else
|
|
- *str++ = '+';
|
|
- len--;
|
|
- }
|
|
+ if ((str - buf) + len > VMOD_BUFFER_SIZE)
|
|
+ continue; /* Skip */
|
|
+ if (str != buf) {
|
|
+ if (format == XkbCFile)
|
|
+ *str++ = '|';
|
|
+ else
|
|
+ *str++ = '+';
|
|
+ len--;
|
|
}
|
|
if (format == XkbCFile)
|
|
sprintf(str, "%sMask", tmp);
|