pool/xwayland
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xwayland/U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch

39 lines
1.3 KiB
Diff
Raw Normal View History

- Update to version 24.1.6: * This release contains the fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601. * Additionally, it reverts a recent Xkb change to fix an issue with gamescope. - Drop patches fixed upstream: * U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch * U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch * U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch * U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch * U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch * U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch * U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch * U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch * U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch * U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch * U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch * U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=100
2025-02-26 18:05:32 +00:00
From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 28 Nov 2024 14:09:04 +0100
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
key syms to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value for nGroups,
this will cause a buffer overflow because the key actions are of the wrong
size.
To avoid the issue, make sure to resize both the key syms and key actions
when nGroups is 0.
CVE-2025-26597, ZDI-CAN-25683
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
xkb/XKBMisc.c | 1 +
1 file changed, 1 insertion(+)
Index: xwayland-24.1.4/xkb/XKBMisc.c
===================================================================
--- xwayland-24.1.4.orig/xkb/XKBMisc.c
+++ xwayland-24.1.4/xkb/XKBMisc.c
@@ -552,6 +552,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
i = XkbSetNumGroups(i, 0);
xkb->map->key_sym_map[key].group_info = i;
XkbResizeKeySyms(xkb, key, 0);
+ XkbResizeKeyActions(xkb, key, 0);
return Success;
}
Reference in New Issue Copy Permalink