Stefan Dirsch
ed85a28b3f
* This release contains the fixes for the issues reported in
today's security advisory: https://lists.x.org/archives/xorg-announce/2025-February/003584.html
CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597,
CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601.
* Additionally, it reverts a recent Xkb change to fix an issue
with gamescope.
- Drop patches fixed upstream:
* U_CVE-2025-26594-0001-Cursor-Refuse-to-free-the-root-cursor.patch
* U_CVE-2025-26594-0002-dix-keep-a-ref-to-the-rootCursor.patch
* U_CVE-2025-26595-0001-xkb-Fix-buffer-overflow-in-XkbVModMaskText.patch
* U_CVE-2025-26596-0001-xkb-Fix-computation-of-XkbSizeKeySyms.patch
* U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch
* U_CVE-2025-26598-0001-Xi-Fix-barrier-device-search.patch
* U_CVE-2025-26599-0001-composite-Handle-failure-to-redirect-in-compRedirect.patch
* U_CVE-2025-26599-0002-composite-initialize-border-clip-even-when-pixmap-al.patch
* U_CVE-2025-26600-0001-dix-Dequeue-pending-events-on-frozen-device-on-remov.patch
* U_CVE-2025-26601-0001-sync-Do-not-let-sync-objects-uninitialized.patch
* U_CVE-2025-26601-0002-sync-Check-values-before-applying-changes.patch
* U_CVE-2025-26601-0003-sync-Do-not-fail-SyncAddTriggerToSyncObject.patch
* U_CVE-2025-26601-0004-sync-Apply-changes-last-in-SyncChangeAlarmAttributes.patch
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xwayland?expand=0&rev=100
39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Thu, 28 Nov 2024 14:09:04 +0100
|
|
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
|
|
|
|
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
|
|
key syms to 0 but leave the key actions unchanged.
|
|
|
|
If later, the same function is called with a non-zero value for nGroups,
|
|
this will cause a buffer overflow because the key actions are of the wrong
|
|
size.
|
|
|
|
To avoid the issue, make sure to resize both the key syms and key actions
|
|
when nGroups is 0.
|
|
|
|
CVE-2025-26597, ZDI-CAN-25683
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
xkb/XKBMisc.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
Index: xwayland-24.1.4/xkb/XKBMisc.c
|
|
===================================================================
|
|
--- xwayland-24.1.4.orig/xkb/XKBMisc.c
|
|
+++ xwayland-24.1.4/xkb/XKBMisc.c
|
|
@@ -552,6 +552,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
|
|
i = XkbSetNumGroups(i, 0);
|
|
xkb->map->key_sym_map[key].group_info = i;
|
|
XkbResizeKeySyms(xkb, key, 0);
|
|
+ XkbResizeKeyActions(xkb, key, 0);
|
|
return Success;
|
|
}
|
|
|