xwayland: Fix CVE-2025-26597

Patch copied from xserver-xorg recipe. CVE reported for both and patch apply on both. Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949 (From OE-Core rev: a7f4c6b1946e7215d8df561340d7a1cd0b2d5c27) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-04 17:49:14 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:35:36 -0800
commit: d99c2b9b65b2886cff63f626b2316e8130e4c96f (patch)
tree: d914915390bb41b3a68be0753c98c30c743a7d16
parent: 775d6023272d8b7df8f6f88f2921b292011ebd5e (diff)
download: poky-d99c2b9b65b2886cff63f626b2316e8130e4c96f.tar.gz
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
new file mode 100644
index 0000000000..b0735d0b46
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
@@ -0,0 +1,46 @@
+From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 14:09:04 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
+If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
+key syms to 0 but leave the key actions unchanged.
+If later, the same function is called with a non-zero value for nGroups,
+this will cause a buffer overflow because the key actions are of the wrong
+size.
+To avoid the issue, make sure to resize both the key syms and key actions
+when nGroups is 0.
+CVE-2025-26597, ZDI-CAN-25683
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949]
+CVE: CVE-2025-26597
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/XKBMisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
+index abbfed90eb..fd180fad2c 100644
+--- a/xkb/XKBMisc.c
+++ b/xkb/XKBMisc.c
+@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
+         i = XkbSetNumGroups(i, 0);
+         xkb->map->key_sym_map[key].group_info = i;
+         XkbResizeKeySyms(xkb, key, 0);
+        XkbResizeKeyActions(xkb, key, 0);
+         return Success;
+     }
+ 
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 18fe2dbc98..0303e39de4 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26594-2.patch \
           file://CVE-2025-26595.patch \
           file://CVE-2025-26596.patch \
+           file://CVE-2025-26597.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-04 17:49:14 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:35:36 -0800
commit	d99c2b9b65b2886cff63f626b2316e8130e4c96f (patch)
tree	d914915390bb41b3a68be0753c98c30c743a7d16
parent	775d6023272d8b7df8f6f88f2921b292011ebd5e (diff)
download	poky-d99c2b9b65b2886cff63f626b2316e8130e4c96f.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch new file mode 100644 index 0000000000..b0735d0b46 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
@@ -0,0 +1,46 @@
		1	From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Thu, 28 Nov 2024 14:09:04 +0100
		4	Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
		5
		6	If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
		7	key syms to 0 but leave the key actions unchanged.
		8
		9	If later, the same function is called with a non-zero value for nGroups,
		10	this will cause a buffer overflow because the key actions are of the wrong
		11	size.
		12
		13	To avoid the issue, make sure to resize both the key syms and key actions
		14	when nGroups is 0.
		15
		16	CVE-2025-26597, ZDI-CAN-25683
		17
		18	This vulnerability was discovered by:
		19	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		20
		21	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		22	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		23	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		24
		25	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949]
		26	CVE: CVE-2025-26597
		27	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		28	---
		29	xkb/XKBMisc.c \| 1 +
		30	1 file changed, 1 insertion(+)
		31
		32	diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
		33	index abbfed90eb..fd180fad2c 100644
		34	--- a/xkb/XKBMisc.c
		35	+++ b/xkb/XKBMisc.c
		36	@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
		37	i = XkbSetNumGroups(i, 0);
		38	xkb->map->key_sym_map[key].group_info = i;
		39	XkbResizeKeySyms(xkb, key, 0);
		40	+ XkbResizeKeyActions(xkb, key, 0);
		41	return Success;
		42	}
		43
		44	--
		45	GitLab
		46


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 18fe2dbc98..0303e39de4 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
33	file://CVE-2025-26594-2.patch \	33	file://CVE-2025-26594-2.patch \
34	file://CVE-2025-26595.patch \	34	file://CVE-2025-26595.patch \
35	file://CVE-2025-26596.patch \	35	file://CVE-2025-26596.patch \
		36	file://CVE-2025-26597.patch \
36	"	37	"
37	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	38	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
38		39