xserver-xorg: Fix for CVE-2025-26595

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87 (From OE-Core rev: 78d718f0a683f9fb81aa24b39f148d2acf2e1fc6) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-02-27 18:02:00 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-04 08:46:02 -0800
commit: ee975a71000cdd1ca517f589ac9152e7fea7b275 (patch)
tree: 84444172c45e0ab237e0bc0fbd06676933bb5a48 /meta/recipes-graphics
parent: 7a3fba1587550ac21b81879b2a541d2694507a38 (diff)
download: poky-ee975a71000cdd1ca517f589ac9152e7fea7b275.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch
new file mode 100644
index 0000000000..a7478d9e2a
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch
@@ -0,0 +1,65 @@
+From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+There's actually two issues in the code that can lead to a buffer
+overflow.
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+Change the logic to skip the copy entirely if the bound check fails.
+CVE-2025-26595, ZDI-CAN-25545
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87]
+CVE: CVE-2025-26595
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index 0184664207..93262528bb 100644
+--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
+@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
+                if ((str - buf) + len > VMOD_BUFFER_SIZE)
+                    continue; /* Skip */
+                if (str != buf) {
+                    if (format == XkbCFile)
+                        *str++ = '|';
+                    else
+                        *str++ = '+';
+                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 11003db04d..94381a1a16 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2024-9632.patch \
           file://CVE-2025-26594-1.patch \
           file://CVE-2025-26594-2.patch \
+           file://CVE-2025-26595.patch \
           "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-02-27 18:02:00 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-04 08:46:02 -0800
commit	ee975a71000cdd1ca517f589ac9152e7fea7b275 (patch)
tree	84444172c45e0ab237e0bc0fbd06676933bb5a48 /meta/recipes-graphics
parent	7a3fba1587550ac21b81879b2a541d2694507a38 (diff)
download	poky-ee975a71000cdd1ca517f589ac9152e7fea7b275.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch new file mode 100644 index 0000000000..a7478d9e2a --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26595.patch
@@ -0,0 +1,65 @@
		1	From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 27 Nov 2024 14:41:45 +0100
		4	Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
		5
		6	The code in XkbVModMaskText() allocates a fixed sized buffer on the
		7	stack and copies the virtual mod name.
		8
		9	There's actually two issues in the code that can lead to a buffer
		10	overflow.
		11
		12	First, the bound check mixes pointers and integers using misplaced
		13	parenthesis, defeating the bound check.
		14
		15	But even though, if the check fails, the data is still copied, so the
		16	stack overflow will occur regardless.
		17
		18	Change the logic to skip the copy entirely if the bound check fails.
		19
		20	CVE-2025-26595, ZDI-CAN-25545
		21
		22	This vulnerability was discovered by:
		23	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		24
		25	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		26	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		28
		29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87]
		30	CVE: CVE-2025-26595
		31	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		32	---
		33	xkb/xkbtext.c \| 16 ++++++++--------
		34	1 file changed, 8 insertions(+), 8 deletions(-)
		35
		36	diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
		37	index 0184664207..93262528bb 100644
		38	--- a/xkb/xkbtext.c
		39	+++ b/xkb/xkbtext.c
		40	@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
		41	len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
		42	if (format == XkbCFile)
		43	len += 4;
		44	- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
		45	- if (str != buf) {
		46	- if (format == XkbCFile)
		47	- *str++ = '\|';
		48	- else
		49	- *str++ = '+';
		50	- len--;
		51	- }
		52	+ if ((str - buf) + len > VMOD_BUFFER_SIZE)
		53	+ continue; /* Skip */
		54	+ if (str != buf) {
		55	+ if (format == XkbCFile)
		56	+ *str++ = '\|';
		57	+ else
		58	+ *str++ = '+';
		59	+ len--;
		60	}
		61	if (format == XkbCFile)
		62	sprintf(str, "%sMask", tmp);
		63	--
		64	GitLab
		65


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 11003db04d..94381a1a16 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
24	file://CVE-2024-9632.patch \	24	file://CVE-2024-9632.patch \
25	file://CVE-2025-26594-1.patch \	25	file://CVE-2025-26594-1.patch \
26	file://CVE-2025-26594-2.patch \	26	file://CVE-2025-26594-2.patch \
		27	file://CVE-2025-26595.patch \
27	"	28	"
28	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"	29	SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
29		30