xwayland: Fix CVE-2025-26595

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87 (From OE-Core rev: f801e34c07472af8384e69da27271584ee6a8d1c) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-05 19:02:08 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-08 06:22:56 -0800
commit: 612f458a2e46504588ce58ee3a25670db2fd61c8 (patch)
tree: 38607160118fb5975524bdee30f4d848c3ff5b31 /meta
parent: 4c3215680773dc68930b588941d5b3c4ee5396e6 (diff)
download: poky-612f458a2e46504588ce58ee3a25670db2fd61c8.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
new file mode 100644
index 0000000000..a7478d9e2a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
@@ -0,0 +1,65 @@
+From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+There's actually two issues in the code that can lead to a buffer
+overflow.
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+Change the logic to skip the copy entirely if the bound check fails.
+CVE-2025-26595, ZDI-CAN-25545
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87]
+CVE: CVE-2025-26595
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index 0184664207..93262528bb 100644
+--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
+@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
+                if ((str - buf) + len > VMOD_BUFFER_SIZE)
+                    continue; /* Skip */
+                if (str != buf) {
+                    if (format == XkbCFile)
+                        *str++ = '|';
+                    else
+                        *str++ = '+';
+                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 3af0bb9012..2215d2fe4d 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2024-9632.patch \
           file://CVE-2025-26594-1.patch \
           file://CVE-2025-26594-2.patch \
+           file://CVE-2025-26595.patch \
 "
 SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-05 19:02:08 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-08 06:22:56 -0800
commit	612f458a2e46504588ce58ee3a25670db2fd61c8 (patch)
tree	38607160118fb5975524bdee30f4d848c3ff5b31 /meta
parent	4c3215680773dc68930b588941d5b3c4ee5396e6 (diff)
download	poky-612f458a2e46504588ce58ee3a25670db2fd61c8.tar.gz

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch new file mode 100644 index 0000000000..a7478d9e2a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
@@ -0,0 +1,65 @@
		1	From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Wed, 27 Nov 2024 14:41:45 +0100
		4	Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
		5
		6	The code in XkbVModMaskText() allocates a fixed sized buffer on the
		7	stack and copies the virtual mod name.
		8
		9	There's actually two issues in the code that can lead to a buffer
		10	overflow.
		11
		12	First, the bound check mixes pointers and integers using misplaced
		13	parenthesis, defeating the bound check.
		14
		15	But even though, if the check fails, the data is still copied, so the
		16	stack overflow will occur regardless.
		17
		18	Change the logic to skip the copy entirely if the bound check fails.
		19
		20	CVE-2025-26595, ZDI-CAN-25545
		21
		22	This vulnerability was discovered by:
		23	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		24
		25	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		26	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		27	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		28
		29	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87]
		30	CVE: CVE-2025-26595
		31	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		32	---
		33	xkb/xkbtext.c \| 16 ++++++++--------
		34	1 file changed, 8 insertions(+), 8 deletions(-)
		35
		36	diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
		37	index 0184664207..93262528bb 100644
		38	--- a/xkb/xkbtext.c
		39	+++ b/xkb/xkbtext.c
		40	@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
		41	len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
		42	if (format == XkbCFile)
		43	len += 4;
		44	- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
		45	- if (str != buf) {
		46	- if (format == XkbCFile)
		47	- *str++ = '\|';
		48	- else
		49	- *str++ = '+';
		50	- len--;
		51	- }
		52	+ if ((str - buf) + len > VMOD_BUFFER_SIZE)
		53	+ continue; /* Skip */
		54	+ if (str != buf) {
		55	+ if (format == XkbCFile)
		56	+ *str++ = '\|';
		57	+ else
		58	+ *str++ = '+';
		59	+ len--;
		60	}
		61	if (format == XkbCFile)
		62	sprintf(str, "%sMask", tmp);
		63	--
		64	GitLab
		65


diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 3af0bb9012..2215d2fe4d 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
13	file://CVE-2024-9632.patch \	13	file://CVE-2024-9632.patch \
14	file://CVE-2025-26594-1.patch \	14	file://CVE-2025-26594-1.patch \
15	file://CVE-2025-26594-2.patch \	15	file://CVE-2025-26594-2.patch \
		16	file://CVE-2025-26595.patch \
16	"	17	"
17	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"	18	SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
18		19