2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
new file mode 100644
index 0000000000..b0735d0b46
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
@@ -0,0 +1,46 @@
+From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 14:09:04 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
+If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
+key syms to 0 but leave the key actions unchanged.
+If later, the same function is called with a non-zero value for nGroups,
+this will cause a buffer overflow because the key actions are of the wrong
+size.
+To avoid the issue, make sure to resize both the key syms and key actions
+when nGroups is 0.
+CVE-2025-26597, ZDI-CAN-25683
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949]
+CVE: CVE-2025-26597
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/XKBMisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
+index abbfed90eb..fd180fad2c 100644
+--- a/xkb/XKBMisc.c
+++ b/xkb/XKBMisc.c
+@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
+         i = XkbSetNumGroups(i, 0);
+         xkb->map->key_sym_map[key].group_info = i;
+         XkbResizeKeySyms(xkb, key, 0);
+        XkbResizeKeyActions(xkb, key, 0);
+         return Success;
+     }
+ 
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 18fe2dbc98..0303e39de4 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
           file://CVE-2025-26594-2.patch \
           file://CVE-2025-26595.patch \
           file://CVE-2025-26596.patch \
+           file://CVE-2025-26597.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch new file mode 100644 index 0000000000..b0735d0b46 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch
@@ -0,0 +1,46 @@
		1	From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001
		2	From: Olivier Fourdan <ofourdan@redhat.com>
		3	Date: Thu, 28 Nov 2024 14:09:04 +0100
		4	Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
		5
		6	If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
		7	key syms to 0 but leave the key actions unchanged.
		8
		9	If later, the same function is called with a non-zero value for nGroups,
		10	this will cause a buffer overflow because the key actions are of the wrong
		11	size.
		12
		13	To avoid the issue, make sure to resize both the key syms and key actions
		14	when nGroups is 0.
		15
		16	CVE-2025-26597, ZDI-CAN-25683
		17
		18	This vulnerability was discovered by:
		19	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		20
		21	Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
		22	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
		23	Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
		24
		25	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949]
		26	CVE: CVE-2025-26597
		27	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		28	---
		29	xkb/XKBMisc.c \| 1 +
		30	1 file changed, 1 insertion(+)
		31
		32	diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
		33	index abbfed90eb..fd180fad2c 100644
		34	--- a/xkb/XKBMisc.c
		35	+++ b/xkb/XKBMisc.c
		36	@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
		37	i = XkbSetNumGroups(i, 0);
		38	xkb->map->key_sym_map[key].group_info = i;
		39	XkbResizeKeySyms(xkb, key, 0);
		40	+ XkbResizeKeyActions(xkb, key, 0);
		41	return Success;
		42	}
		43
		44	--
		45	GitLab
		46


diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 18fe2dbc98..0303e39de4 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
33	file://CVE-2025-26594-2.patch \	33	file://CVE-2025-26594-2.patch \
34	file://CVE-2025-26595.patch \	34	file://CVE-2025-26595.patch \
35	file://CVE-2025-26596.patch \	35	file://CVE-2025-26596.patch \
		36	file://CVE-2025-26597.patch \
36	"	37	"
37	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"	38	SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
38		39