diff options
| -rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch | 49 | ||||
| -rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb | 1 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch new file mode 100644 index 0000000000..f9df8d75ea --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-26596.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
| 3 | Date: Thu, 28 Nov 2024 11:49:34 +0100 | ||
| 4 | Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms | ||
| 5 | |||
| 6 | The computation of the length in XkbSizeKeySyms() differs from what is | ||
| 7 | actually written in XkbWriteKeySyms(), leading to a heap overflow. | ||
| 8 | |||
| 9 | Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() | ||
| 10 | does. | ||
| 11 | |||
| 12 | CVE-2025-26596, ZDI-CAN-25543 | ||
| 13 | |||
| 14 | This vulnerability was discovered by: | ||
| 15 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
| 16 | |||
| 17 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
| 18 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
| 19 | Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828> | ||
| 20 | |||
| 21 | Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01] | ||
| 22 | CVE: CVE-2025-26596 | ||
| 23 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 24 | --- | ||
| 25 | xkb/xkb.c | 8 ++++---- | ||
| 26 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
| 29 | index 85659382da..744dba63d7 100644 | ||
| 30 | --- a/xkb/xkb.c | ||
| 31 | +++ b/xkb/xkb.c | ||
| 32 | @@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) | ||
| 33 | len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); | ||
| 34 | symMap = &xkb->map->key_sym_map[rep->firstKeySym]; | ||
| 35 | for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { | ||
| 36 | - if (symMap->offset != 0) { | ||
| 37 | - nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; | ||
| 38 | - nSyms += nSymsThisKey; | ||
| 39 | - } | ||
| 40 | + nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; | ||
| 41 | + if (nSymsThisKey == 0) | ||
| 42 | + continue; | ||
| 43 | + nSyms += nSymsThisKey; | ||
| 44 | } | ||
| 45 | len += nSyms * 4; | ||
| 46 | rep->totalSyms = nSyms; | ||
| 47 | -- | ||
| 48 | GitLab | ||
| 49 | |||
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index 94381a1a16..ec6550e545 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb | |||
| @@ -25,6 +25,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat | |||
| 25 | file://CVE-2025-26594-1.patch \ | 25 | file://CVE-2025-26594-1.patch \ |
| 26 | file://CVE-2025-26594-2.patch \ | 26 | file://CVE-2025-26594-2.patch \ |
| 27 | file://CVE-2025-26595.patch \ | 27 | file://CVE-2025-26595.patch \ |
| 28 | file://CVE-2025-26596.patch \ | ||
| 28 | " | 29 | " |
| 29 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" | 30 | SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" |
| 30 | 31 | ||
