fix CVE-2025-26595

2025-02-27 14:30:42 +08:00 · 2025-02-27 14:30:42 +08:00 · e5808cccfd
commit e5808cccfd
parent b9e396226c
2 changed files with 64 additions and 1 deletions
--- a/backport-CVE-2025-26595.patch
+++ b/backport-CVE-2025-26595.patch
@ -0,0 +1,58 @@
+From 65977c33a6735b0ffc7d2c691243452f75c1f68c Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+(cherry picked from xorg/xserver@11fcda8753e994e15eb915d28cf487660ec8e722)
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/xkbtext.c b/src/xkbtext.c
+index 4459ca7..59429b2 100644
+--- a/src/xkbtext.c
+++ b/src/xkbtext.c
+@@ -190,14 +190,14 @@ XkbVModMaskText(Display *       dpy,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
+                if ((str - buf) + len > BUFFER_SIZE)
+                    continue; /* Skip */
+                if (str != buf) {
+                    if (format == XkbCFile)
+                        *str++ = '|';
+                    else
+                        *str++ = '+';
+                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
+-- 
+GitLab
+
--- a/libxkbfile.spec
+++ b/libxkbfile.spec
@ -1,11 +1,13 @@
 Name:		libxkbfile
 Version:	1.1.0
-Release:	5
+Release:	6
 Summary:	X11 keyboard file manipulation library
 License:	MIT
 URL:		https://www.x.org
 Source0:	https://www.x.org/releases/individual/lib/%{name}-%{version}.tar.bz2

+Patch6000:      backport-CVE-2025-26595.patch
+
 BuildRequires:	gcc xorg-x11-proto-devel libX11-devel

 %description
@ -49,6 +51,9 @@ make check
 %{_libdir}/%{name}.so

 %changelog
+* Thu Feb 27 2025 lingsheng <lingsheng1@h-partners.com> - 1.1.0-6
+- fix CVE-2025-26595
+
 * Wed Oct 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 1.1.0-5
 - Rebuild for next release