packages/libxkbfile
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2025-26595

Browse Source
This commit is contained in:
lingsheng 2025-02-27 14:30:42 +08:00
parent b9e396226c
commit e5808cccfd
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
backport-CVE-2025-26595.patch Normal file
View File

@ -0,0 +1,58 @@
From 65977c33a6735b0ffc7d2c691243452f75c1f68c Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 27 Nov 2024 14:41:45 +0100
Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the virtual mod name.
There's actually two issues in the code that can lead to a buffer
overflow.
First, the bound check mixes pointers and integers using misplaced
parenthesis, defeating the bound check.
But even though, if the check fails, the data is still copied, so the
stack overflow will occur regardless.
Change the logic to skip the copy entirely if the bound check fails.
(cherry picked from xorg/xserver@11fcda8753e994e15eb915d28cf487660ec8e722)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/xkbtext.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/xkbtext.c b/src/xkbtext.c
index 4459ca7..59429b2 100644
--- a/src/xkbtext.c
+++ b/src/xkbtext.c
@@ -190,14 +190,14 @@ XkbVModMaskText(Display * dpy,
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
if (format == XkbCFile)
len += 4;
- if ((str - (buf + len)) <= BUFFER_SIZE) {
- if (str != buf) {
- if (format == XkbCFile)
- *str++ = '|';
- else
- *str++ = '+';
- len--;
- }
+ if ((str - buf) + len > BUFFER_SIZE)
+ continue; /* Skip */
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+ else
+ *str++ = '+';
+ len--;
}
if (format == XkbCFile)
sprintf(str, "%sMask", tmp);
--
GitLab

7
libxkbfile.spec
View File

@ -1,11 +1,13 @@
Name: libxkbfile Name: libxkbfile
Version: 1.1.0 Version: 1.1.0
Release: 5 Release: 6
Summary: X11 keyboard file manipulation library Summary: X11 keyboard file manipulation library
License: MIT License: MIT
URL: https://www.x.org URL: https://www.x.org
Source0: https://www.x.org/releases/individual/lib/%{name}-%{version}.tar.bz2 Source0: https://www.x.org/releases/individual/lib/%{name}-%{version}.tar.bz2
Patch6000: backport-CVE-2025-26595.patch
BuildRequires: gcc xorg-x11-proto-devel libX11-devel BuildRequires: gcc xorg-x11-proto-devel libX11-devel
%description %description
@ -49,6 +51,9 @@ make check
%{_libdir}/%{name}.so %{_libdir}/%{name}.so
%changelog %changelog
* Thu Feb 27 2025 lingsheng <lingsheng1@h-partners.com> - 1.1.0-6
- fix CVE-2025-26595
* Wed Oct 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 1.1.0-5 * Wed Oct 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 1.1.0-5
- Rebuild for next release - Rebuild for next release