diff --git a/CVE-2025-68114-capstone-4.x.patch b/CVE-2025-68114-capstone-4.x.patch
new file mode 100644
index 0000000..51fc08c
--- /dev/null
+++ b/CVE-2025-68114-capstone-4.x.patch
@@ -0,0 +1,82 @@
+From: Jon Maloy
+Date: Thu, 12 Mar 2026
+Subject: [PATCH] Fix CVE-2025-68114 and CVE-2025-67873
+
+Backport of upstream commit 2c7797182a1618be12017d7d41e0b6581d5d529e
+to capstone 4.x branch.
+
+CVE-2025-68114: An unchecked vsnprintf return in SStream_concat lets
+a malicious cs_opt_mem.vsnprintf drive SStream's index negative or
+past the end, leading to a stack buffer underflow/overflow.
+
+CVE-2025-67873: skipdata length is not bounds-checked, allowing a
+user-provided skipdata callback to write more than 24 bytes into
+cs_insn.bytes, causing a heap buffer overflow.
+
+Resolves: CVE-2025-68114, CVE-2025-67873
+---
+diff -ruN a/cs.c b/cs.c
+--- a/cs.c 2020-05-08 06:03:30.000000000 -0400
++++ b/cs.c 2026-03-12 20:39:00.815956322 -0400
+@@ -918,8 +918,8 @@
+ // we have to skip some amount of data, depending on arch & mode
+ insn_cache->id = 0; // invalid ID for this "data" instruction
+ insn_cache->address = offset;
+- insn_cache->size = (uint16_t)skipdata_bytes;
+- memcpy(insn_cache->bytes, buffer, skipdata_bytes);
++ insn_cache->size = (uint16_t)(skipdata_bytes > sizeof(insn_cache->bytes) ? sizeof(insn_cache->bytes) : skipdata_bytes);
++ memcpy(insn_cache->bytes, buffer, skipdata_bytes > sizeof(insn_cache->bytes) ? sizeof(insn_cache->bytes) : skipdata_bytes);
+ #ifdef CAPSTONE_DIET
+ insn_cache->mnemonic[0] = '\0';
+ insn_cache->op_str[0] = '\0';
+@@ -1128,12 +1128,12 @@
+ // we have to skip some amount of data, depending on arch & mode
+ insn->id = 0; // invalid ID for this "data" instruction
+ insn->address = *address;
+- insn->size = (uint16_t)skipdata_bytes;
++ insn->size = (uint16_t)(skipdata_bytes > sizeof(insn->bytes) ? sizeof(insn->bytes) : skipdata_bytes);
+ #ifdef CAPSTONE_DIET
+ insn->mnemonic[0] = '\0';
+ insn->op_str[0] = '\0';
+ #else
+- memcpy(insn->bytes, *code, skipdata_bytes);
++ memcpy(insn->bytes, *code, skipdata_bytes > sizeof(insn->bytes) ? sizeof(insn->bytes) : skipdata_bytes);
+ strncpy(insn->mnemonic, handle->skipdata_setup.mnemonic,
+ sizeof(insn->mnemonic) - 1);
+ skipdata_opstr(insn->op_str, *code, skipdata_bytes);
+diff -ruN a/SStream.c b/SStream.c
+--- a/SStream.c 2020-05-08 06:03:30.000000000 -0400
++++ b/SStream.c 2026-03-12 20:39:00.809664584 -0400
+@@ -48,6 +48,10 @@
+ va_start(ap, fmt);
+ ret = cs_vsnprintf(ss->buffer + ss->index, sizeof(ss->buffer) - (ss->index + 1), fmt, ap);
+ va_end(ap);
++ if (ret < 0) {
++ return;
++ }
++ SSTREAM_OVERFLOW_CHECK(ss, ret);
+ ss->index += ret;
+ #endif
+ }
+diff -ruN a/SStream.h b/SStream.h
+--- a/SStream.h 2020-05-08 06:03:30.000000000 -0400
++++ b/SStream.h 2026-03-12 20:39:00.808249452 -0400
+@@ -8,9 +8,17 @@
+
+ typedef struct SStream {
+ char buffer[512];
+- int index;
++ size_t index;
+ } SStream;
+
++#define SSTREAM_OVERFLOW_CHECK(ss, n) \
++ do { \
++ if ((ss)->index + (n) >= sizeof((ss)->buffer)) { \
++ return; \
++ } \
++ } while (0)
++
++
+ void SStream_Init(SStream *ss);
+
+ void SStream_concat(SStream *ss, const char *fmt, ...);
diff --git a/capstone.spec b/capstone.spec
index 7ba4de2..f85b3eb 100644
--- a/capstone.spec
+++ b/capstone.spec
@@ -1,6 +1,6 @@
 Name: capstone
 Version: 4.0.2
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: A lightweight multi-platform, multi-architecture disassembly framework
 
 %global gituser aquynh
@@ -27,6 +27,9 @@ Source0: https://github.com/%{gituser}/%{gitname}/archive/%{version}.tar.
 # See: https://github.com/aquynh/capstone/issues/1339
 # Patch1: 0001-Fix-include-path-in-pkg-config-for-Makefile-too-1339.patch
 
+# CVE-2025-68114: Check vsnprintf return value
+Patch0: CVE-2025-68114-capstone-4.x.patch
+
 %global common_desc %{expand:
 Capstone is a disassembly framework with the target of becoming the ultimate
 disasm engine for binary analysis and reversing in the security community.}
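Review bot: In the second cs.c hunk (around line 1128) `skipdata_opstr(insn->op_str, *code, skipdata_bytes);` still receives the unclamped length although `insn->size` and the `memcpy` right above it now clamp to `sizeof(insn->bytes)`; whether skipdata_opstr bounds its own writes to op_str is not visible in this patch, so confirm that or hand it the clamped value. The clamp ternary is written out three times across the two cs.c hunks; computing it once per function, `size_t n = skipdata_bytes > sizeof(insn->bytes) ? sizeof(insn->bytes) : skipdata_bytes;`, and using `n` for size, memcpy and skipdata_opstr keeps the copies from drifting. In SStream_concat (whose body starts outside the SStream.c hunk) cs_vsnprintf has already written the truncated text at `ss->buffer + ss->index` by the time `SSTREAM_OVERFLOW_CHECK` returns, so buffer contents and index disagree until the next call; restoring the terminator with `ss->buffer[ss->index] = '\0';` before that early return drops the oversized chunk cleanly. The new `SSTREAM_OVERFLOW_CHECK` macro hides a `return;`, which makes it usable only from void functions and worth a comment saying so, e.g. `/* Leaves the (void) caller when n more bytes would not fit in buffer; index must not have been advanced yet. */`. The SStream.h hunk also switches `index` to `size_t` while the header's first lines are outside the hunk, so check that `<stddef.h>` (or an equivalent) is already included, and since only SStream_concat is touched here, confirm that any other SStream.c writer that advances `ss->index` carries the same guard.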
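Review bot: `Patch0:` is only declared in this hunk; nothing in the diff applies it and %prep is outside the change, so unless the spec already uses `%autosetup` (not visible here) a `%patch0 -p1` line in %prep is needed for the fix to reach the build. The comment above it names only CVE-2025-68114 although the patch header and the changelog entry cover CVE-2025-67873 as well; `# CVE-2025-68114, CVE-2025-67873: check vsnprintf return, bound skipdata length` keeps the three in step.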
@@ -232,6 +235,10 @@ make check LD_LIBRARY_PATH="`pwd`"
 %{_javadir}/
 
 %changelog
+* Thu Mar 12 2026 Jon Maloy - 4.0.2-11
+- Fix CVE-2025-68114 (memory corruption) and CVE-2025-67873 (heap buffer overflow)
+ Resolves: RHEL-137760
+
 * Fri Sep 02 2022 Miroslav Rezanina - 4.0.2-10
 - Import to CentOS 9 Stream / RHEL 9