820d90bbc5
Resolves: https://issues.redhat.com/browse/RHEL-80201 Resolves: https://issues.redhat.com/browse/RHEL-80186 Resolves: https://issues.redhat.com/browse/RHEL-80188 Resolves: https://issues.redhat.com/browse/RHEL-80191 Resolves: https://issues.redhat.com/browse/RHEL-80192 Resolves: https://issues.redhat.com/browse/RHEL-80199 Resolves: https://issues.redhat.com/browse/RHEL-80198 Resolves: https://issues.redhat.com/browse/RHEL-80200
46 lines
1.4 KiB
Diff
46 lines
1.4 KiB
Diff
From 33dfc78a0f67f4db5558c2374f5a73d262e43671 Mon Sep 17 00:00:00 2001
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
Date: Thu, 28 Nov 2024 14:09:04 +0100
|
|
Subject: [PATCH xserver 05/13] xkb: Fix buffer overflow in
|
|
XkbChangeTypesOfKey()
|
|
|
|
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
|
|
key syms to 0 but leave the key actions unchanged.
|
|
|
|
If later, the same function is called with a non-zero value for nGroups,
|
|
this will cause a buffer overflow because the key actions are of the wrong
|
|
size.
|
|
|
|
To avoid the issue, make sure to resize both the key syms and key actions
|
|
when nGroups is 0.
|
|
|
|
CVE-2025-26597, ZDI-CAN-25683
|
|
|
|
This vulnerability was discovered by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
(cherry picked from commit 0e4ed94952b255c04fe910f6a1d9c852878dcd64)
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1831>
|
|
---
|
|
xkb/XKBMisc.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
|
|
index f17194528..c45471686 100644
|
|
--- a/xkb/XKBMisc.c
|
|
+++ b/xkb/XKBMisc.c
|
|
@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
|
|
i = XkbSetNumGroups(i, 0);
|
|
xkb->map->key_sym_map[key].group_info = i;
|
|
XkbResizeKeySyms(xkb, key, 0);
|
|
+ XkbResizeKeyActions(xkb, key, 0);
|
|
return Success;
|
|
}
|
|
|
|
--
|
|
2.48.1
|
|
|