diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch new file mode 100644 index 0000000000..8095c3d82c --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch @@ -0,0 +1,50 @@ +From 3baad99f9c15028ed8c3e3d8408e5ec35db155aa Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 16:30:29 +0200 +Subject: [PATCH] xkb: Prevent overflow in XkbSetCompatMap() + +The XkbCompatMap structure stores its "num_si" and "size_si" fields +using an unsigned short. + +However, the function _XkbSetCompatMap() will store the sum of the +input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and +"size_si" without first checking if the sum overflows the maximum +unsigned short value, leading to a possible overflow. + +To avoid the issue, check whether the sum does not exceed the maximum +unsigned short value, or return a "BadValue" error otherwise. + +CVE-2025-62231, ZDI-CAN-27560 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470) + +Part-of: + +CVE: CVE-2025-62231 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa] + +Signed-off-by: Yogita Urade +--- + xkb/xkb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index b7877f5..4e585d1 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + ++ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX) ++ return BadValue; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 9bc67f7761..362b110a0b 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -34,6 +34,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62229.patch \ file://CVE-2025-62230-0001.patch \ file://CVE-2025-62230-0002.patch \ + file://CVE-2025-62231.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"