mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2026-05-04 11:48:08 +02:00
8cb23fac62
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
key syms to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value for nGroups,
this will cause a buffer overflow because the key actions are of the wrong
size.
To avoid the issue, make sure to resize both the key syms and key actions
when nGroups is 0.
CVE-2025-26597, ZDI-CAN-25683
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| ddxBeep.c | ||
| ddxCtrls.c | ||
| ddxKillSrv.c | ||
| ddxLEDs.c | ||
| ddxLoad.c | ||
| ddxPrivate.c | ||
| ddxVT.c | ||
| Makefile.am | ||
| maprules.c | ||
| meson.build | ||
| README.compiled | ||
| xkb.c | ||
| xkb.h | ||
| xkbAccessX.c | ||
| xkbActions.c | ||
| XKBAlloc.c | ||
| xkbDflts.h | ||
| xkbEvents.c | ||
| xkbfmisc.c | ||
| XKBGAlloc.c | ||
| xkbgeom.h | ||
| xkbInit.c | ||
| xkbLEDs.c | ||
| XKBMAlloc.c | ||
| XKBMisc.c | ||
| xkbout.c | ||
| xkbPrKeyEv.c | ||
| xkbSwap.c | ||
| xkbtext.c | ||
| xkbUtils.c | ||
| XKM_file_format.txt | ||
| xkmread.c | ||
The X server uses this directory to store the compiled version of the
current keymap and/or any scratch keymaps used by clients. The X server
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time. The default keymap for any server is usually stored in:
X<num>-default.xkm
where <num> is the display number of the server in question, which makes
it possible for several servers *on the same host* to share the same
directory.
Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.