xwayland: Fix CVE-2026-33999

Pick patch according to [2]

[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-33999

(From OE-Core rev: 7060d5970c1c80631ac0c5857fe6b76176f535c9)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Vijay Anusuri
2026-06-19 19:37:46 +05:30
committed by Paul Barker
parent e2d512c2e7
commit b96bba2f35
2 changed files with 50 additions and 0 deletions

View File

@@ -0,0 +1,49 @@
From b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b Mon Sep 17 00:00:00 2001
From: Peter Harris <pharris2@rocketsoftware.com>
Date: Thu, 15 Jan 2026 15:54:09 -0500
Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap
If the "compat" buffer has previously been truncated, there will be
unused space in the buffer. The code uses this space, but does not
update the number of valid entries in the buffer.
In the best case, this leads to the new compat entries being ignored. In the
worst case, if there are any "skipped" compat entries, the number of
valid entries will be corrupted, potentially leading to a buffer read
overrun when processing a future request.
Set the number of used "compat" entries when re-using previously
allocated space in the buffer.
CVE-2026-33999, ZDI-CAN-28593
This vulnerability was discovered by:
Jan-Niklas Sohn working with TrendAI Zero Day Initiative
Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b]
CVE: CVE-2026-33999
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
xkb/xkb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 137d70d..2b9004a 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
return BadAlloc;
}
}
- else if (req->truncateSI) {
+ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
compat->num_si = req->firstSI + req->nSI;
}
sym = &compat->sym_interpret[req->firstSI];
--
2.43.0

View File

@@ -35,6 +35,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-62230-0001.patch \
file://CVE-2025-62230-0002.patch \
file://CVE-2025-62231.patch \
file://CVE-2026-33999.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"