Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <[email protected]>
and subject line Close 1104026
has caused the Debian Bug report #1104026,
regarding bookworm-pu: package openrazer/3.5.1+dfsg-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104026
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], Dylan Aïssi <[email protected]>

  * CVE-2025-32776: out-of-bounds read

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for openrazer-3.5.1+dfsg openrazer-3.5.1+dfsg

 changelog                                                               |    7 +
 patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch |   50 ++++++++
 patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch |   61 ++++++++++
 patches/series                                                          |    2 
 4 files changed, 120 insertions(+)

diff -Nru openrazer-3.5.1+dfsg/debian/changelog 
openrazer-3.5.1+dfsg/debian/changelog
--- openrazer-3.5.1+dfsg/debian/changelog       2023-02-03 18:07:01.000000000 
+0200
+++ openrazer-3.5.1+dfsg/debian/changelog       2025-04-23 22:45:05.000000000 
+0300
@@ -1,3 +1,10 @@
+openrazer (3.5.1+dfsg-2+deb12u1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-32776: out-of-bounds read
+
+ -- Adrian Bunk <[email protected]>  Wed, 23 Apr 2025 22:45:05 +0300
+
 openrazer (3.5.1+dfsg-2) unstable; urgency=medium
 
   [ Andreas Beckmann ]
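Review bot: The new changelog entry at the top of this hunk targets `unstable`, but the request is a bookworm-pu upload of version 3.5.1+dfsg-2+deb12u1, so the distribution field should read `bookworm`. The `CVE-2025-32776: out-of-bounds read` line would also serve later readers better if it named the two patches it adds or the upstream issue they reference (https://github.com/openrazer/openrazer/issues/2433).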
diff -Nru 
openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
 
openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
--- 
openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
 2025-04-23 22:43:56.000000000 +0300
@@ -0,0 +1,50 @@
+From c56f45e37b75cdfbaee88df40168cee1834db191 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <[email protected]>
+Date: Thu, 10 Apr 2025 20:58:30 +0200
+Subject: driver: Stop copying any custom frame data when parameters are
+ invalid
+
+While the initial idea of this check was to sanitize any a row_length
+value which is too high. But in reality we should just essentially error
+out (which due to the function signature we can't do properly), and stop
+trying to memcpy any data.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razerchromacommon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razerchromacommon.c b/driver/razerchromacommon.c
+index ef9891f9..1e7cdc11 100644
+--- a/driver/razerchromacommon.c
++++ b/driver/razerchromacommon.c
+@@ -480,7 +480,7 @@ struct razer_report 
razer_chroma_standard_matrix_set_custom_frame(unsigned char
+ 
+     if (row_length > sizeof(report.arguments) - start_arg_offset) {
+         printk(KERN_ALERT "razerchroma: RGB data too long\n");
+-        row_length = sizeof(report.arguments) - start_arg_offset;
++        row_length = 0;
+     }
+ 
+     report = get_razer_report(0x03, 0x0B, 0x46); // In theory should be able 
to leave data size at max as we have start/stop
+@@ -766,7 +766,7 @@ struct razer_report 
razer_chroma_extended_matrix_set_custom_frame2(unsigned char
+ 
+     if (row_length > sizeof(report.arguments) - start_arg_offset) {
+         printk(KERN_ALERT "razerchroma: RGB data too long\n");
+-        row_length = sizeof(report.arguments) - start_arg_offset;
++        row_length = 0;
+     }
+ 
+     // Some devices need a specific packet length, most devices are happy 
with 0x47
+@@ -1039,7 +1039,7 @@ struct razer_report 
razer_chroma_misc_one_row_set_custom_frame(unsigned char sta
+ 
+     if (row_length > sizeof(report.arguments) - start_arg_offset) {
+         printk(KERN_ALERT "razerchroma: RGB data too long\n");
+-        row_length = sizeof(report.arguments) - start_arg_offset;
++        row_length = 0;
+     }
+ 
+     report.arguments[0] = start_col;
+-- 
+2.30.2
+
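Review bot: In all three `row_length > sizeof(report.arguments) - start_arg_offset` branches, setting `row_length = 0` stops the copy but the function carries on (the third hunk continues with `report.arguments[0] = start_col;`), so a report carrying the caller's column range and no RGB data is still returned and the caller cannot tell that the input was rejected. The commit message acknowledges that the function signature prevents a proper error; the handlers that call these functions are the place to validate the range and return `-EINVAL` before any report is built. Separately, `printk(KERN_ALERT "razerchroma: RGB data too long\n")` sits on a path reached with an out-of-range length, so repeated bad writes can flood the kernel log at the second-highest severity; a rate-limited warning would fit better.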
diff -Nru 
openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
 
openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
--- 
openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
 2025-04-23 22:43:56.000000000 +0300
@@ -0,0 +1,61 @@
+From 42f4b7c4eab618031b2c9bb19188c69f40900c52 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <[email protected]>
+Date: Thu, 10 Apr 2025 20:34:39 +0200
+Subject: driver: Fix possible integer overflow in write_matrix_custom_frame
+
+When a user passes start_col=0x00 and stop_col=0x55 with the data,
+row_length can easily wrap around leading to undesired behavior
+including out of bounds read while copying data into report.arguments.
+
+Avoid the overflow by making sure the underlying type has enough space
+for the value ((255 + 1) - 0) * 3 = 768.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razeraccessory_driver.c | 2 +-
+ driver/razerkbd_driver.c       | 2 +-
+ driver/razermouse_driver.c     | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razeraccessory_driver.c b/driver/razeraccessory_driver.c
+index 2bfb00e0..0928b0bb 100644
+--- a/driver/razeraccessory_driver.c
++++ b/driver/razeraccessory_driver.c
+@@ -830,7 +830,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct 
device *dev, struct d
+     unsigned char row_id;
+     unsigned char start_col;
+     unsigned char stop_col;
+-    unsigned char row_length;
++    size_t row_length;
+ 
+     //printk(KERN_ALERT "razermyg: Total count: %d\n", (unsigned char)count);
+ 
+diff --git a/driver/razerkbd_driver.c b/driver/razerkbd_driver.c
+index 672f88a0..c647202c 100644
+--- a/driver/razerkbd_driver.c
++++ b/driver/razerkbd_driver.c
+@@ -2484,7 +2484,7 @@ static ssize_t 
razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+     unsigned char row_id;
+     unsigned char start_col;
+     unsigned char stop_col;
+-    unsigned char row_length;
++    size_t row_length;
+ 
+     //printk(KERN_ALERT "razerkbd: Total count: %d\n", (unsigned char)count);
+ 
+diff --git a/driver/razermouse_driver.c b/driver/razermouse_driver.c
+index 01c95f3f..e325920d 100644
+--- a/driver/razermouse_driver.c
++++ b/driver/razermouse_driver.c
+@@ -2230,7 +2230,7 @@ static ssize_t 
razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+     unsigned char row_id;
+     unsigned char start_col;
+     unsigned char stop_col;
+-    unsigned char row_length;
++    size_t row_length;
+ 
+     //printk(KERN_ALERT "razermouse: Total count: %d\n", (unsigned 
char)count);
+ 
+-- 
+2.30.2
+
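Review bot: Widening `row_length` to `size_t` in the three `razer_attr_write_matrix_custom_frame` handlers removes the 8-bit wrap, but none of the hunks shows a check that `start_col <= stop_col`. Going by the commit message's formula `((255 + 1) - 0) * 3`, a `start_col` well above `stop_col` gives a negative intermediate that now converts to a very large `size_t` rather than a small byte value. Unless that is already handled outside the context shown, the handler should reject that ordering explicitly and compare `count` against the expected length before anything is copied, instead of relying on the `row_length = 0` fallback from patch 0001. For reference, the commit message's own example of `start_col=0x00` and `stop_col=0x55` yields 258, which the old `unsigned char` truncated to 2.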
diff -Nru openrazer-3.5.1+dfsg/debian/patches/series 
openrazer-3.5.1+dfsg/debian/patches/series
--- openrazer-3.5.1+dfsg/debian/patches/series  2023-02-03 18:07:01.000000000 
+0200
+++ openrazer-3.5.1+dfsg/debian/patches/series  2025-04-23 22:45:04.000000000 
+0300
@@ -1,2 +1,4 @@
 6322c4ab9d12b5711eead41821fe19149e515afc.patch
 skip-without-CONFIG_USB.patch
+0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
+0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch

--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
