[oe] [meta-oe][scarthgap][RFC PATCH 11/14] tigervnc: patch CVE-2025-26598

Tue, 27 Jan 2026 05:01:46 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26598

Pick the patch that explicitly mentions the CVE ID in its commit message.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../tigervnc/files/CVE-2025-26598.patch       | 122 ++++++++++++++++++
 .../tigervnc/tigervnc_1.11.0.bb               |   1 +
 2 files changed, 123 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch

diff --git a/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch 
b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch
new file mode 100644
index 0000000000..8ce3606fa5
--- /dev/null
+++ b/meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch
@@ -0,0 +1,122 @@
+From ad498de18aab5d1095b2005a9555c003860b92bd Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH] Xi: Fix barrier device search
+
+From: Olivier Fourdan <[email protected]>
+
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+
+CVE-2025-26598, ZDI-CAN-25740
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <[email protected]>
+Reviewed-by: Peter Hutterer <[email protected]>
+(cherry picked from commit bba9df1a9d57234c76c0b93f88dacb143d01bca2)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830>
+(cherry picked from commit 32decb1efb89341881de8266f3dd1c3356981bfd)
+
+CVE: CVE-2025-26598
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/32decb1efb89341881de8266f3dd1c3356981bfd]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index 1926762ad..cb336f22b 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -129,14 +129,15 @@ static void FreePointerBarrierClient(struct 
PointerBarrierClient *c)
+ 
+ static struct PointerBarrierDevice *GetBarrierDevice(struct 
PointerBarrierClient *c, int deviceid)
+ {
+-    struct PointerBarrierDevice *pbd = NULL;
++    struct PointerBarrierDevice *p, *pbd = NULL;
+ 
+-    xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+-        if (pbd->deviceid == deviceid)
++    xorg_list_for_each_entry(p, &c->per_device, entry) {
++        if (p->deviceid == deviceid) {
++            pbd = p;
+             break;
++        }
+     }
+ 
+-    BUG_WARN(!pbd);
+     return pbd;
+ }
+ 
+@@ -337,6 +338,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
+         double distance;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
++        if (!pbd)
++            continue;
++
+         if (pbd->seen)
+             continue;
+ 
+@@ -445,6 +449,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         nearest = &c->barrier;
+ 
+         pbd = GetBarrierDevice(c, master->id);
++        if (!pbd)
++            continue;
++
+         new_sequence = !pbd->hit;
+ 
+         pbd->seen = TRUE;
+@@ -485,6 +492,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         int flags = 0;
+ 
+         pbd = GetBarrierDevice(c, master->id);
++        if (!pbd)
++            continue;
++
+         pbd->seen = FALSE;
+         if (!pbd->hit)
+             continue;
+@@ -679,6 +689,9 @@ BarrierFreeBarrier(void *data, XID id)
+             continue;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
++        if (!pbd)
++            continue;
++
+         if (!pbd->hit)
+             continue;
+ 
+@@ -738,6 +751,8 @@ static void remove_master_func(void *res, XID id, void 
*devid)
+     barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+     pbd = GetBarrierDevice(barrier, *deviceid);
++    if (!pbd)
++        return;
+ 
+     if (pbd->hit) {
+         BarrierEvent ev = {
+@@ -903,6 +918,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+         barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+         pbd = GetBarrierDevice(barrier, dev->id);
++        if (!pbd) {
++            client->errorValue = dev->id;
++            return BadDevice;
++        }
+ 
+         if (pbd->barrier_event_id == event_id)
+             pbd->release_event_id = event_id;
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb 
b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
index caa44ea0d6..5fbccd970d 100644
--- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
+++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -30,6 +30,7 @@ SRC_URI = 
"git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch;protocol=ht
            file://CVE-2025-26595.patch;patchdir=${XORG_S} \
            file://CVE-2025-26596.patch;patchdir=${XORG_S} \
            file://CVE-2025-26597.patch;patchdir=${XORG_S} \
+           file://CVE-2025-26598.patch;patchdir=${XORG_S} \
 "
 
 # Keep sync with xorg-server in oe-core

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123951): 
https://lists.openembedded.org/g/openembedded-devel/message/123951
Mute This Topic: https://lists.openembedded.org/mt/117487439/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to