From e5808cccfd4f759de19ad8ef61697e67adb2a0da Mon Sep 17 00:00:00 2001
From: lingsheng <860373352@qq.com>
Date: Thu, 27 Feb 2025 14:30:42 +0800
Subject: [PATCH] fix CVE-2025-26595

---
 backport-CVE-2025-26595.patch | 58 +++++++++++++++++++++++++++++++++++
 libxkbfile.spec               |  7 ++++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-26595.patch

diff --git a/backport-CVE-2025-26595.patch b/backport-CVE-2025-26595.patch
new file mode 100644
index 0000000..ec3b024
--- /dev/null
+++ b/backport-CVE-2025-26595.patch
@@ -0,0 +1,58 @@
+From 65977c33a6735b0ffc7d2c691243452f75c1f68c Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+(cherry picked from xorg/xserver@11fcda8753e994e15eb915d28cf487660ec8e722)
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/xkbtext.c b/src/xkbtext.c
+index 4459ca7..59429b2 100644
+--- a/src/xkbtext.c
++++ b/src/xkbtext.c
+@@ -190,14 +190,14 @@ XkbVModMaskText(Display *       dpy,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
++                if ((str - buf) + len > BUFFER_SIZE)
++                    continue; /* Skip */
++                if (str != buf) {
++                    if (format == XkbCFile)
++                        *str++ = '|';
++                    else
++                        *str++ = '+';
++                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
+-- 
+GitLab
+
diff --git a/libxkbfile.spec b/libxkbfile.spec
index 0ca81db..5a40e8d 100644
--- a/libxkbfile.spec
+++ b/libxkbfile.spec
@@ -1,11 +1,13 @@
 Name:		libxkbfile
 Version:	1.1.0
-Release:	5
+Release:	6
 Summary:	X11 keyboard file manipulation library
 License:	MIT
 URL:		https://www.x.org
 Source0:	https://www.x.org/releases/individual/lib/%{name}-%{version}.tar.bz2
 
+Patch6000:      backport-CVE-2025-26595.patch
+
 BuildRequires:	gcc xorg-x11-proto-devel libX11-devel
 
 %description
@@ -49,6 +51,9 @@ make check
 %{_libdir}/%{name}.so
 
 %changelog
+* Thu Feb 27 2025 lingsheng <lingsheng1@h-partners.com> - 1.1.0-6
+- fix CVE-2025-26595
+
 * Wed Oct 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 1.1.0-5
 - Rebuild for next release
 
-- 
Gitee