From 6a95783adfce82b17876542d540e4395b783e2da Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Wed, 27 May 2026 11:24:06 +0800 Subject: [PATCH] fix(capstone): CVE-2025-67873/68114 - heap buffer overflow and stack underflow Fix two vulnerabilities in capstone disassembly framework: CVE-2025-67873: heap buffer overflow in skipdata handling CVE-2025-68114: stack buffer underflow/overflow in SStream_concat Upstream: https://github.com/capstone-engine/capstone/commit/53f18b5 Upstream: https://github.com/capstone-engine/capstone/commit/782b475 Generated-By: glm-5.1 Co-Authored-By: hudeng --- debian/changelog | 7 +++++++ debian/patches/CVE-2025-67873.patch | 26 ++++++++++++++++++++++++++ debian/patches/CVE-2025-68114.patch | 24 ++++++++++++++++++++++++ debian/patches/series | 2 ++ 4 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2025-67873.patch create mode 100644 debian/patches/CVE-2025-68114.patch diff --git a/debian/changelog b/debian/changelog index 9dca151..7ee5333 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +capstone (5.0.3-1deepin1) unstable; urgency=medium + + * Fix CVE-2025-67873: heap buffer overflow in skipdata handling. + * Fix CVE-2025-68114: stack buffer underflow/overflow in SStream_concat. + + -- deepin-ci-robot Mon, 26 May 2026 22:57:00 +0800 + capstone (5.0.3-1) unstable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2025-67873.patch b/debian/patches/CVE-2025-67873.patch new file mode 100644 index 0000000..fe21276 --- /dev/null +++ b/debian/patches/CVE-2025-67873.patch @@ -0,0 +1,26 @@ +Description: Fix heap buffer overflow in skipdata handling + In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, + so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy + more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow. + . + This patch adds MIN() check to ensure skipdata_bytes does not exceed + sizeof(insn_cache->bytes) / sizeof(insn->bytes). +Origin: upstream, https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3 +Bug: https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg +Forwarded: not-needed + +--- a/cs.c ++++ b/cs.c +@@ -979,8 +979,10 @@ size_t CAPSTONE_API cs_disasm(csh ud, const uint8_t *buffer, size_t size, + // we have to skip some amount of data, depending on arch & mode + insn_cache->id = 0; // invalid ID for this "data" instruction + insn_cache->address = offset; +- insn_cache->size = (uint16_t)skipdata_bytes; +- memcpy(insn_cache->bytes, buffer, skipdata_bytes); ++ insn_cache->size = (uint16_t)(skipdata_bytes < sizeof(insn_cache->bytes) ? skipdata_bytes : sizeof(insn_cache->bytes)); ++ memcpy(insn_cache->bytes, buffer, ++ skipdata_bytes < sizeof(insn_cache->bytes) ? skipdata_bytes : sizeof(insn_cache->bytes)); ++ + #ifdef CAPSTONE_DIET + insn_cache->mnemonic[0] = '\0'; + insn_cache->op_str[0] = '\0'; diff --git a/debian/patches/CVE-2025-68114.patch b/debian/patches/CVE-2025-68114.patch new file mode 100644 index 0000000..dcbbd45 --- /dev/null +++ b/debian/patches/CVE-2025-68114.patch @@ -0,0 +1,24 @@ +Description: Fix stack buffer underflow/overflow in SStream_concat + In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in + SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream's index + negative or past the end, leading to a stack buffer underflow/overflow. + . + This patch checks if vsnprintf return value is negative before adding to index. +Origin: upstream, https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e +Bug: https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r +Forwarded: not-needed + +--- a/SStream.c ++++ b/SStream.c +@@ -58,6 +58,11 @@ void SStream_concat(SStream *ss, const char *fmt, ...) + va_start(ap, fmt); + ret = cs_vsnprintf(ss->buffer + ss->index, sizeof(ss->buffer) - (ss->index + 1), fmt, ap); + va_end(ap); ++ ++ if (ret < 0) { ++ return; ++ } ++ + ss->index += ret; + #endif + } diff --git a/debian/patches/series b/debian/patches/series index 2231064..fb6f68e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,4 @@ Remove-magic-for-loading-shared-libraries.patch Enforce-order-on-wildcard-operations-for-reproducible-bui.patch +CVE-2025-67873.patch +CVE-2025-68114.patch