Skip to content

[staging-next-25.11] alsa-lib: fix patch for CVE-2026-25068 for v1.2.14 #493885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mdaniels5757 merged 1 commit into from
Feb 25, 2026
Merged

[staging-next-25.11] alsa-lib: fix patch for CVE-2026-25068 for v1.2.14 #493885

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela <perex@perex.cz>
Date: Thu, 29 Jan 2026 16:51:09 +0100
Subject: [PATCH] topology: decoder - add boundary check for channel mixer
count

Malicious binary topology file may cause heap corruption.

CVE: CVE-2026-25068

Signed-off-by: Jaroslav Kysela <perex@perex.cz>
---
src/topology/ctl.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/src/topology/ctl.c b/src/topology/ctl.c
index a0c24518..322c461c 100644
--- a/src/topology/ctl.c
+++ b/src/topology/ctl.c
@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
if (mc->num_channels > 0) {
map = tplg_calloc(heap, sizeof(*map));
map->num_channels = mc->num_channels;
+ if (map->num_channels > SND_TPLG_MAX_CHAN ||
+ map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
+ SNDERR("mixer: unexpected channel count %d", map->num_channels);
+ return -EINVAL;
+ }
for (i = 0; i < map->num_channels; i++) {
map->channel[i].reg = mc->channel[i].reg;
map->channel[i].shift = mc->channel[i].shift;
16 changes: 10 additions & 6 deletions pkgs/by-name/al/alsa-lib/package.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
lib,
stdenv,
fetchurl,
fetchpatch,
alsa-topology-conf,
alsa-ucm-conf,
testers,
Expand All @@ -24,11 +23,16 @@ stdenv.mkDerivation (finalAttrs: {
# "libs" field to declare locations for both native and 32bit plugins, in
# order to support apps with 32bit sound running on x86_64 architecture.
./alsa-plugin-conf-multilib.patch
(fetchpatch {
name = "CVE-2026-25068.patch";
url = "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch";
hash = "sha256-4memtcg+FDOctX6wgiCdmnlG+IUS+5rL1f3LcsWS5lw=";
})

# Patch for CVE-2026-25058. Relies on a function `snd_error` which does not
# exist in alsa-lib 1.2.14, so we vendor the change to use the old `SNDERR`
# macro instead.
#
# Upstream fix:
# https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40
# Introduction of `snd_error`:
# https://github.com/alsa-project/alsa-lib/commit/62c8e635dcce3d750985505ad20f8711d6dabf0d
./CVE-2026-25068.patch
];

enableParallelBuilding = true;
Expand Down
Loading