Version in base suite: 3.5.1+dfsg-2

Base version: openrazer_3.5.1+dfsg-2
Target version: openrazer_3.5.1+dfsg-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openrazer/openrazer_3.5.1+dfsg-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openrazer/openrazer_3.5.1+dfsg-2+deb12u1.dsc

 changelog                                                               |    7 +
 patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch |   50 ++++++++
 patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch |   61 ++++++++++
 patches/series                                                          |    2 
 4 files changed, 120 insertions(+)

diff -Nru openrazer-3.5.1+dfsg/debian/changelog openrazer-3.5.1+dfsg/debian/changelog
--- openrazer-3.5.1+dfsg/debian/changelog	2023-02-03 16:07:01.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/changelog	2025-04-23 19:45:05.000000000 +0000
@@ -1,3 +1,10 @@
+openrazer (3.5.1+dfsg-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-32776: out-of-bounds read
+
+ -- Adrian Bunk <bunk@debian.org>  Wed, 23 Apr 2025 22:45:05 +0300
+
 openrazer (3.5.1+dfsg-2) unstable; urgency=medium
 
   [ Andreas Beckmann ]
diff -Nru openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
--- openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch	2025-04-23 19:43:56.000000000 +0000
@@ -0,0 +1,50 @@
+From c56f45e37b75cdfbaee88df40168cee1834db191 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca@lucaweiss.eu>
+Date: Thu, 10 Apr 2025 20:58:30 +0200
+Subject: driver: Stop copying any custom frame data when parameters are
+ invalid
+
+While the initial idea of this check was to sanitize any a row_length
+value which is too high. But in reality we should just essentially error
+out (which due to the function signature we can't do properly), and stop
+trying to memcpy any data.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razerchromacommon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razerchromacommon.c b/driver/razerchromacommon.c
+index ef9891f9..1e7cdc11 100644
+--- a/driver/razerchromacommon.c
++++ b/driver/razerchromacommon.c
+@@ -480,7 +480,7 @@ struct razer_report razer_chroma_standard_matrix_set_custom_frame(unsigned char
+ 
+     if (row_length > sizeof(report.arguments) - start_arg_offset) {
+         printk(KERN_ALERT "razerchroma: RGB data too long\n");
+-        row_length = sizeof(report.arguments) - start_arg_offset;
++        row_length = 0;
+     }
+ 
+     report = get_razer_report(0x03, 0x0B, 0x46); // In theory should be able to leave data size at max as we have start/stop
+@@ -766,7 +766,7 @@ struct razer_report razer_chroma_extended_matrix_set_custom_frame2(unsigned char
+ 
+     if (row_length > sizeof(report.arguments) - start_arg_offset) {
+         printk(KERN_ALERT "razerchroma: RGB data too long\n");
+-        row_length = sizeof(report.arguments) - start_arg_offset;
++        row_length = 0;
+     }
+ 
+     // Some devices need a specific packet length, most devices are happy with 0x47
+@@ -1039,7 +1039,7 @@ struct razer_report razer_chroma_misc_one_row_set_custom_frame(unsigned char sta
+ 
+     if (row_length > sizeof(report.arguments) - start_arg_offset) {
+         printk(KERN_ALERT "razerchroma: RGB data too long\n");
+-        row_length = sizeof(report.arguments) - start_arg_offset;
++        row_length = 0;
+     }
+ 
+     report.arguments[0] = start_col;
+-- 
+2.30.2
+
diff -Nru openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
--- openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch	1970-01-01 00:00:00.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch	2025-04-23 19:43:56.000000000 +0000
@@ -0,0 +1,61 @@
+From 42f4b7c4eab618031b2c9bb19188c69f40900c52 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca@lucaweiss.eu>
+Date: Thu, 10 Apr 2025 20:34:39 +0200
+Subject: driver: Fix possible integer overflow in write_matrix_custom_frame
+
+When a user passes start_col=0x00 and stop_col=0x55 with the data,
+row_length can easily wrap around leading to undesired behavior
+including out of bounds read while copying data into report.arguments.
+
+Avoid the overflow by making sure the underlying type has enough space
+for the value ((255 + 1) - 0) * 3 = 768.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razeraccessory_driver.c | 2 +-
+ driver/razerkbd_driver.c       | 2 +-
+ driver/razermouse_driver.c     | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razeraccessory_driver.c b/driver/razeraccessory_driver.c
+index 2bfb00e0..0928b0bb 100644
+--- a/driver/razeraccessory_driver.c
++++ b/driver/razeraccessory_driver.c
+@@ -830,7 +830,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+     unsigned char row_id;
+     unsigned char start_col;
+     unsigned char stop_col;
+-    unsigned char row_length;
++    size_t row_length;
+ 
+     //printk(KERN_ALERT "razermyg: Total count: %d\n", (unsigned char)count);
+ 
+diff --git a/driver/razerkbd_driver.c b/driver/razerkbd_driver.c
+index 672f88a0..c647202c 100644
+--- a/driver/razerkbd_driver.c
++++ b/driver/razerkbd_driver.c
+@@ -2484,7 +2484,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+     unsigned char row_id;
+     unsigned char start_col;
+     unsigned char stop_col;
+-    unsigned char row_length;
++    size_t row_length;
+ 
+     //printk(KERN_ALERT "razerkbd: Total count: %d\n", (unsigned char)count);
+ 
+diff --git a/driver/razermouse_driver.c b/driver/razermouse_driver.c
+index 01c95f3f..e325920d 100644
+--- a/driver/razermouse_driver.c
++++ b/driver/razermouse_driver.c
+@@ -2230,7 +2230,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+     unsigned char row_id;
+     unsigned char start_col;
+     unsigned char stop_col;
+-    unsigned char row_length;
++    size_t row_length;
+ 
+     //printk(KERN_ALERT "razermouse: Total count: %d\n", (unsigned char)count);
+ 
+-- 
+2.30.2
+
diff -Nru openrazer-3.5.1+dfsg/debian/patches/series openrazer-3.5.1+dfsg/debian/patches/series
--- openrazer-3.5.1+dfsg/debian/patches/series	2023-02-03 16:07:01.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/patches/series	2025-04-23 19:45:04.000000000 +0000
@@ -1,2 +1,4 @@
 6322c4ab9d12b5711eead41821fe19149e515afc.patch
 skip-without-CONFIG_USB.patch
+0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
+0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch