It seems there is potential bug in setxkbmap. Look at applyRules function: if (svSrc[RULES_NDX]) rfName = svValue[RULES_NDX]; else rfName = DFLT_XKB_RULES_FILE; ##### rfName is either specified name of rules file, or default name. ##### It seems further rfName should be used as name of rules file. if (rfName[0] == '/') { rules = XkbRF_Load(rfName, svValue[LOCALE_NDX], True, True); ##### That's ok. } else { /* try to load rules files from all include paths until the first * we succeed with */ for (i = 0; (i < numInclPath) && (!rules); i++) { if ((strlen(inclPath[i]) + strlen(rfName) + 8) > PATH_MAX) ##### rfName is used for calculating length of path. { VMSG2(0, "Path too long (%s/rules/%s). Ignored.\n", inclPath[i], rfName); ##### rfName is used in warning message. continue; } sprintf(buf, "%s/rules/%s", inclPath[i], svValue[RULES_NDX]); ##### Oops! svValue[RULES_NDX] is used. I guess it should be rfName instead. rules = XkbRF_Load(buf, svValue[LOCALE_NDX], True, True); } } if (!rules) { ERR1("Couldn't find rules file (%s) \n", svValue[RULES_NDX]); #### Oops again. It seems rfName should be used there, not svValue[RULES_DNX]. return False; } If you agree it should be fixed, I can prepare a patch.
As it turns out, I submitted a patch last night that would prevent buffer overflow using snprintf instead of trying to calculate the length by hand, but I failed to notice it was using different strings: http://lists.x.org/archives/xorg-devel/2011-February/019121.html Good catch! (I haven't had a chance to analyze to see which string is correct to use yet.)
Confirmed analysis, and had fix reviewed on xorg-devel - it's now pushed to git master: http://cgit.freedesktop.org/xorg/app/setxkbmap/commit/?id=fce78beab4b5f7ee99bf66d35c36b7ed12871d5a
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.