[X2Go-Commits] [nx-libs] 02/02: Security fixes: X.Org CVE-2014-8092:
git-admin at x2go.org
git-admin at x2go.org
Tue Jun 2 18:15:47 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.5.0.x
in repository nx-libs.
commit 6955aae910622fa63eb236ea9dc26c382a41172f
Author: Mihai Moldovan <ionic at ionic.de>
Date: Tue Jun 2 18:11:24 2015 +0200
Security fixes: X.Org CVE-2014-8092:
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
Changes:
- 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
---
debian/changelog | 6 ++++++
...-overflow-in-ProcPutImage-CVE-2014-8.full.patch | 21 +++++++++++++++-----
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d027112..4d03fc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -169,6 +169,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
Changes:
+ 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
+ * Security fixes:
+ - X.Org CVE-2014-8092:
+ v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
+ v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
+ Changes:
+ + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
[ Bernard Cafarelli ]
* nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'.
diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
index 05d4919..6e12127 100644
--- a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
+++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
@@ -12,6 +12,9 @@ pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
+v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
+v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
+
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
@@ -22,8 +25,6 @@ Conflicts:
nx-X11/programs/Xserver/dix/dispatch.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
-index 6941456..5ad2f5a 100644
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
@@ -37,6 +38,16 @@ index 6941456..5ad2f5a 100644
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
return BadLength;
---
-2.1.4
-
+--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+@@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client)
+
+ tmpImage = (char *)&stuff[1];
+ lengthProto = length;
+-
++ if (lengthProto >= (INT32_MAX / stuff->height))
++ return BadLength;
++
+ if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
+ (sizeof(xPutImageReq) >> 2)) != client->req_len)
+ return BadLength;
--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list