[X2Go-Dev] [X2Go-Commits] [nx-libs] 28/52: CVE-2014-0210: unvalidated length fields in fs_read_list() from xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Feb 17 06:05:14 CET 2015


Hi Uli,

On  Mo 16 Feb 2015 21:29:56 CET, Ulrich Sibiller wrote:

> On Mon, Feb 16, 2015 at 8:23 PM, Mihai Moldovan <ionic at ionic.de> wrote:
>
>>> The code might offer a lot of possibilities for improvement. However,
>>> as all this is derived from the original X11 code I would prefer
>>> leaving it as is (and fix it upstream). This will make it a lot easier
>>> to backport later patches and it will also make the nx transition to
>>> current X11 much easier.  Maybe add FIXME: comments to not forget
>>> those ideas.
>>
>> You're right. That's why I have only changed initialization where
>> conflicts are easily merged and the 1 MB thing.
>>
>> Everything else was left in place. I'm just bringing it up so that
>> people don't follow (bad) examples.
>
> This brings up the question: Should we try to backport any bugfixes?
> Or should we skip that completely and concentrate on rebasing nx to
> current X11 (Mike is working on that).
> Or should we do both in parallel?

This heavily depends, I feel.

For CVEs, I am so happy about Mike#2's work on the CVE audit.

For other issues, I think we should fix bugs that hit us heavily while  
at the same time working on replacing this and that portion of code in  
nx-libs (or making nxagent dynamically link against X.Org's libX*  
libraries).

I have now started with an imake-cleanup branch at [1]. I still feel  
that we should work on kicking out everything non-used before starting  
with the rebase work. I really don't want to work on rebasing stuff  
that will get caught by rm -Rf two days later.

However, there are also some obvious parts that are definitely used,  
so here we could work in parallel.

Some ideas:

   o update xrandr to match protocol version 1.4
   o replace linking against libNX_Xdmcp by linking against libXdmcp
   o maybe replacing linkage for other libNX_X* libraries (e.g. libXext?
     Xcomposite? Xdamage? Xtst?):

Here is an overview of Xlibs that got patched by NoMachine and/or X2Go  
regarding their functionality:

          font
          GL
          SM
          libNX_X11
          libNX_Xau
          libNX_Xinerama (changed by X2Go)
          libNX_Xrandr
          libNX_Xpm (only Imakefile)
          libNX_Xrender
          libNX_Xt (linked statically)
          xtrans (linked statically)

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb