[X2Go-Dev] [X2Go-Commits] [nx-libs] 28/52: CVE-2014-0210: unvalidated length fields in fs_read_list() from xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Tue Feb 17 06:05:14 CET 2015
Hi Uli,
On Mo 16 Feb 2015 21:29:56 CET, Ulrich Sibiller wrote:
> On Mon, Feb 16, 2015 at 8:23 PM, Mihai Moldovan <ionic at ionic.de> wrote:
>
>>> The code might offer a lot of possibilities for improvement. However,
>>> as all this is derived from the original X11 code I would prefer
>>> leaving it as is (and fix it upstream). This will make it a lot easier
>>> to backport later patches and it will also make the nx transition to
>>> current X11 much easier. Maybe add FIXME: comments to not forget
>>> those ideas.
>>
>> You're right. That's why I have only changed initialization where
>> conflicts are easily merged and the 1 MB thing.
>>
>> Everything else was left in place. I'm just bringing it up so that
>> people don't follow (bad) examples.
>
> This brings up the question: Should we try to backport any bugfixes?
> Or should we skip that completely and concentrate on rebasing nx to
> current X11 (Mike is working on that).
> Or should we do both in parallel?
This heavily depends, I feel.
For CVEs, I am so happy about Mike#2's work on the CVE audit.
For other issues, I think we should fix bugs that hit us heavily while
at the same time working on replacing this and that portion of code in
nx-libs (or making nxagent dynamically link against X.Org's libX*
libraries).
I have now started with an imake-cleanup branch at [1]. I still feel
that we should work on kicking out everything non-used before starting
with the rebase work. I really don't want to work on rebasing stuff
that will get caught by rm -Rf two days later.
However, there are also some obvious parts that are definitely used,
so here we could work in parallel.
Some ideas:
  o update xrandr to match protocol version 1.4
  o replace linking against libNX_Xdmcp by linking against libXdmcp
  o maybe replacing linkage for other libNX_X* libraries (e.g. libXext?
    Xcomposite? Xdamage? Xtst?):

Here is an overview of Xlibs that got patched by NoMachine and/or X2Go
regarding their functionality:
font
GL
SM
libNX_X11
libNX_Xau
libNX_Xinerama (changed by X2Go)
libNX_Xrandr
libNX_Xpm (only Imakefile)
libNX_Xrender
libNX_Xt (linked statically)
xtrans (linked statically)
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb