[X2Go-Dev] Bug#879: Bug#879: CVE backports incomplete or wrong

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Thu May 21 10:02:10 CEST 2015 

Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/29

On Thu, May 21, 2015 at 08:43:37AM +0200, Ulrich Sibiller wrote:
> Package: nx-libs
> 
> Recently a lot of CVE fixes have been added to nx-libs.
> 
> E.g.
> debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
> and
> debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
> add missing checks to nx-X11/programs/Xserver/render/render.c.
> 
> However, there's a file called
> nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
> render.c and in that file those checks are missing, too.
> 
> (I suspect the original render/render.c is not used at all in favour
> of hw/nxagent/NXrender.c but I am not 100% sure here.)
> 
> If render.c is used a all (I am not sure) the patches should be
> extended to also fix NXrender.c.
> If render.c is not used it should be removed and the patches should be
> applied to NXrender.c instead.
> 
> There might be more cases like this, I only picked this one as an example.

Forwarded to nx-libs bug tracker [1] for nx-libs 3.6.x on Github.

@Mike#2: I assigned you to this task on Github. If you are not available
for this, please assign me again.

What Ulrich and I realized (in private comm) lately is that there are some files in hw/nxagent/ that are actually Xlib (extension) copies-of-code.

Thus, we need to double-maintain those code sections (I know, it is a mess and needs to be cleared up finally).

  o step A: build against libX* from X.Org
  o step B: be aware for code passages being libX* code, but copied to
    hw/nxagent/ and maintain those passages in hw/nxagent/ for now

Greets,
Mike

[1] https://github.com/ArcticaProject/nx-libs/issues/29

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150521/bdbbf38f/attachment-0001.pgp>

More information about the x2go-dev mailing list