This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit af55da1e9c1a6a352b24823a8f7062c288ffbbc0 Author: Mike DePaulo <mikedep333@gmail.com> Date: Sun Feb 8 19:15:20 2015 -0500 LZW decompress: fix for CVE-2011-2895 From xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0 Specially crafted LZW stream can crash an application using libXfont that is used to open untrusted font files. With X server, this may allow privilege escalation when exploited --- nx-X11/lib/font/fontfile/decompress.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c index a4c5468..553b315 100644 --- a/nx-X11/lib/font/fontfile/decompress.c +++ b/nx-X11/lib/font/fontfile/decompress.c @@ -261,6 +261,8 @@ BufCompressedFill (BufFilePtr f) */ while ( code >= 256 ) { + if (stackp - de_stack >= STACK_SIZE - 1) + return BUFFILEEOF; *stackp++ = file->tab_suffix[code]; code = file->tab_prefix[code]; } -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git