This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch 3.5.0.x in repository nx-libs. from 86937b8 nxcomp/README.on-retroactive-DXPC-license: Some layout and interpunctuation fixes. new 586ca14 Security fixes: X.Org CVE-2013-4396: new 6955aae Security fixes: X.Org CVE-2014-8092: The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: debian/changelog | 12 +++++ ...fter-free-in-dix-dixfonts.c-doImageT.full.patch | 51 ++++++++++++++++++-- ...-overflow-in-ProcPutImage-CVE-2014-8.full.patch | 21 ++++++-- 3 files changed, 74 insertions(+), 10 deletions(-) -- Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.5.0.x in repository nx-libs. commit 586ca14a045fbecc263752ce790ba9a104be8344 Author: Mihai Moldovan <ionic@ionic.de> Date: Tue Jun 2 17:59:28 2015 +0200 Security fixes: X.Org CVE-2013-4396: v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch --- debian/changelog | 6 +++ ...fter-free-in-dix-dixfonts.c-doImageT.full.patch | 51 ++++++++++++++++++-- 2 files changed, 52 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index cb4fb7f..d027112 100644 --- a/debian/changelog +++ b/debian/changelog @@ -163,6 +163,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low Backported from Arctica GH 3.6.x branch. Affects: - 9900-dxpc-license-history.full+lite.patch + * Security fixes: + - X.Org CVE-2013-4396: + v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) + v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch index 8cb1d0d..4dbda6a 100644 --- a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch +++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch @@ -21,12 +21,14 @@ X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. + +v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) +v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) + --- nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c -index 193f555..42fd647 100644 --- a/nx-X11/programs/Xserver/dix/dixfonts.c +++ b/nx-X11/programs/Xserver/dix/dixfonts.c @@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) @@ -69,6 +71,45 @@ index 193f555..42fd647 100644 err = BadAlloc; goto bail; } --- -2.1.4 - +--- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c +@@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + if (!data) + { + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + { + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + FreeScratchGC(pGC); + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } -- Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.5.0.x in repository nx-libs. commit 6955aae910622fa63eb236ea9dc26c382a41172f Author: Mihai Moldovan <ionic@ionic.de> Date: Tue Jun 2 18:11:24 2015 +0200 Security fixes: X.Org CVE-2014-8092: v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch --- debian/changelog | 6 ++++++ ...-overflow-in-ProcPutImage-CVE-2014-8.full.patch | 21 +++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index d027112..4d03fc4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -169,6 +169,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch + * Security fixes: + - X.Org CVE-2014-8092: + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch index 05d4919..6e12127 100644 --- a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch +++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch @@ -12,6 +12,9 @@ pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) +v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) +v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> @@ -22,8 +25,6 @@ Conflicts: nx-X11/programs/Xserver/dix/dispatch.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c -index 6941456..5ad2f5a 100644 --- a/nx-X11/programs/Xserver/dix/dispatch.c +++ b/nx-X11/programs/Xserver/dix/dispatch.c @@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client) @@ -37,6 +38,16 @@ index 6941456..5ad2f5a 100644 if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; --- -2.1.4 - +--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +@@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client) + + tmpImage = (char *)&stuff[1]; + lengthProto = length; +- ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + + (sizeof(xPutImageReq) >> 2)) != client->req_len) + return BadLength; -- Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
-
git-admin@x2go.org