This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch 3.6.x in repository nx-libs. from 1ea1cd8 glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3) new 5fc2f57 Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" new e29bbd5 CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f new c0d0e37 Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" new 31322c2 CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d new 03a2922 Revert "dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]" new b6b5b14 dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] The 6 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: nx-X11/lib/font/fc/fserve.c | 17 +++++++++-------- nx-X11/programs/Xserver/os/access.c | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit 5fc2f57fb5520bb61e2c1f8b6fd2522b203b3b9d Author: Mihai Moldovan <ionic@ionic.de> Date: Mon Feb 16 05:26:40 2015 +0100 Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7. --- nx-X11/lib/font/fc/fsconvert.c | 19 +++++-------------- nx-X11/lib/font/fc/fserve.c | 40 ++-------------------------------------- 2 files changed, 7 insertions(+), 52 deletions(-) diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c index afa2c32..9a5e194 100644 --- a/nx-X11/lib/font/fc/fsconvert.c +++ b/nx-X11/lib/font/fc/fsconvert.c @@ -123,10 +123,6 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, for (i = 0; i < nprops; i++, dprop++, is_str++) { memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); - if ((local_off.name.position >= pi->data_len) || - (local_off.name.length > - (pi->data_len - local_off.name.position))) - goto bail; dprop->name = MakeAtom(&pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -134,20 +130,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, dprop->value = local_off.value.position; } else { *is_str = TRUE; - if ((local_off.value.position >= pi->data_len) || - (local_off.value.length > - (pi->data_len - local_off.value.position))) - goto bail; dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], local_off.value.length, 1); if (dprop->value == BAD_RESOURCE) { - bail: - xfree (pfi->props); - pfi->nprops = 0; - pfi->props = 0; - pfi->isStringProp = 0; - return -1; + xfree (pfi->props); + pfi->nprops = 0; + pfi->props = 0; + pfi->isStringProp = 0; + return -1; } } off_adr += SIZEOF(fsPropOffset); diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 6ba3ad4..9e652d2 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -866,7 +866,6 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) FSFpePtr conn = (FSFpePtr) fpe->private; fsQueryXInfoReply *rep; char *buf; - long bufleft; /* length of reply left to use */ fsPropInfo *pi; fsPropOffset *po; pointer pd; @@ -897,10 +896,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) buf = (char *) rep; buf += SIZEOF(fsQueryXInfoReply); - - bufleft = rep->length << 2; - bufleft -= SIZEOF(fsQueryXInfoReply); - + /* move the data over */ fsUnpack_XFontInfoHeader(rep, pInfo); @@ -908,51 +904,19 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) _fs_init_fontinfo(conn, pInfo); /* Compute offsets into the reply */ - if (bufleft < SIZEOF(fsPropInfo)) - { - ret = -1; -#ifdef DEBUG - fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", - bufleft); -#endif - goto bail; - } pi = (fsPropInfo *) buf; buf += SIZEOF (fsPropInfo); - bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); - if (bufleft < pi->data_len) - { - ret = -1; -#ifdef DEBUG - fprintf(stderr, - "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", - bufleft, pi->data_len); -#endif - goto bail; - } po = (fsPropOffset *) buf; buf += pi->num_offsets * SIZEOF(fsPropOffset); - bufleft -= pi->data_len; - { - ret = -1; -#ifdef DEBUG - fprintf(stderr, - "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", - bufleft, pi->data_len); -#endif - goto bail; - } pd = (pointer) buf; buf += pi->data_len; - bufleft -= pi->data_len; /* convert the properties and step over the reply */ ret = _fs_convert_props(pi, po, pd, pInfo); - bail: _fs_done_read (conn, rep->length << 2); - + if (ret == -1) { fs_cleanup_bfont (bfont); -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Author: Mike DePaulo <mikedep333@gmail.com> Date: Sun Feb 8 22:08:09 2015 -0500 CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan) --- nx-X11/lib/font/fc/fsconvert.c | 19 +++++++++++++----- nx-X11/lib/font/fc/fserve.c | 43 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 54 insertions(+), 8 deletions(-) diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c index 9a5e194..afa2c32 100644 --- a/nx-X11/lib/font/fc/fsconvert.c +++ b/nx-X11/lib/font/fc/fsconvert.c @@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, for (i = 0; i < nprops; i++, dprop++, is_str++) { memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position >= pi->data_len) || + (local_off.name.length > + (pi->data_len - local_off.name.position))) + goto bail; dprop->name = MakeAtom(&pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, dprop->value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.value.position >= pi->data_len) || + (local_off.value.length > + (pi->data_len - local_off.value.position))) + goto bail; dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], local_off.value.length, 1); if (dprop->value == BAD_RESOURCE) { - xfree (pfi->props); - pfi->nprops = 0; - pfi->props = 0; - pfi->isStringProp = 0; - return -1; + bail: + xfree (pfi->props); + pfi->nprops = 0; + pfi->props = 0; + pfi->isStringProp = 0; + return -1; } } off_adr += SIZEOF(fsPropOffset); diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 9e652d2..75cabdd 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) FSFpePtr conn = (FSFpePtr) fpe->private; fsQueryXInfoReply *rep; char *buf; + long bufleft = 0; /* length of reply left to use */ fsPropInfo *pi; fsPropOffset *po; pointer pd; @@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) buf = (char *) rep; buf += SIZEOF(fsQueryXInfoReply); - + + bufleft = rep->length << 2; + bufleft -= SIZEOF(fsQueryXInfoReply); + /* move the data over */ fsUnpack_XFontInfoHeader(rep, pInfo); @@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) _fs_init_fontinfo(conn, pInfo); /* Compute offsets into the reply */ + if (bufleft < SIZEOF(fsPropInfo)) + { + ret = -1; +#ifdef DEBUG + fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", + bufleft); +#endif + goto bail; + } pi = (fsPropInfo *) buf; buf += SIZEOF (fsPropInfo); - + bufleft -= SIZEOF (fsPropInfo); + + if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets) + { + ret = -1; +#ifdef DEBUG + fprintf(stderr, + "fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n", + bufleft / SIZEOF (fsPropOffset), pi->num_offsets); +#endif + goto bail; + } po = (fsPropOffset *) buf; buf += pi->num_offsets * SIZEOF(fsPropOffset); + bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); + if (bufleft < pi->data_len) + { + ret = -1; +#ifdef DEBUG + fprintf(stderr, + "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", + bufleft, pi->data_len); +#endif + goto bail; + } pd = (pointer) buf; buf += pi->data_len; + bufleft -= pi->data_len; /* convert the properties and step over the reply */ ret = _fs_convert_props(pi, po, pd, pInfo); + bail: _fs_done_read (conn, rep->length << 2); - + if (ret == -1) { fs_cleanup_bfont (bfont); -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit c0d0e373d4c42c7813b1955fc18f5c9f63c725e0 Author: Mihai Moldovan <ionic@ionic.de> Date: Mon Feb 16 05:52:09 2015 +0100 Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519. --- nx-X11/lib/font/fc/fserve.c | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 75cabdd..0d792c7 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn) int ret; fsConnSetup *setup; FSFpeAltPtr alts; - unsigned int i, alt_len; + int i, alt_len; int setup_len; char *alt_save, *alt_names; @@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn) } if (setup->num_alternates) { - size_t alt_name_len = setup->alternate_len << 2; alts = (FSFpeAltPtr) xalloc (setup->num_alternates * - sizeof (FSFpeAltRec) + alt_name_len); + sizeof (FSFpeAltRec) + + (setup->alternate_len << 2)); if (alts) { alt_names = (char *) (setup + 1); @@ -3023,25 +3023,10 @@ _fs_recv_conn_setup (FSFpePtr conn) { alts[i].subset = alt_names[0]; alt_len = alt_names[1]; - if (alt_len >= alt_name_len) { - /* - * Length is longer than setup->alternate_len - * told us to allocate room for, assume entire - * alternate list is corrupted. - */ -#ifdef DEBUG - fprintf (stderr, - "invalid alt list (length %lx >= %lx)\n", - (long) alt_len, (long) alt_name_len); -#endif - free(alts); - return FSIO_ERROR; - } alts[i].name = alt_save; memcpy (alt_save, alt_names + 2, alt_len); alt_save[alt_len] = '\0'; alt_save += alt_len + 1; - alt_name_len -= alt_len + 1; alt_names += _fs_pad_length (alt_len + 2); } conn->numAlts = setup->num_alternates; -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Author: Mike DePaulo <mikedep333@gmail.com> Date: Sun Feb 8 21:03:33 2015 -0500 CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan) --- nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 0d792c7..86b5753 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn) int ret; fsConnSetup *setup; FSFpeAltPtr alts; - int i, alt_len; + unsigned int i, alt_len; int setup_len; char *alt_save, *alt_names; @@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn) } if (setup->num_alternates) { + size_t alt_name_len = setup->alternate_len << 2; alts = (FSFpeAltPtr) xalloc (setup->num_alternates * - sizeof (FSFpeAltRec) + - (setup->alternate_len << 2)); + sizeof (FSFpeAltRec) + alt_name_len); if (alts) { alt_names = (char *) (setup + 1); @@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn) { alts[i].subset = alt_names[0]; alt_len = alt_names[1]; + if (alt_len >= alt_name_len) { + /* + * Length is longer than setup->alternate_len + * told us to allocate room for, assume entire + * alternate list is corrupted. + */ +#ifdef DEBUG + fprintf (stderr, + "invalid alt list (length %lx >= %lx)\n", + (long) alt_len, (long) alt_name_len); +#endif + xfree(alts); + return FSIO_ERROR; + } alts[i].name = alt_save; memcpy (alt_save, alt_names + 2, alt_len); alt_save[alt_len] = '\0'; alt_save += alt_len + 1; + alt_name_len -= alt_len + 1; alt_names += _fs_pad_length (alt_len + 2); } conn->numAlts = setup->num_alternates; -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit 03a2922d9cc17af26bd91d4a471061c54db50789 Author: Mihai Moldovan <ionic@ionic.de> Date: Mon Feb 16 05:55:23 2015 +0100 Revert "dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]" This reverts commit d4c76981f7fddb364166464c571ed8d3de3086cd. --- nx-X11/programs/Xserver/os/access.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c index 0e9d138..b6a70a7 100644 --- a/nx-X11/programs/Xserver/os/access.c +++ b/nx-X11/programs/Xserver/os/access.c @@ -1719,10 +1719,6 @@ GetHosts ( { nHosts++; n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry); - /* Could check for INT_MAX, but in reality having more than 1mb of - hostnames in the access list is ridiculous */ - if (n >= 1048576) - break; } if (n) { @@ -1734,8 +1730,6 @@ GetHosts ( for (host = validhosts; host; host = host->next) { len = host->len; - if ((ptr + sizeof(xHostEntry) + len) > (data + n)) - break; ((xHostEntry *)ptr)->family = host->family; ((xHostEntry *)ptr)->length = len; ptr += sizeof(xHostEntry); -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit b6b5b14e4190048fadbfbcf063d873d318127e81 Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Mon Jan 6 23:30:14 2014 -0800 dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c --- nx-X11/programs/Xserver/os/access.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c index b6a70a7..532a2f8 100644 --- a/nx-X11/programs/Xserver/os/access.c +++ b/nx-X11/programs/Xserver/os/access.c @@ -1719,6 +1719,10 @@ GetHosts ( { nHosts++; n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1024*1024) + break; } if (n) { @@ -1730,6 +1734,8 @@ GetHosts ( for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > (data + n)) + break; ((xHostEntry *)ptr)->family = host->family; ((xHostEntry *)ptr)->length = len; ptr += sizeof(xHostEntry); -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
-
git-admin@x2go.org