This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch 3.5.0.x in repository nx-libs. from 6955aae Security fixes: X.Org CVE-2014-8092: new 36778c5 Security fixes: X.Org CVE-2015-3418: new dd9d54a Security fixes: X.Org CVE-2014-8099: The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: debian/changelog | 12 ++ ...ted-lengths-in-XVideo-extension-swap.full.patch | 169 +++++++++++++++++++- ...18-dix-Allow-zero-height-PutImage-re.full.patch | 16 +- 3 files changed, 190 insertions(+), 7 deletions(-) -- Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.5.0.x in repository nx-libs. commit 36778c5b9ec4b330f16d63307a375bf7407397fd Author: Mihai Moldovan <ionic@ionic.de> Date: Tue Jun 2 18:27:15 2015 +0200 Security fixes: X.Org CVE-2015-3418: v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch --- debian/changelog | 6 ++++++ ...18-dix-Allow-zero-height-PutImage-re.full.patch | 16 ++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 4d03fc4..3201670 100644 --- a/debian/changelog +++ b/debian/changelog @@ -175,6 +175,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch + * Security fixes: + - X.Org CVE-2015-3418: + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch index 7b6f28c..de99bb6 100644 --- a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch +++ b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch @@ -12,10 +12,11 @@ Date: Fri May 1 13:09:24 2015 +0200 Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + 
Signed-off-by: Keith Packard <keithp@keithp.com> -diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c -index 5ad2f5a..ab10640 100644 --- a/nx-X11/programs/Xserver/dix/dispatch.c +++ b/nx-X11/programs/Xserver/dix/dispatch.c @@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client) @@ -27,3 +28,14 @@ index 5ad2f5a..ab10640 100644 return BadLength; if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + +--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +@@ -2618,7 +2618,7 @@ ProcPutImage(register ClientPtr client) + + tmpImage = (char *)&stuff[1]; + lengthProto = length; +- if (lengthProto >= (INT32_MAX / stuff->height)) ++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + -- Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
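Review bot: the v3 note and the changelog entry say the fix was ported to NXdispatch.c "rather than" dispatch.c, but the embedded patch only loses the `diff --git` and `index` header lines of its dispatch.c section; the `--- a/nx-X11/programs/Xserver/dix/dispatch.c` hunk for ProcPutImage is still there and the NXdispatch.c hunk is appended after it. Either reword the note to say the check is applied to both files, or drop the dispatch.c hunk if that file is no longer meant to be patched. In the added NXdispatch.c hunk, `stuff->height != 0 &&` has to stay on the left of the division so that a zero height short-circuits before `INT32_MAX / stuff->height` is evaluated; a one-line comment stating that zero-height requests are accepted on purpose would keep a later cleanup from reordering or removing the guard.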
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.5.0.x in repository nx-libs. commit dd9d54ad1e29fd3e9a304a9538c5204a839ab211 Author: Mihai Moldovan <ionic@ionic.de> Date: Tue Jun 2 18:38:59 2015 +0200 Security fixes: X.Org CVE-2014-8099: v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch --- debian/changelog | 6 + ...ted-lengths-in-XVideo-extension-swap.full.patch | 169 +++++++++++++++++++- 2 files changed, 170 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 3201670..db70137 100644 --- a/debian/changelog +++ b/debian/changelog @@ -181,6 +181,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch + * Security fixes: + - X.Org CVE-2014-8099: + v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch index 1d458a7..73e0ac6 100644 --- a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch +++ b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch @@ -5,6 +5,8 @@ Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099] v2: backport to nx-libs 3.6.x (Mike DePaulo) +v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) +v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> @@ -15,8 +17,6 @@ Conflicts: nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) -diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c -index 21ab0b6..b361c0f 100644 --- a/nx-X11/programs/Xserver/Xext/xvdisp.c +++ b/nx-X11/programs/Xserver/Xext/xvdisp.c @@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client) 
@@ -179,6 +179,165 @@ index 21ab0b6..b361c0f 100644 swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client); --- -2.1.4 - +--- a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c +@@ -1423,6 +1423,7 @@ SProcXvQueryExtension(ClientPtr client) + { + register char n; + REQUEST(xvQueryExtensionReq); ++ REQUEST_SIZE_MATCH(xvQueryExtensionReq); + swaps(&stuff->length, n); + return ProcXvQueryExtension(client); + } +@@ -1432,6 +1433,7 @@ SProcXvQueryAdaptors(ClientPtr client) + { + register char n; + REQUEST(xvQueryAdaptorsReq); ++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); + swaps(&stuff->length, n); + swapl(&stuff->window, n); + return ProcXvQueryAdaptors(client); +@@ -1442,6 +1444,7 @@ SProcXvQueryEncodings(ClientPtr client) + { + register char n; + REQUEST(xvQueryEncodingsReq); ++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvQueryEncodings(client); +@@ -1452,6 +1455,7 @@ SProcXvGrabPort(ClientPtr client) + { + register char n; + REQUEST(xvGrabPortReq); ++ REQUEST_SIZE_MATCH(xvGrabPortReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->time, n); +@@ -1463,6 +1467,7 @@ SProcXvUngrabPort(ClientPtr client) + { + register char n; + REQUEST(xvUngrabPortReq); ++ REQUEST_SIZE_MATCH(xvUngrabPortReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->time, n); +@@ -1474,6 +1479,7 @@ SProcXvPutVideo(ClientPtr client) + { + register char n; + REQUEST(xvPutVideoReq); ++ REQUEST_SIZE_MATCH(xvPutVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1494,6 +1500,7 @@ SProcXvPutStill(ClientPtr client) + { + register char n; + REQUEST(xvPutStillReq); ++ REQUEST_SIZE_MATCH(xvPutStillReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1514,6 +1521,7 @@ SProcXvGetVideo(ClientPtr client) + { + register char n; + 
REQUEST(xvGetVideoReq); ++ REQUEST_SIZE_MATCH(xvGetVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1534,6 +1542,7 @@ SProcXvGetStill(ClientPtr client) + { + register char n; + REQUEST(xvGetStillReq); ++ REQUEST_SIZE_MATCH(xvGetStillReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1554,6 +1563,7 @@ SProcXvPutImage(ClientPtr client) + { + register char n; + REQUEST(xvPutImageReq); ++ REQUEST_AT_LEAST_SIZE(xvPutImageReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1578,6 +1588,7 @@ SProcXvShmPutImage(ClientPtr client) + { + register char n; + REQUEST(xvShmPutImageReq); ++ REQUEST_SIZE_MATCH(xvShmPutImageReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1605,6 +1616,7 @@ SProcXvSelectVideoNotify(ClientPtr client) + { + register char n; + REQUEST(xvSelectVideoNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); + swaps(&stuff->length, n); + swapl(&stuff->drawable, n); + return ProcXvSelectVideoNotify(client); +@@ -1615,6 +1627,7 @@ SProcXvSelectPortNotify(ClientPtr client) + { + register char n; + REQUEST(xvSelectPortNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvSelectPortNotify(client); +@@ -1625,6 +1638,7 @@ SProcXvStopVideo(ClientPtr client) + { + register char n; + REQUEST(xvStopVideoReq); ++ REQUEST_SIZE_MATCH(xvStopVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1636,6 +1650,7 @@ SProcXvSetPortAttribute(ClientPtr client) + { + register char n; + REQUEST(xvSetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->attribute, n); +@@ -1647,6 +1662,7 @@ SProcXvGetPortAttribute(ClientPtr client) + { + register char n; + REQUEST(xvGetPortAttributeReq); ++ 
REQUEST_SIZE_MATCH(xvGetPortAttributeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->attribute, n); +@@ -1658,6 +1674,7 @@ SProcXvQueryBestSize(ClientPtr client) + { + register char n; + REQUEST(xvQueryBestSizeReq); ++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swaps(&stuff->vid_w, n); +@@ -1672,6 +1689,7 @@ SProcXvQueryPortAttributes(ClientPtr client) + { + register char n; + REQUEST(xvQueryPortAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvQueryPortAttributes(client); +@@ -1682,6 +1700,7 @@ SProcXvQueryImageAttributes(ClientPtr client) + { + register char n; + REQUEST(xvQueryImageAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); + swaps(&stuff->length, n); + swapl(&stuff->id, n); + swaps(&stuff->width, n); +@@ -1694,6 +1713,7 @@ SProcXvListImageFormats(ClientPtr client) + { + register char n; + REQUEST(xvListImageFormatsReq); ++ REQUEST_SIZE_MATCH(xvListImageFormatsReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvListImageFormats(client); -- Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
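Review bot: the diffstat kept inside the embedded patch still lists only nx-X11/programs/Xserver/Xext/xvdisp.c with "1 file changed, 20 insertions(+)", although the patch now also carries twenty one-line additions to hw/nxagent/NXxvdisp.c, and the v3 note says "rather than xvdisp.c" while the xvdisp.c hunks remain in place. Update the diffstat and the wording to cover both files, or remove the xvdisp.c section if it is no longer wanted. In the NXxvdisp.c part, SProcXvPutImage is the only handler given `REQUEST_AT_LEAST_SIZE`, while SProcXvShmPutImage and every other handler get `REQUEST_SIZE_MATCH`; a short comment on why that one request may be longer than its fixed struct would let a reader confirm the difference is intended and not a copy-paste slip.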